Will your cyber insurance pay for email attacks?
If you’re relying on cyber insurance, check if your policies are up-to-date in covering new social engineering email attacks that are leaving firms at risk for taking the full financial brunt of these attacks.
New Mimecast research into the growing cyber insurance industry and evolving email attack techniques reveals that 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date.
Just 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions. 64% of firms don’t have any cyber insurance at all.
The rise of whaling (CEO fraud) has created an attack climate where many insured organizations may not be protected from fraudulent transactions because they fall outside of the coverage scope of when their policies were originally signed.
While 58% of organizations have seen an increase in untargeted phishing emails, 65% have seen targeted phishing attacks grow and 67% have seen a spike in whaling attacks, where a cybercriminal dupes employees into making fraudulent transactions on behalf of a CEO or CFO. Additionally, 50% said they have seen social engineering attacks that utilize malicious macros in attachments increase.
“Cyber insurance uptake is growing quickly but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms,” said Steven Malone, director of security product management, Mimecast. “While insurers often pay for clean-up fees after a breach, it is important that organizations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account. Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered.
With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up-to-date. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.”