SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Cyber insurance not always up to scratch
Wed, 8th Jun 2016
FYI, this story is more than a year old

Organisations are being warned about their cyber insurance policies, and are being urged to check if they are cover new social engineering email attacks.

New research from email and data security firm Mimecast into the growing cyber insurance industry has revealed 45% of organisations with cyber insurance are unsure if their policies are fully up to date to cover the ever-evolving threat landscape.

Mimecast says this leaves firms at risk for taking the full financial brunt of these kinds of attacks.

According to the research, just 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions. Nearly two-thirds (64%) of firms don't have any cyber insurance at all.

Mimecast says the rise of whaling (CEO fraud) has created an attack climate where many insured organisations may not be protected from fraudulent transactions because they fall outside of the coverage scope of when their policies were originally signed.

While over half (58%) of organisations have seen an increase in untargeted phishing emails, 65% have seen targeted phishing attacks grow and 67% have seen a spike in whaling attacks, where a cybercriminal dupes employees into making fraudulent transactions on behalf of a CEO or CFO.

Additionally, 50% said they have seen social engineering attacks that utilise malicious macros in attachments increase.

“Cyber insurance uptake is growing quickly but a lack of employee training on the latest email attacks is leaving organisations at great risk of breaking policy terms,” says Nicholas Lennon, country manager ANZ, Mimecast.

“While insurers often pay for clean-up fees after a breach, it is important that organisations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account,” he explains

“Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered.

"With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up-to-date,” Lennon says.

“A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail safes.