Cyber Brief for CFOs: October 2024
Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all …
Fraudulent Funds Transfer, or FFT, is now the leading cause of cyber-insurance claims, according to Corvus Insurance.
At the same time, cyber-insurance policy providers are indicating that current approaches won’t be sustainable forever. In fact, the chief executive of Zurich, one of Europe’s largest insurers, recently told the Financial Times that cyber risks will become “uninsurable.”
These developments point to big changes in cyber-insurance trends in 2023. Learn what this means for your organisation – and why stronger cyber-crime prevention should be part of your approach.
Fraudulent Funds Transfer (FFT) is a type of cyber-attack where criminals use social engineering tactics to trick Accounts Payable (AP) staff into transferring funds to illegitimate bank accounts.
FFT is closely linked with Business Email Compromise (BEC). While not all cases of FFT involve compromised email accounts, it’s estimated that 70% of FFT cases do involve BEC.
Reports are now showing that FFT has overtaken ransomware as the most common type of cyber-incident that results in a cyber-insurance claim. FFT accounted for 28% of cyber claims in 2022, and ransomware accounted for 23% of claims. The growth in FFT incidents doesn’t seem to be slowing anytime soon, with FFT accounting for a whopping 36% of all cyber-insurance claims in Q3 2022.
Just as FFT rates continue to surge, insurers are now contemplating whether they can afford to continue providing coverage for cyber-incidents.
There are signs in the US that insurance carriers are adapting as threat landscapes evolve, which can help rates stabilise. But this means carriers are more likely to require a certain baseline for cybersecurity standards, such as multi-factor authentication (MFA). US broker Risk Placement Services claims that prices will ease but that there will be more industry-specific underwriting.
While brokers may have incentives to paint a rosier picture, there are other signs that premiums are increasing and will continue to increase as the number of cyberattacks grow – especially in Australia. Australian experts have noted a similar pattern with tightening security standards, but it’s unclear whether this will stop premiums from increasing in the long term.
More critically, cyber-insurance does not always cover all types of losses associated with a cyber incident.
Losses from cyber-incidents continue to escalate strongly year on year. It’s a worrying trend that has insurance providers deeply concerned over whether standalone cyber-insurance policies will be tenable in the future.
The sector’s underwriters have introduced a suite of measures that limit their financial exposure to cyber-incidents. Those include increasing premiums, plus coverage changes that see clients carrying a greater portion of any financial losses.
However, rising premiums and tighter limitations on payouts could dissuade many organisations from buying cyber-insurance, further undermining the viability of standalone cyber-insurance as a product.
According to a report by the Actuaries Institute, only about 20% of Australian small to medium-sized enterprises (SMEs) currently have standalone cyber-insurance. The figure for larger businesses is higher, where 35% to 70% have taken out policies.
Despite the fact that many Australian organisations don’t currently have standalone cyber-insurance, there’s still a strong trend in that direction. In the first half of 2021, there was a 23% increase in the uptake of standalone cyber-insurance in Australia – possibly because of growing awareness around cyber-threats.
But as insurance providers begin to charge higher premiums and impose tighter restrictions around payouts, the trend toward cyber-insurance could change.
We’ve already seen standalone cyber-insurance premiums rise by up to 80% in the wake of rising cyber-crime. Organisations need to carefully consider whether standalone cyber-insurance represents good value for money, or whether they would be better off investing in additional prevention measures.
After all, the best way to avoid financial losses from cyber-crime is to prevent it from happening in the first place.
Until recently, some standard insurance policies offered a degree of cover for a range of damages related to a cyber-incident. This was known as “silent cyber.” Typically, the standard insurance policy would cover direct damage to property (like ICT systems) that resulted from a cyber-incident.
However, many insurance providers are now explicitly excluding cyber-incidents from their standard policies, as a way of encouraging policyholders to take out standalone cyber-insurance.
Standalone cyber-insurance covers a range of financial losses that can result from a cyber-incident, including:
The challenge for standalone cyber-insurance providers is a lack of historical data, which makes pricing risk notoriously difficult. For example, it can be hard to determine the full cost of a data breach like the one we saw with Optus.
Plus, many organisations suffer long-term reputation damage following a major cyber-incident. Insurers face an impossible task trying to put a price on those sorts of risks.
As the standalone cyber-insurance market matures and more data becomes available, insurers are beginning to understand the extent of the liability they’re carrying. And it’s prompting many insurers to worry that they can’t continue to provide coverage without significantly increasing premiums – or limiting payouts.
FFT is now the leading cause of cyber-insurance claims. At the same time, insurance providers are warning that cyber-incident risk might become uninsurable without significant premium increases or harsher limits on payouts.
Every organisation needs to carefully consider whether investing in standalone cyber-insurance is the right strategy to cover the losses associated with an FFT incident.
An alternative option is to invest in prevention measures that mitigate the risk of facing an FFT incident in the first place.
One of the most robust defences against FFT is a cyber-crime strategy. That means aligning your cybersecurity measures with your internal controls. Because finance and AP teams are usually on the frontlines of financially motivated cyber-crime, the CFO is often best-placed to drive a cyber-crime strategy and protect their organisation from cyber-related financial losses.
So how can you create – and, more importantly – implement a cyber-crime strategy? There are five key elements:
A cyber-crime strategy will be especially important since record cybersecurity spending hasn’t correlated with a decrease in cyber-incidents. Along with the complexity of cyber-insurance, CFOs will need to take a forward-looking approach to protect their organisations’ finances.
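To make the "align cybersecurity with internal controls" point concrete, here is an added example of a pre-payment hold check that targets the FFT pattern described earlier: a fraudster, often from a compromised or lookalike email account, gets AP to change a supplier's bank details shortly before a payment run. The code is illustrative and is not Eftsure's product or any code from this article; the vendor IDs, domains, dates and amounts are constructed, and the 14-day window and the edit-distance threshold for "lookalike" domains are assumptions you would tune to your own AP process.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RECENT_DAYS = 14          # assumption: how long a bank-detail change counts as "recent"
LOOKALIKE_MAX_EDITS = 2   # assumption: edit distance that counts as a lookalike domain


@dataclass(frozen=True)
class BankChange:
    vendor_id: str
    changed_on: date
    requested_from: str         # e-mail address the change request came from
    verified_out_of_band: bool  # confirmed by callback to a number already on file


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    amount: float
    pay_date: date


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def review_payment(payment, changes, vendor_domains):
    """Return the reasons (possibly none) a payment should be held for review."""
    reasons = []
    for ch in changes:
        if ch.vendor_id != payment.vendor_id:
            continue
        age = payment.pay_date - ch.changed_on
        # Control 1: recent bank-detail change that nobody confirmed out of band.
        if timedelta(0) <= age <= timedelta(days=RECENT_DAYS) and not ch.verified_out_of_band:
            reasons.append(
                f"bank details changed {age.days} days before payment without out-of-band verification"
            )
        # Control 2: the change request came from a domain that merely resembles the vendor's.
        req = domain_of(ch.requested_from)
        known = vendor_domains.get(ch.vendor_id)
        if known and req != known and edit_distance(req, known) <= LOOKALIKE_MAX_EDITS:
            reasons.append(f"change requested from lookalike domain {req} (vendor domain is {known})")
    return reasons


def review_batch(payments, changes, vendor_domains):
    """List of (vendor_id, reasons) for every payment in the batch that needs a hold."""
    held = []
    for p in payments:
        reasons = review_payment(p, changes, vendor_domains)
        if reasons:
            held.append((p.vendor_id, reasons))
    return held


# Constructed sample data (not from the article).
VENDOR_DOMAINS = {"V100": "acme-supplies.com", "V200": "northwind.example"}
CHANGES = [
    BankChange("V100", date(2024, 10, 1), "accounts@acme-supplies.co", False),  # lookalike, unverified
    BankChange("V200", date(2024, 4, 2), "ar@northwind.example", True),          # months old, verified
]
BATCH = [
    Payment("V100", 48_500.00, date(2024, 10, 10)),
    Payment("V200", 12_000.00, date(2024, 10, 10)),
    Payment("V300", 900.00, date(2024, 10, 10)),  # no bank change on file
]

if __name__ == "__main__":
    for vendor, reasons in review_batch(BATCH, CHANGES, VENDOR_DOMAINS):
        print(vendor, "HOLD:", "; ".join(reasons))
```

Run against the sample batch, only V100 is held, for both reasons: its details changed nine days before the run with no callback, and the request came from `acme-supplies.co` rather than `acme-supplies.com`. The point of the design is that the hold is driven by data AP already has (the vendor master change log and the batch), so the control works even when the email itself looked entirely legitimate.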