author photo
By SecureWorld News Team
Sat | Dec 21, 2019 | 7:28 PM PST

Global insurer AIG just issued a new cyber claims report from its EU office, and it reveals that Business Email Compromise (BEC) now makes up the largest percentage of cybercrime insurance claims.

BEC listed as the top type of cybercrime

BEC is so prevalent, it makes up nearly one-in-four cyber insurance claims according to the report, which focuses on Europe, the Middle East, and Asia (EMEA).

"A relatively simple type of scam, BEC attackers often target
individuals responsible for sending payments, using spoof accounts to impersonate the company C-suite or a supplier and requesting money transfers, tax records and/or other sensitive data."

It may be a relatively simple type of scam, but it is also rampant in the United States right now.

According to Stephen Dougherty, Cyber-Enabled Financial Fraud Investigator for the U.S. Secret Service, Business Email Compromise is run by increasingly complex criminal organizations who have a huge financial incentive to perpetrate the crime.

"The average loss from a bank robbery is about $3,000. The average loss from a successful BEC attack is nearly $130,000."

[See Stephen Dougherty speak at SecureWorld St. Louis, SecureWorld Twin Cities, and SecureWorld Seattle.]

One of the craziest BEC cases we've come across was a CEO fraud that led to $18.6 million gone in a week.

What does a cyber policy cover in a BEC case?

So what would cyber insurance cover if you get hit with BEC or CEO fraud?

The AIG reports sums it up like this:

"For covered BEC and impersonation fraud claims the cyber policy
provides for the cost of an IT forensic investigation to determine whether the insured's system was compromised and identify the compromised data.

The policy also covers legal advice on reporting and notification obligations to data subjects and regulators, though insurance cover for financial loss due to criminal activity is often restricted."

Yes, be sure to read the fine print on your policy for those restrictions.

What are companies failing to do before a BEC attack?

The report  reiterates what security teams know, which is that most BEC attacks start with some sort of phishing email to harvest credentials and gain access to email, to make spoofing a CEO or CFO easier.

However, what surprised us in reading through the top cybercrime report is that many companies have tools they could use to reduce the risk of BEC but fail to use them.

"Poor password hygiene is a recurring issue for firms targeted by
BEC, with cyber-criminals exploiting companies that have not
activated their Microsoft Office 365 security functions, where the
default settings do not enable all the necessary security features
such as multi-factor authentication. This remains a high frequency
incident that is reported to AIG's cyber claims team on almost a
daily basis...."

Now there's something to take a look at within your organization.

The list: 10 top cybercrime insurance claims

So BEC is a dominant number one risk based on insurance claims, but what about the rest of the top 10 cybercrime list? Let's take a look.

The list shows the percentage of claims involving each listed type of cybercrime during the last year.


Ransomware was the number one cybercrime claim in 2017, but dropped to number two in the past year. However, AIG says ransomware is morphing and likely on the upswing again.

And ransomware cases are becoming more expensive for a number of reasons.

"... the ransom requests have increased in size. While the
initial amounts demanded by WannaCry ransomware attackers
were between $300 to $600, in 2018 there have been cases
where cyber-criminals have requested tens of thousands to millions
of dollars.

Meanwhile, the disruption and BI costs associated with such attacks have risen. And in an era of GDPR, there is also the need to establish whether sensitive data has been compromised."

Insurance: the hidden cost of GDPR?

The AIG report also looks at what it calls the GDPR effect, which SecureWorld reported on several months ago. Organizations were over-reporting data breaches just to be safe.

Says AIG:

Claim activity from our First Response hotline has increased by over 50% for claims where data subjects and/or the data authority were notified, with insureds receiving legal advice and assistance in preparing their regulatory notices.

"We're seeing a lot of work for our firm, and obviously increased fees incurred by the insured and/or by the insurer, in managing GDPR issues for breaches that are really quite minor," says Norton Rose Fulbright's Jonathan Ball. "The kind of incidents that pre-GDPR an organisation would probably have dealt with themselves without external legal counsel."

With all the numbers in this report, you can already imagine the actuarial tables at the insurance companies pointing to the future of cyber insurance: rate increases.

[DOWNLOAD: AIG top cybercrime claims list]