Poor Payment Security Could Be Costing Your Company Millions
By Alliant / November 15, 2024
Cybercrime is rapidly becoming one of the most significant threats to businesses, encompassing a range of incidents that specifically target the theft of money. Unlike traditional cyber risks, which often focus on data breaches, cybercrime involves financial theft, blurring the lines between cyber insurance and crime coverage. While cyber insurance typically addresses the loss of sensitive information, crime coverage is designed to protect against the loss of funds. The intersection of these two coverages highlights the growing complexity of cyber risks, making it essential for businesses to understand how they might be exposed and where their policies provide protection.
Cybercrime incidents may not involve the largest claims; however, these incidents are frustrating to manage, with limited coverage options available in the market. For this "death by a thousand cuts" exposure, it's crucial for businesses to take proactive measures to reduce the risk of falling victim to social engineering or other forms of fraud.
The Intersection of Cyber Threats, Hacking and Fraud
Cybercrime sits at the convergence of cyber threats, hacking and fraud. One of the most frequently exploited areas is wire procedures, which is why safeguards there need strengthening. Unlike data breaches or system outages, the focus here is on money being siphoned from an organization through misappropriation of assets. These attacks exploit weaknesses in wire procedures, relying on human error and weak verification practices: criminals combine phishing with other tactics to misrepresent payment instructions, and it is the human element, not a technical flaw, that gets them paid.
Formalizing Wire Transfer Procedures
To combat this, organizations must formalize and strengthen the procedures surrounding wire transfers, ACH payments and all online banking activity. That means strict processes for how changes to payment instructions are communicated, validated and authorized. One key control is out-of-band authentication (OOBA): any change to payment instructions is validated through an independent communication channel, such as a phone call or a secure messaging system, separate from the channel on which the request arrived. The call-back must go to contact details already on file for the vendor or client, never to a number or address supplied in the change request itself, because an attacker who controls the original email also controls those details. The same rigor should apply when communicating payment updates to clients or business partners.
OOBA is frequently a condition of coverage under cyber and crime policies: failing to implement OOBA or an equivalent verification step can result in a claim being denied after a fraudulent transfer. This additional layer of validation ensures that payment instructions come from the legitimate counterparty and significantly reduces the risk of wire fraud and phishing schemes.
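As an added example (not code from the original article or from Alliant), the following Python models the OOBA control above as a policy gate: a change to a vendor's bank details is applied only after confirmation through a channel independent of the request, reached via contact details already on file. The record layouts, field names, sample vendor and the requester/verifier separation are all assumptions made for the illustration.

```python
"""Out-of-band authentication (OOBA) gate for payment-instruction changes.

Added example, not from the original article. Record layouts, field names
and the requester/verifier separation are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    bank_account: str
    phone_on_file: str  # from the vendor master record, never from a request


@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    request_channel: str            # channel the request arrived on, e.g. "email"
    requested_by: str               # employee who received/entered the request
    callback_number: Optional[str]  # number offered *in the request*; untrusted


@dataclass(frozen=True)
class Verification:
    channel: str        # channel used to confirm, e.g. "phone"
    contact_used: str   # the number or address actually used for confirmation
    verified_by: str    # employee who performed the call-back
    confirmed: bool     # counterparty confirmed the new details


def ooba_check(vendor: Vendor, req: ChangeRequest,
               ver: Optional[Verification]) -> Tuple[bool, str]:
    """Return (allowed, reason); every rejection names the control that failed."""
    if req.vendor_id != vendor.vendor_id:
        return False, "request does not match the vendor record"
    if ver is None:
        return False, "no out-of-band verification recorded"
    if ver.channel == req.request_channel:
        # Replying on the same channel only asks the attacker to confirm.
        return False, "verification used the same channel as the request"
    if ver.contact_used != vendor.phone_on_file:
        # A number supplied in the request is not an independent contact.
        return False, "verification did not use the contact details on file"
    if ver.verified_by == req.requested_by:
        # Assumed extra control: the person who took the request does not verify it.
        return False, "verifier must be a different person from the requester"
    if not ver.confirmed:
        return False, "counterparty did not confirm the change"
    return True, "verified out of band against contact details on file"


def apply_change(vendor: Vendor, req: ChangeRequest,
                 ver: Optional[Verification]) -> Tuple[Vendor, str]:
    """Apply the change only when the gate passes; otherwise return the vendor unchanged."""
    ok, reason = ooba_check(vendor, req, ver)
    if not ok:
        return vendor, reason
    return replace(vendor, bank_account=req.new_bank_account), reason


# Constructed sample data (not real vendors, numbers or accounts).
ACME = Vendor("V-100", "old-acct-1111", phone_on_file="+1-555-0100")

# An emailed "we changed banks, call my new mobile to confirm" request.
SUSPECT_REQUEST = ChangeRequest("V-100", "new-acct-9999", "email",
                                requested_by="ap.clerk", callback_number="+1-555-0199")


def demo():
    """Run three verification attempts; only the last should change the account."""
    # 1. Call-back to the number given in the email: rejected.
    bad_contact = Verification("phone", SUSPECT_REQUEST.callback_number, "ap.supervisor", True)
    # 2. Reply on the same email thread: rejected.
    same_channel = Verification("email", "billing@acme.example", "ap.supervisor", True)
    # 3. Call-back to the number on file by a second person: accepted.
    good = Verification("phone", ACME.phone_on_file, "ap.supervisor", True)
    return [apply_change(ACME, SUSPECT_REQUEST, v) for v in (bad_contact, same_channel, good)]


if __name__ == "__main__":
    for vendor, reason in demo():
        print(vendor.bank_account, "-", reason)
```

The point of the ordering is that the two most common BEC shortcuts, calling the number in the email and replying to the thread, are rejected with a reason that can be logged and audited, while a legitimate change still goes through once it is confirmed against the master record.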
Authenticity and Validation
The key to preventing cyber fraud is ensuring that all payment instructions are authentic and properly validated. Checking the email itself is not enough; confirmation should also use a second method such as postal mail or encrypted email. Note that encryption alone does not establish authenticity: a compromised mailbox sends encrypted mail as readily as plain mail, so the confirmation must still go to a contact already on record rather than one supplied in the request. Encouraging third-party partners and customers to verify instructions before acting on any payment change is equally important to minimizing exposure to phishing and man-in-the-middle schemes, including hijacked email threads.
The Human Element
While technologies, business processes and industries differ, the common thread in cybercrime is the exploitation of people. Insurance and security controls alone are not enough. Organizations must make a concerted effort to address the human element, the vulnerability that sits between the person and the keyboard. Influencing human behavior is key to fostering a culture of professional skepticism; with it, employees become more vigilant and better equipped to recognize and resist complex or hybrid attacks that target business processes rather than systems. This proactive approach can be instrumental in preventing cybercrime.
Key actions your organization can take now may include:
- Regular Training and Workshops: Implement ongoing training sessions that educate employees about the latest cyber threats, social engineering tactics and best practices for identifying and responding to suspicious activities.
- Phishing Simulations: Conduct simulated phishing attacks to test employees’ responses. This hands-on approach helps them recognize potential threats and reinforces training by providing immediate feedback.
- Clear Communication Channels: Establish and promote clear channels for reporting suspicious emails or activities. Encourage employees to speak up about any concerns without fear of reprimand, fostering a culture of vigilance.
Risk Transfer: The Role of Insurance
Even with the best practices in place, no system is foolproof. Companies need to implement specific controls and ask critical internal questions to minimize their risk, but even with robust security measures a single weak link can lead to significant losses. Because attacks can still succeed despite these efforts, risk transfer solutions such as insurance are needed. Coverage for cybercrime falls into three main areas:
- Fraudulent transfers of funds: Fraudulent transfers of funds refers to unauthorized transactions where funds are moved directly from an organization's bank account without consent, often due to compromised banking credentials. These transfers typically fall outside the scope of cyber insurance and are more commonly covered under bond or fidelity policies, as they do not ordinarily involve a compromise to the insured’s network.
- Fraudulent inducement: This scenario involves an employee of the insured receiving an email from someone pretending to be a trusted customer or a high-ranking company official. Believing the impersonator, the employee may change wire transfer instructions or make payments to the fraudster. This tactic, also known as social engineering, phishing or fraudulent inducement, relies on the cooperation of the deceived employee. Unlike direct unauthorized access to a bank account, this scenario requires human error, and coverage for such incidents is typically available under either a cyber or crime policy.
- Invoice manipulation: In this case, a customer of the insured makes a payment to a fraudster instead of the insured organization due to fraudulent inducement. This can occur if the customer’s or the insured's credentials are compromised. As a result, the insured ends up with a bad receivable since the customer is unwilling to pay the invoice twice, even after having received products or services. Coverage for invoice manipulation is generally not included in standard cyber policies but can be added through an endorsement.
It’s important to note that all three scenarios discussed are typically subject to sub-limits in coverage. Understanding the nuances of cyber policies, as well as crime and fidelity coverages, is vital for ensuring comprehensive protection. Policies can vary in terms of what they cover, with some offering full coverage for fraudulent transfers, while others may only cover partial losses. Businesses must work closely with their insurance brokers to ensure that their policies address the right risks and that adequate safeguards, such as OOBA, are in place to satisfy coverage requirements.
Conclusion:
Combating the misappropriation of funds in today's cyber threat environment requires a multifaceted approach. Formalizing and securing payment procedures, validating all changes through out-of-band authentication and investing in employee awareness training are essential steps. Additionally, having the right insurance coverage can protect businesses from the financial fallout of cybercrime. By integrating robust processes, enhancing human vigilance and leveraging the right insurance solutions, businesses can mitigate their exposure to these increasingly common threats.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.