[BreachExchange] BEC overtakes ransomware and data breaches in cyber-insurance claims

Destry Winant destry at riskbasedsecurity.com
Tue Sep 3 09:58:54 EDT 2019


Business email compromise (BEC) has overtaken ransomware and data
breaches as the main reason companies filed a cyber-insurance claim in
the EMEA (Europe, the Middle East, and Asia) region last year, said
insurance giant AIG.

According to statistics published in July, AIG said that BEC-related
insurance filings accounted for nearly a quarter (23%) of all
cyber-insurance claims the company received in 2018.

Ransomware-related incidents came in in second place, accounting for
18% of all cyber-insurance claims in the EMEA region, followed by
claims for data breaches caused by hackers and data breaches caused by
employee negligence (e.g. sending data to the wrong person), both with

All in all, AIG said that cyber-insurance claims nearly doubled
between 2017 and 2018 and that they received more cyber-insurance
claims last year than in 2016 and 2017 combined.

The fact that BEC attacks ranked first is no surprise for industry
experts. In April 2019, the FBI said losses caused by BEC (Business
Email Compromise) scams doubled in 2018, compared to 2017 figures, and
reached a whopping $1.3 billion, based on victim reports received by
the agency's Internet Crime Complaint Center (IC3).

AIG blamed the recent rise in BEC-related cyber-insurance claims on
the poor security measures victim companies had in place, such as the
use of poor passwords for email accounts, companies not using
multi-factor authentication, or the lack of employee training in
regards to email-based attacks.


But despite BEC ranking first, AIG expects that ransomware may soon
reclaim its top spot, which it held in the previous year, in 2017,
when ransomware-related claims accounted for 26% of all
cyber-insurance claims.

The number of ransomware-related cyber-insurance claims dropped in
2018 because ransomware attacks, in general, became more targeted.

Nowadays, ransomware gangs tend to go after companies and government
organizations, rather than home consumers. The incidents are fewer,
but the payouts for criminal gangs are larger.

But despite the smaller number of ransomware infections, AIG believes
the number of cyber-insurance claims will go up, as enterprise and
government victims learn that they can offset losses by filing a
cyber-insurance claim.

A trend like this has already become widespread in the US. A recent
ProPublica investigation discovered that insurance companies are now
advising victims to pay the ransom demand and then file a
cyber-insurance claim. This recent tactic, seen predominantly in the
US, is a win-win strategy where the victim regains access to its files
and the cyber-insurer gets away with covering a smaller claim for the
ransom demand, rather than a bigger one for rebuilding a victim's
entire IT network.


But the most interesting trend from the AIG report in regards to
cyber-insurance claims filed in 2018 in the EMEA region is one that's
related to the EU's new General Data Protection Regulation (GDPR).

AIG noted a pronounced "GDPR effect," meaning that companies started
filing more cyber-insurance claims after the GDPR came into effect in
late May 2018.

The reason may be that companies can't hide data breaches anymore,
facing steep GDPR penalties, so they choose to go public and file a
cyber-insurance claim to cover some of their costs and the impending
GDPR fine.

AIG said that around a fifth of all cyber-insurance claims it received
in 2018 in the EMEA region also included a public GDPR notification.
Those insurance claims, AIG noted, included costs significantly higher
in comparison to claims that didn't result in a GDPR data breach

More information about the BreachExchange mailing list