Identifying (re)insurance Cyber Risk Scenarios

Underwriters, brokers, and reinsurers face a range of cyber threats. No insurance company wants to pay a fraudulent claim, no broker wants to be leaking personal data, and no reinsurer wants to pay a reinsurance claim without the right information or while the cedant is still waiting to receive the pay-out – but there are plausible scenarios where hackers might be one step ahead.
Imagine a scenario where a major “big ticket” claim is being processed, for an incident like the Costa Concordia, for example.

Now imagine a point in time when a major incident occurs, there is a reinsurance layer and everything is being put in place to pay out on what will be a sizeable claim. Hackers have infiltrated the business and are perhaps monitoring the email traffic between the reinsurer and the insurer.

The reinsurer comes back to the insurer and says, “OK, we need to look at this last piece of evidence, and once we have that we will pay out on the claim.” Now imagine that the last piece of evidence has been provided and the claim has been agreed. At that point the hackers step in to say, “You need to transfer the money to this account, which is our ‘Costa Concordia’ account.”

“Please transfer the money now.” XX Millions is then transferred to an account that doesn’t belong to the ceding insurer!
The reinsurance company has received an email, the timing seems right, and the reinsurer has even received an email from the insurance company’s own mail server, so it is “trusted”; at that point the reinsurer pays up. It is only a week later, when the insurance company chases up to ask, “When are you going to make that payment?”, that the fraud comes to light!

It is not a far-fetched scenario. There are different ways of committing the fraud but the end goal is the same, which is to trick businesses into transferring large sums of money into fraudulent bank accounts, in schemes known as “corporate account takeover” or “business email fraud.”

According to a recent Wall Street Journal report, companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of such schemes, according to the Federal Bureau of Investigation.

To prevent corporate account takeovers in the insurance scenario above, the IT and Finance departments need to have a process in place whereby the reinsurance company contacts the CFO or the reinsurance manager and they speak on the phone. That person-to-person conversation provides a degree of voice recognition, and on that call they confirm the bank details to which the payment will be transferred.

Or imagine a consumer-based insurance scenario where claims pay-outs are automated below an agreed £100 threshold across the board, when suddenly there is a spike of £99 claims. On an individual level they are tolerable, but the aggregate claims pay-out is less agreeable. Yet they slip through because they are beneath the radar, and that is a weakness that needs to be identified if there is any possibility that the process has been discovered externally. That is why organisations’ processes and procedures need to be treated as IP.
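The just-under-the-threshold pattern described above is invisible to per-claim approval rules but easy to surface at the aggregate level. The following Python is an added illustration, not code from the original article or from any insurer: it takes the £100 automatic pay-out limit from the article and assumes a "near-limit" band, a baseline period, a spike multiplier and a per-payee concentration rule, all of which are assumptions chosen for the example. The claim records are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Assumed parameters (only the £100 limit comes from the article).
AUTO_APPROVE_LIMIT = 100.00  # pay-outs at or below this are approved automatically
NEAR_BAND = 0.10             # flag claims within 10% below the limit (assumption)
SPIKE_MULTIPLIER = 3.0       # alert when a day exceeds 3x the baseline mean (assumption)
MIN_SPIKE_COUNT = 5          # ignore tiny absolute counts (assumption)

# Constructed sample claims: (claim_id, claim_date, amount_gbp, payee_account).
CLAIMS = [
    # baseline week: a normal mix, roughly one near-limit claim per day
    ("C001", date(2015, 6, 1), 42.50, "ACC-1001"),
    ("C002", date(2015, 6, 1), 96.00, "ACC-1002"),
    ("C003", date(2015, 6, 2), 15.00, "ACC-1003"),
    ("C004", date(2015, 6, 2), 99.00, "ACC-1004"),
    ("C005", date(2015, 6, 3), 250.00, "ACC-1005"),  # above limit: manual handling
    ("C006", date(2015, 6, 3), 93.00, "ACC-1006"),
    ("C007", date(2015, 6, 4), 60.00, "ACC-1007"),
    ("C008", date(2015, 6, 4), 97.50, "ACC-1008"),
    ("C009", date(2015, 6, 5), 98.00, "ACC-1009"),
    ("C010", date(2015, 6, 5), 30.00, "ACC-1010"),
    # the spike: a burst of £99 claims concentrated on two payee accounts
    ("C011", date(2015, 6, 8), 99.00, "ACC-2001"),
    ("C012", date(2015, 6, 8), 99.00, "ACC-2001"),
    ("C013", date(2015, 6, 8), 99.00, "ACC-2001"),
    ("C014", date(2015, 6, 8), 99.00, "ACC-2002"),
    ("C015", date(2015, 6, 8), 99.00, "ACC-2002"),
    ("C016", date(2015, 6, 8), 99.00, "ACC-2002"),
    ("C017", date(2015, 6, 8), 99.00, "ACC-2001"),
    ("C018", date(2015, 6, 8), 55.00, "ACC-2003"),
]

# Days used to establish "normal" near-limit volume (assumption: the prior week).
BASELINE_DAYS = [date(2015, 6, d) for d in range(1, 6)]


def is_near_limit(amount, limit=AUTO_APPROVE_LIMIT, band=NEAR_BAND):
    """True when a claim sits just below the automatic approval limit."""
    return limit * (1.0 - band) <= amount <= limit


def daily_near_limit_counts(claims):
    """Count near-limit claims per calendar day."""
    counts = defaultdict(int)
    for _claim_id, day, amount, _payee in claims:
        if is_near_limit(amount):
            counts[day] += 1
    return dict(counts)


def detect_spikes(claims, baseline_days, multiplier=SPIKE_MULTIPLIER,
                  min_count=MIN_SPIKE_COUNT):
    """Return {day: count} for days whose near-limit volume exceeds the baseline.

    The baseline mean is computed over baseline_days (missing days count as 0),
    so a quiet baseline makes the detector more sensitive, which is intended.
    """
    counts = daily_near_limit_counts(claims)
    baseline = [counts.get(day, 0) for day in baseline_days]
    mean = sum(baseline) / len(baseline)
    alerts = {}
    for day, n in sorted(counts.items()):
        if day in baseline_days:
            continue
        if n >= min_count and n > multiplier * mean:
            alerts[day] = n
    return alerts


def concentrated_payees(claims, min_claims=3):
    """Return {payee: (count, total)} for payees receiving repeated near-limit pay-outs.

    A legitimate customer rarely files several near-limit claims; repeated
    pay-outs to one account are the aggregate signal the article warns about.
    """
    stats = defaultdict(lambda: [0, 0.0])
    for _claim_id, _day, amount, payee in claims:
        if is_near_limit(amount):
            stats[payee][0] += 1
            stats[payee][1] += amount
    return {p: (c, t) for p, (c, t) in stats.items() if c >= min_claims}


if __name__ == "__main__":
    for day, n in detect_spikes(CLAIMS, BASELINE_DAYS).items():
        print(f"{day}: {n} near-limit claims (spike)")
    for payee, (count, total) in concentrated_payees(CLAIMS).items():
        print(f"{payee}: {count} near-limit pay-outs totalling £{total:.2f}")
```

Run stand-alone, the script reports 2015-06-08 as a spike day with 7 near-limit claims and flags ACC-2001 and ACC-2002 as accounts collecting repeated £99 pay-outs. In a real claims system the two checks would feed a hold on automatic payment rather than a print statement, and the band, baseline and multiplier would be tuned against the insurer's own claim history.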

Identifying cyber risks is about monitoring, knowing which information is being bridged between parties, and identifying your data. Know which data is valuable to your organisation, and do not be too prescriptive or narrow in your approach to identifying these risks.

Darren Wray