For small to medium size businesses, it results in over $40,000 in costs per incident, on average. The cost of falling for phishing is more than $48,000 per incident, he said.

Since the report was published, Pozhogin said, Kaspersky Lab has seen a huge jump — eight times as many — in ransomware attacks on companies, which mostly result from phishing.

Beazley reported in January that ransomware attacks quadrupled in 2016 over the previous year, and it expects the attacks to double again in 2017.

According to the FBI, business email compromise, which it defines as sophisticated scams targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments, affected 7,066 businesses from October 2013 to August 2015, for a total loss to U.S. companies of $750 million. The loss increases to $1.2 billion when combined with international

Pozhogin said the biggest challenges in implementing employee training “are underestimating the risk (both probability and potential impact of a cyber incident) and significant friction when implementing yet

Tom Dunbar, senior vice president and head of information risk management at XL Catlin, said employees take educational efforts seriously when organizations discuss the consequences and risks of lax cyber

“When you demonstrate why you are doing it, why it has meaning, then you get the cooperation,” he said.

Dunbar, who earned a 2014 Risk & Insurance® Risk All Star award for his innovative cyber security work, said his company engages employees by using humorous gamification in its online training to focus on specific cyber security risks, and then it tests them — throughout the year — to keep the

Last year, it also ran a video campaign on cyber security risks and responses. For every view by an employee, the company donated $1 to charity, he said. His department also uses blogging as well as computer screen savers and wall posters to reinforce the messages.

The training teaches employees, for example, to “mouse over” the link of an email or the firm name and address to see if there are clues to a phishing

The company also sends out false emails to employees to see “how many we hooked and how many swam away” from a phishing attempt, Dunbar said. Then it sends out the email again highlighting the elements that should have clued in employees that the email

It does the same with phone calls. Using a third party, employees may get a phone call from the help desk or vendor asking for information.

“It’s really trying to get colleagues to understand that attackers, the phishers, will try to come from any angle,” he said.

Dunbar said his team partners with legal, compliance, HR, marketing and other areas “to make sure we have support and things resonate but the actual program — creating it, designing it, is done by us.”

The phishing “exercises create a lot of awareness,” said John Coletti, chief underwriting officer for cyber and technology at XL Catlin. “They are very highly discussed internally and people will say, ‘Hey, did it get you?’ ”

total responsibility for cyber security to the IT department.

“I think it primarily belongs to the risk manager,” Frappolli said. “The risk manager, the HR department and the IT folks should be in lock step on how to educate employees and how to close

Companies must also create an environment that is open, said Kaiser of the National Cyber Security Alliance.

“If the response to [clicking on a phishing email] is, ‘How could you be so stupid?’ people aren’t going to tell you,” he said.

And that knowledge is important, or hackers could be in a company’s network for months without the company being aware.

Marsh’s Parisi said his favorite testing exercise is when companies send out fake emails and, when the link is clicked, the worker’s computer displays a note that the system was taken over by a hacker. After 10 seconds or so, the display changes to a notification that the worker failed the cyber security exercise and must sign up for the next training class.

“I find it odd at times that a lot of companies aren’t as energetic or enthusiastic about training rather than building the latest and newest firewall,”

CRIME OR CYBER?

When underwriting policies, XL Catlin’s Coletti looks at not only IT system defenses, but also turnover within key areas and outsourcing changes that may result in disgruntled employees. He also looks at segregation of data access, to ensure that employees are limited to necessary data only.

“I think most of the companies we look at have very good employee campaigns. Companies are extremely sensitive to the fact that phishing is the easiest way for a hacker to get a foothold in your organization,” he said.

When it comes to social engineering schemes, such as when an employee wires funds to an imposter, that can create problems with insurance coverage, he said.

“My sense is that doesn’t sound like cyber coverage to me,” Coletti said. “If I trick you into wiring funds to somebody and you do, I’m not sure why that becomes a cyber claim. There’s nothing cyber about that. ... To me, that’s crime coverage.

“From a coverage perspective,” said Marsh’s Parisi, “it doesn’t matter if a person has criminal motivation or did something stupid. They will cover it. There’s no stupidity exclusion in cyber

But it depends on the type of loss that results from a social engineering scheme, he said. If it leads to a breach of privacy or data breach, that would be covered by a cyber policy. If the scheme results in an employee transferring funds, then it would be a crime or fidelity policy.

He noted there also is an “intentional acts limitation” in policies that relates to “the control group,” which generally is seen as the C-suite. If a C-suite executive engaged in fraudulent activity, that may not be covered by insurance, while an act by a “rogue employee” would be covered.

In the last 18 months or so, social engineering fraud endorsements have been available for crime coverage, he

“Cyber is not a panacea for all things that involve a computer. There are a lot of ways technology can cause loss or harm that isn’t necessarily picked up under a cyber policy,” Parisi said. “But what we have seen is an increasing reluctance of traditional P&C markets to cover cyber-related perils, creating a vacuum that the cyber markets can fill.”

Rosenzweig of Risk Strategies said there “is not a consistent response across the marketplace” as to whether a social engineering claim is covered under a cyber or crime policy.

“There is still a bit of finger-pointing on this,” he said. “That’s a point of frustration for clients.

“If the program isn’t structured correctly, sometimes these types of claims can fall within the cracks.”

Andy Lea, vice president, underwriting for E&O, media and cyber, at CNA, said that while cyber policies are becoming broader as they relate to social engineering and data, the “available policy language and philosophy differ from carrier to carrier, and coverage can be very fact and circumstance specific, if they provide coverage at all.”

ANNE FREEDMAN is managing editor of Risk & Insurance®. She can be reached at

“If the program isn’t structured correctly, sometimes these types of claims can fall within the cracks.”
—Rob Rosenzweig, vice president and national cyber risk practice leader, Risk Strategies Co.

“Given the option between the effort of hacking code or getting the average employee in the organization to hand you the key, they clearly see a better return on time spent.”
—Roger Miles, professor of risk-related psychology, Cambridge University and the UK Defence Academy