We buy a cyber insurance policy to lessen the blow of a successful cyber attack. Unfortunately, it doesn't always work as expected.
Phishing happens every day. It's at the start of virtually every cyber attack.
We all hear about it. We see it.
The reality is that it works, and it's here to stay.
So here's a short story about a title company's legal battle with their cyber insurance carrier over a misdirected wire. It started with a Phish and ended with a lot of lost money. And if you're reading this, it's relevant for you or someone on your team.
For starters (and forgive me for the simplification), title companies are your trusted intermediary for closing your home purchase. They're the ones who check all the boxes and make sure that cash passes to the seller and title passes to the buyer. Normally, the process simply hums along and deals get done without (much) stress.
But then there are the times when things go awry, and it can turn very bad.
In this case, Star Title Partners of Palm Harbor accidentally sent a wire to the wrong destination. A cybercriminal posed as the mortgage company to whom the wire was to be sent. This typically happens when an attacker has Phished their way into a network and simply waits until it's time to pounce.
This is awful. I don't want to downplay the sinking feeling when you realize a huge sum of money is gone. But that's actually not the point of this post.
Fortunately, the title company had cyber insurance. So they go ahead and make their wire fraud claim.
The claim gets denied.
Next step, the attorneys cheerily get involved.
This court battle has gone all the way to Florida's Eleventh Circuit Court of Appeals. And to the dismay of Star Title, their insurance carrier is still not on the hook.
So far, the judge in the Middle District of Florida found that Star Title's claim is not valid, as they did not verbally confirm the wire instructions prior to sending. Additionally, their cyber policy "excluded coverage for wire fraud that did not directly involve Star Title’s employees, customers, clients or vendors." Unsurprisingly, this fraudster was none of those.
The insurer also points out that the policy excludes coverage for losses that relate to any person “purporting to be a representative of any financial institution, asset manager, broker-dealer, armored motor vehicle company, or any similar entity.”
And that might be the nail in the coffin. Most of these con artists "purport" to be exactly one of the above.
So what do you do about it?
You want to first keep the hacker out of your network to prevent this kind of snooping and well-timed emailing.
You've already got spam filters that do some of the work. If you're not already, you should be using multi-factor authentication to protect against malicious login attempts.
Next, you want to train your people to avoid these attacks! They need to know how to avoid the initial Phish and the fraudulent wire instructions.
These are key protections from a robust Security Awareness Training program.
In fact, cyber insurers are overwhelmingly requiring Security Awareness Training. And it's even gotten to the point where they will check to ensure that the program was active and not just a check box. That's not a road you want to go down.
Cyber insurance is still a must-have and needs to be paired with a layered security approach to protect your business and your assets.
And here's a quote we love from one of our Partners - Davis Tran at C3 TECH:
"As an MSP, our goal is to protect our client’s network and stay in compliance with regulations. Our goal is also to be the trusted advisors when it comes to cyber security insurance. Cyber Security Insurance Premiums have been ramping up at an exponential rate year over year. To help lower premiums, C3 Tech has positioned tools like INFIMA to address the concerns of the insurance firms. INFIMA produced a cyber security policy document and training report that was brought up in a board meeting. We were able to address one of the cyber security controls and thus save the company money on their premium."
INFIMA simply makes it easy to provide a complete, fully automated Security Awareness Training program.
If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!