In light of the fact that it’s Shark Week, I noticed a very interesting article in the Insurance Journal.
In a closely-watched case on insurance coverage in an age of expanding cyber risk, a federal appeals court in New York just upheld a lower court ruling that a Chubb unit’s commercial crime insurance policy covers wire transfer losses resulting from a spoofing attack.
The case (Medidata Solutions Inc. v. Federal Insurance Company) before the Second Circuit appeals court involved a crime insurance policy with a computer fraud provision issued by Chubb subsidiary Federal Insurance Co. in June 2014 to Medidata, a clinical trial software firm.
The claim involved a – now pandemic – type of social engineering called CEO Fraud, which the FBI calls Business Email Compromise. This is where fraudsters convince employees to wire funds to external accounts. The policy had a $5 million limit for forgery, funds transfer fraud, and computer fraud.
“BEC is a serious threat on a global scale,” said Special Agent Martin Licciardo, a veteran organized crime investigator at the FBI’s Washington Field Office. “And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”
According to the Insurance Journal, Medidata employees were “spoofed” into wiring $5 million to an account. They were led to believe it was for an acquisition due to a series of fraudulent emails they received where the fraudsters misrepresented an outside attorney and Medidata’s own president.
Medidata argued that its computer fraud provision should cover its loss because the Federal policy defined a computer violation as any “entry of Data into” or “change to Data elements or program logic of a computer system.”
Federal Insurance denied the claim, arguing that the email case did not amount to the entry of data into or a change to the elements of the Medidata computers. Federal said the policy applies to only hacking-type intrusions.
Medidata sued over the claim denial, and the U.S. District Court for the Southern District of New York last August awarded Medidata $5.8 million in damages and interest.
Ruling on an appeal by Federal, the Second Circuit agreed with the district court in finding that the “plain and unambiguous language of the policy” covers the losses incurred by Medidata.
The appeals court found that while no hacking occurred, the fraudsters did insert the spoofing code into Medidata’s email system, which the court said is part of the computer system, and they sent messages that were made to look like they were from high officials at Medidata to trick the employees.
According to the appeals court:
“Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision.”
This ruling is a reminder that the wording of your cyber insurance policy is crucial in determining payments related to social engineering attacks.
These types of attacks don’t discriminate against any kind of business. Recently scammers even phished a church! – Come on!
What Should You Do?
Here are a couple of ideas:
- Make SURE that your cyber insurance policy clearly covers instances where your employees become the victim of a social engineering attack.
- And of course, step them through new-school Security Awareness Training and friendly (simulated) phishing from KYOCERA Intelligence to prevent snafus like this in the first place.
- Be vigilant and stay informed.
The best defense is always a good offense, and the same goes when it comes to phishing, spoofing, and CEO Fraud. To be proactive and stay one step ahead of the criminals, you and your employees must be educated about the different kinds of cyber threats, how to recognize them, and what to do to block them.
Phishing websites lure your email recipients and Web users into thinking that a spoofed website is legitimate. The criminal’s goal is to acquire private, confidential data like credit card numbers, personal information, account usernames, and passwords. The victim eventually discovers that his personal identity and other vital information was stolen and exposed. By this time, the hacker is long gone.
Spear Phishing is a variation on phishing where criminals send emails to groups of people with common identifiers. A spear phishing email looks as if it’s from a trusted source but in reality, it’s a hacker trying to obtain classified information. The email may pretend to be from the president of the company, CEO, CFO, or even from a large financial institution. This is a form of CEO Fraud.
CEO Fraud (or what the FBI terms BEC – Business Email Compromise) is where criminals spoof company email accounts and impersonate executives to fool an employee into performing unauthorized wire transfers. As you can see from the Medidata example, anyone can be fooled.
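To make the spoofing the court describes concrete from the defender's side, here is an added example (not from the article, the court record, or OSIS IT) that flags the header patterns a CEO Fraud lure typically shows: an executive's display name on an outside address, a Reply-To that diverts replies elsewhere, and a sender domain one character away from the real one. The company domain, the executive names, and the two messages are constructed for this example.

```python
"""Flag display-name impersonation, Reply-To diversion and lookalike sender domains."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions constructed for this example: the organisation's own domain and
# the executives whose names a CEO Fraud lure would borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat president", "chris cfo"}

def _within_one_edit(a, b):
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion in b
        elif len(a) < len(b):
            j += 1          # insertion in b
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_headers(raw_message):
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    findings = []
    # An executive's name shown on an address outside the company domain
    if " ".join(from_name.lower().split()) in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external address: " + from_addr)
    # Replies silently routed to a domain other than the visible sender's
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain %s differs from sender domain %s" % (reply_domain, from_domain))
    # Sender domain that is one typo away from the real one (e.g. digit 1 for letter l)
    if from_domain and from_domain != COMPANY_DOMAIN and _within_one_edit(from_domain, COMPANY_DOMAIN):
        findings.append("lookalike sender domain: " + from_domain)
    return findings

# Constructed sample messages: one lure, one legitimate internal note.
LURE = "From: Pat President <pat.president@examp1e.com>\nReply-To: Pat President <pat.president@mail-forward.net>\nTo: treasury@example.com\nSubject: Urgent wire for acquisition\n\nPlease wire the funds today; outside counsel will follow up.\n"
LEGIT = "From: Pat President <pat.president@example.com>\nTo: treasury@example.com\nSubject: Board deck\n\nAttached.\n"
```

Running `analyze_headers(LURE)` yields three findings and `analyze_headers(LEGIT)` none; in practice such checks sit alongside SPF/DKIM/DMARC results and an out-of-band callback rule for any payment instruction.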
We’ll stay abreast of the situation and keep you informed if anything new comes up in this regard. OSIS IT wants our clients’ businesses to remain safe and productive.
If you’d like to stay up to date on IT issues, be sure to visit our online Media Center.
I hope this information helps!