Using malicious software that gave them long-term access to banking systems, a group of Russians, Chinese and Europeans dubbed “Carbanak” were able to siphon off around $300 million in one of the world’s largest bank robberies ever, from banks in Russia, Japan, the Netherlands, Switzerland and the United States. In some cases, the hackers even had direct remote access to the internal ATM networks, which they used to remotely withdraw cash.
This incident has highlighted the importance of risk management coupled with properly scoped insurance covers, with many assuming that such a financial loss would be covered under a cyber insurance policy.
This type of loss would not fall under a cyber risk policy, but would be catered for under either a Blended Financial Lines Policy which includes computer crime cover as well as fraudulent internet transactions, or a Commercial Crime Policy which also provides computer crime cover.
The importance of having the right cover in place cannot be emphasized enough. There is still a sense of mystery as to what Cyber Risks policies actually cover, and when an incident like this is reported, the assumption is that the loss would be covered under a cyber policy. However, this is not the case, as cyber policies cover loss of data and security protection specifically.
Most cyber policies cover first party costs and any resultant liability arising from a loss of data or a breach of network security – with data being defined as personally identifiable data and corporate information. First party costs include legal services, IT services, data restoration costs, reputational protection, notification costs, credit and ID monitoring, cyber extortion, and the loss of profits following from a network interruption.
Cyber liability covers damages and defence costs arising from a claim made against the insured in respect of an actual or alleged breach of personal information and corporate information, a security failure, failure to notify or a breach of information holder protocols in respect of the processing of personal or corporate information.
The loss suffered by the banks in this case, however, is a tangible financial loss, in other words loss of money in the custody, care and control of the banks, caused by a third-party infiltration into the banks' computer systems. This type of financial loss, although a result of cybercrime, is catered for under a Computer Crime Policy. Financial institutions purchase what is known as Blended Financial Lines Policies, which include computer crime cover as well as internet transactions. The coverage is also available under a Commercial Crime Policy, which covers employee dishonesty and computer crime.
Computer Crime policies provide coverage in respect of a direct financial loss resulting from computer crime or computer virus damages. Computer Crime is usually defined as the unauthorised introduction of electronic data or electronic computer instructions, the unauthorised modification, corruption or deletion of electronic data or electronic computer instructions and so forth. Computer virus damage means the loss or destruction or amendment of electronic data or electronic computer instructions or the insured having paid or delivered funds upon the reliance of electronic data or electronic computer instructions affected by such malicious electronic instruction.
Regardless of size or status, no business is safe from hackers, unless it includes security as its ultimate priority. There is no one-size-fits-all approach to cyber risk insurance. It all depends on the size of the company, the nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in protecting your reputation, data, clients and bottom line.
Kerry Curtin, Manager: Financial Institutions & Professional Risks at Aon South Africa