About Us | The New Age of Cyber Risk: Part II - June 22, 2010

The New Age of Cyber Risk: Part II (2 of 2)

By Steve Haase & Thomas C. Heath

(Read Part 1 of 2)

The Incident

About ten months later, as Tom walked into his agency to start yet another hectic day of work, he noticed the agency's bookkeeper pacing back and forth outside of Tom's office. The bookkeeper, who now saw Tom, started a brisk run at him, "We've been hit!"

Tom could see the absolute horror on his face, "By what?" he asked. "Someone gained access to our bank account and $85,000 is missing!" "What?" Tom shouted back. "How did this happen, we have put up just about all possible safeguards! Have you called the bank to see if they could stop the transfer?" "I have, but the bank doesn't open for another two hours, I've left messages!" the bookkeeper shouted in fear.

"I looked at the account this morning and saw that a check was issued for $100 two days ago to a company called iTech Solutions Co., which is very similar to one of our vendor's names. Apparently that was just a test and late yesterday before we closed they issued 10 separate checks to the same company for a total of $85,000! I've tried finding this company name but it doesn't exist. It's just a fronting company for the hackers."

Tom couldn't believe that this was happening. It felt just like a bad dream. "How did this happen? We keep our anti-virus software updated, we only use two different computers to handle our banking transactions; you, me, and Jane are the only ones who have access to those accounts. Have you noticed anything strange or different in the past few weeks?" Tom asked.

The bookkeeper replied, "Yesterday there was a pop-up on my computer asking to update the Microsoft operating system, but it had the Microsoft logo on it." Tom asked, "Are you sure? People can easily copy those logos these days." "I don't know, I'm pretty sure!" the bookkeeper said franticly.

Tom wasn't sure what to do but knew he had to act quickly, "Alright, first and foremost, you need to keep trying the bank until you get someone who can try and stop that transfer. I'm going to contact our lawyer. Also, get into our accounts and see if you can change our passwords for the meantime; and whatever you do, do not save them in the computer!"

Reporting the Incident

As the bookkeeper darted out of Tom's office Tom immediately dialed Matt, the agency's lawyer. Tom started speaking before Matt could even get the phone to his ear, "Matt, this is Tom Wellington from Wellington Agency, we have an issue." "What's going on?" Matt asked. "Our system has been hacked into and we have a large amount of cash missing, I need to get your take on this."

Matt asked, "Has any customer information been taken or tampered with?" Tom had no idea how bad the damage was and this scared him. For all he knew, the hackers could have stolen every piece of information and wrecked the entire system. "I don't know, I just found out about the attack and haven't had time to check." Matt replied, "That is something you need to verify. If private information has been breached, we may need to notify affected parties to try to avoid potential regulatory action. You better hire a computer forensics person to check the logs and determine what the hackers had access to. Also, you might want to think about hiring a PR company. Some of the biggest damages associated with cyber attacks are due to loss of reputation. Also, call your insurer and notify them of the claim but at this point there is no need to notify public officials. I will be in touch soon."

After hanging up the phone Tom immediately called his cyber insurer, "Andrea, it's Tom from Wellington Agency." "Hey Tom is everything alright?" Andrea asked. "Not exactly, I'm calling you to let you know that someone has hacked into our bank account and stolen $85,000." "Oh no, did this just happen today?" Andrea asked. "No, it was late yesterday afternoon. They hacked in at the close of the work day." Tom replied. "Alright Tom, I just need to ask you a few questions and we will assign a claims person to your agency right away." Tom couldn't stop thinking about the possible damages the agency might have on their hands. He knew that if a lot of their customer information was stolen that the lawsuits could be significant. Additionally, the cost of notifying third parties can be over $200 per file, he has been told. He knew his agency might be put on the brink of survival. "Alright, what do you need from me?" he asked.

Conclusion

After several weeks of investigating, it was determined that it was unlikely that sensitive third party data was breached. Thus, Wellington Agency was able to avoid having to incur notification costs and PR expenses. After many hours were spent talking with the claims adjuster; however, it was determined that the cyber policy provided no coverage for the money stolen out of the agency's account. At first, this was very disappointing to Tom, but after reviewing the agency's other insurance policies, he soon realized that he had adequate coverage under his crime policy. The computer fraud endorsement attached to the policy covered theft of money resulting from computer fraud. Therefore, Tom was able to continue the operations of his agency with little loss besides the deductible paid and the time spent on resolving the claim.

After experiencing a cyber loss first-hand, Tom made sure to warn all of his customers about the event and made sure that they had adequate crime coverage, including both computer fraud and wired funds endorsements. He suspected that many of his clients, like him, would assume an attack like the one he experienced was a cyber risk claim; when, in fact, the loss would normally be picked up under a properly constructed crime policy with adequate limits.

In doing further research, Tom learned that in similar incidents hackers were able to wire funds out of bank accounts. In other instances they were able to view processed checks and see the routing number and account number. This enabled them to actually recreate the checks and attempt to deposit them in an account in which the funds were then wired to an offshore account. He found that this type of scenario is hitting firms at an almost epidemic rate.

Alternative Scenario

Tom also wondered what alternative scenarios could have occurred. He remembered that one of his clients spun off a subsidiary, and their bookkeeper continued to do bookkeeping for the spin off as well as manage their bank account and implement their accounting system. This type of scenario could be vulnerable to the same type of attack but with a completely different coverage outcome. A breach of security at their network that led to economic harm at the former subsidiary's bank could be claimed under the third party network security liability section of the policy.

In the end, Tom and his agency learned a lot about cyber attacks the hard way. Fortunately though, the agency had assessed the company's cyber risk exposures fairly well and had purchased basic coverage. After the loss, Tom and Jane decided that every twelve months they would perform a company-wide risk assessment and review of the available coverages.