Cyber attacks are on the increase, but who is the real victim?
The 2016 annual Crime Survey of England and Wales concluded that more than 5.5 million cyber offences now take place each year, which accounts for almost 50% of crime in England and Wales.
According to the telecommunications specialist Beaming, British firms were each subjected to an average of almost 230,000 cyber attacks in 2016, and the average volume of attacks hitting an individual company firewall passed 1,000 per day for the first time in November 2016. So what options do insurers and their customers have if an attack is successfully executed?
Compromised email accounts
Take the following situation: an insured company deals in foreign currency exchange and liaises with its customers via registered and verified email addresses. The insured receives instructions from a customer’s registered email address to transfer funds to a third party’s account in, say, Spain. The insured actions the request, but it is subsequently discovered that the customer’s email account had been hacked and a fraudster had sent the instructions from the legitimate account. This is an account takeover, commonly called business email compromise; it is often loosely described as a ‘man in the middle’ attack, but nothing is intercepted in transit, the fraudster simply writes from the genuine mailbox, so the message passes every check that relies on the sender’s address. The customer is unaware of the transaction until he discovers that his money is not where it should be. In that scenario, the insured has simply followed instructions, believing them to be from its client, but the client is left out of pocket.
Putting to one side arguments that the insured’s verification procedures could have been more stringent in the above example, who is liable to compensate the client?
An insured, be it a company or a financial institution, will look to its cyber insurers. However, the majority of policies currently offered will only provide cover where the insured’s own computer systems or data have been manipulated or attacked. Equally, although some financial loss policies will cover electronic crime, many do not specifically cover phishing attacks, again limiting cover to manipulation of computer systems by either a third party or an employee. The result can be a gap in cover.
Alternatively, the financial institution’s financial loss policies may respond under professional negligence cover - on the basis that, if an insured does not compensate a client for the missing funds, a negligence claim would follow (on the basis that the insured did not take adequate steps to protect the client’s money).
The situation is slightly different where money is obtained fraudulently from a client of a firm of solicitors who receives an email purporting to be from their solicitor advising of a change to their firm’s client account details. The Solicitors’ Accounts Rules oblige a solicitor to account to the client for the shortfall and, as such, professional indemnity insurers may find themselves indemnifying their insureds - despite technically no negligent or wrongful act having taken place.
On 9 January 2017, The Telegraph reported an incident involving TSB Bank. A Mr Burton had purchased a motor home for £3,400 via eBay in 2014. He transferred the money to the vendor’s TSB account via PayPal and was told that the vehicle would be delivered within four days. The motor home never appeared and the vendor’s contact number no longer existed.
Mr Burton reported the issue to his bank, Barclays. The bank advised that there was nothing it could do. The money had been siphoned from the TSB account as soon as it was paid in. Mr Burton complained to the Financial Ombudsman, which held that TSB was not at fault. Mr Burton contacted the police, who advised that the vendor’s TSB account had been opened using false identity details. The Ombudsman maintained its rejection of the complaint and it was only when Mr Burton contacted Telegraph Money that TSB agreed to refund Mr Burton.
A changing tide?
Other victims may try to rely on this outcome in support of their own positions. Whether or not Mr Burton’s outcome is truly “landmark” remains to be seen. The adverse publicity is likely to have influenced the bank’s decision to exercise its discretion to compensate Mr Burton. Nonetheless, it could signal a shift in how banks are treated where they have not done everything they could to prevent fraudsters opening accounts.
In order to try to limit their potential exposure to cyber attacks, both insurers and their customers should ensure that:
- They have appropriate firewalls in place to prevent hackers accessing internal systems. Note that a firewall would not have stopped the compromised-mailbox fraud described above, where the instructions came from a genuine account: payment instructions, and in particular any change to account details, should be confirmed with the client through a separate, pre-agreed channel before funds are moved.
- Staff are fully trained to identify and respond to possible fraudulent communications and phishing attempts.
- They have appropriate insurance cover specifically designed to cover cybercrime.
Underwriters should also consider whether their financial and professional indemnity policies are inadvertently exposed to losses arising from these kinds of cyber attacks and, if so, include appropriate exclusions.
If the worst happens and an insurer or insured is targeted, the action taken on identifying the issue is crucial.