New data reveals top vulnerabilities exploited by cyber criminals
Understanding cyber trends and implementing effective protections are essential steps for businesses aiming to navigate the complex cyber threat environment and ensure long-term resilience.
Informed by recent data shared at an insurance industry cyber seminar, this article sets out emerging trends in cybercrime as reported by legal and insurance professionals specialising in cyber risk.
Cybercrime by numbers
Statistics collated by the expert panel at the National Insurance Brokers Association of Australia (NIBA) cyber seminar, covering the 12-month period to 30 June 2024:
- The financial impact of cybercrime events worldwide in FY24 was estimated at $10.5 trillion
- Funds transfer fraud (FTF) is now the most frequent cyber event that insurers are responding to, accounting for 28% of claims
- Business email compromise (BEC) is the second most frequent cyber event, accounting for 25% of claims
- Businesses running the Microsoft suite are twice as likely to experience a cyber event claim as businesses running G Suite. This is attributed to the accessibility and prevalence of the Microsoft suite
- Australian SME businesses have reported 29 billion cyber attacks this year.
Fastest growing areas of cybercrime
Put simply, FTF is an attack in which a threat actor obtains a company’s usernames, passwords, or other banking information and uses them to steal and transfer money.
Cybercriminals are finding innovative ways to exploit vulnerabilities in the online systems that companies trust, using sophisticated methods to make businesses unwittingly hand over money to fraudsters.
As an example, threat actors might use deceptive emails or fake websites that look legitimate to trick businesses into sharing sensitive information. FTF claims are rising rapidly, with an average cost of $278,000 per claim. This figure includes the stolen funds themselves along with investigation and forensics costs.
It should be highlighted that recovery of funds is most successful when the incident is reported within 72 hours. It is also imperative to note that insurers require their customers to notify the police, as insurers are unable to work with banks unless a police report number has been filed.
Business email compromise (BEC) is where threat actors use a form of phishing to obtain money, business information or goods from businesses. Usually, threat actors pose as representatives of a company in order to gain access to these.
The five most frequent BEC scams we see are:
- CEO fraud: the attacker impersonates the CEO via email and typically requests that funds be transferred to the attacker’s account.
- Account compromise: an employee’s email account is compromised and used to request vendor payments, which are then sent to fraudulent bank accounts controlled by the attacker.
- False invoice scheme: the attacker poses as a supplier and requests fund transfers to fraudulent accounts.
- Legal impersonation: the attacker impersonates a lawyer or legal representative. Employees who would not have the knowledge to question the validity of such a request are commonly targeted.
- Data theft: attacks that attempt to obtain personal or sensitive information about individuals within the company.
Incident response best practice
Best practice steps to follow in the event of a cyber incident are:
- Identify
- Contain
- Eradicate
- Resolve
Over recent years, companies, especially SMEs that rely on outsourced managed service providers (MSPs), have been skimming over steps two and three because of the additional time and cost involved in finding and resolving the root cause.
However, steps two and three, containment and eradication, are the most critical to minimising the vulnerability and preventing further impacts or additional attacks.
Ensuring appropriate coverage
Generally, all cyber insurance policies provide coverage for similar events; however, coverage can vary greatly depending on the policy wording issued. It is vital that clients secure the broadest level of coverage, making certain that the policy is triggered by both security events and system failures, not just security-related events.
This coverage concern has been brought to the forefront recently by the CrowdStrike event. See our recent article on that incident.
Regulatory developments
Currently, the Federal Government is undertaking an extensive review of the Privacy Act 1988. According to law firm Clyde & Co, there are 116 proposed amendments, which are set to be brought before parliament in November 2024. Some of the key concerns that will affect the cyber, insurance and SME landscape are as follows:
- Currently, there is a 30-day notification period for breaches of the Act. This allows the affected organisation to assess whether the notification is accurate and to notify the regulator and its clients in a timely manner.
The proposed amendment would substantially reduce this 30-day period to 72 hours. This development may drastically change the landscape of director and board obligations. The intent is to align with UK privacy law, whereby a “light” notification is issued within 72 hours, an assessment is then conducted and, if required, the notification can be ‘wound back’ after investigation and once a business case is put forward.
- The SME market currently has an exemption under the Privacy Act from notification if it falls under a certain threshold. Under the proposed changes, this exemption is to be removed. This would mean an additional 2 million businesses would be subject not only to breach notification but also to the expedited timeframe described above. Understandably, SME associations are pushing back on this amendment with fierce objection.
- Ransomware events have drastically reduced in frequency over the last two years; however, ransomware remains the most expensive and complex type of claim to resolve. Many businesses, not understanding the ramifications, pay the ransom without proper consultation with experts. This has led to claims being denied, payments being deemed illegal and even criminal charges being laid. With evidence collected over many years, insurers and cyber experts now maintain a ransomware sanctions list. Typically, paying a ransom is no cause for concern under an insurance policy; however, if a ransom is paid to one of the known sanctioned entities, charges can be brought against the client.
The contractual and regulatory environment is ever evolving, with more onerous clauses continuing to emerge. As outlined above, further developments and obligations are being sought. It is therefore essential for clients to partner with risk advisors adept at navigating these exposures and, where possible, to transfer these exposures via cyber liability insurance.