Mimecast opened InfoSecurity Europe 2016 with a stark warning to organisations relying on cyber insurance: your policies may not be fully up-to-date in covering new social engineering email attacks, leaving companies at risk of taking the full financial brunt of these attacks.
New Mimecast research, based on a survey of 436 IT experts at organisations in the US, UK, South Africa and Australia in March 2016, found that as the cyber-insurance industry grows and email attack techniques evolve, almost half (45 percent) of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10 percent believe it is completely up-to-date.
Just 43 percent of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions. Nearly two-thirds (64 percent) of firms don't have any cyber insurance at all.
Mimecast has said that the rise of ‘whaling’ attacks, where an attacker might pretend to be the CEO to trick an employee into transferring large sums of money to an attacker's bank account, has created an attack climate in which many insured organisations may not be protected from fraudulent transactions, because such losses fall outside the coverage scope as it stood when their policies were originally signed.
Over half (58 percent) of organisations have seen an increase in untargeted phishing emails, while 65 percent have seen targeted phishing attacks grow and 67 percent have seen a spike in whaling attacks. Additionally, 50 percent said they have seen an increase in social engineering attacks that utilise malicious macros in attachments.
“Cyber insurance uptake is growing quickly but a lack of employee training on the latest email attacks is leaving organisations at great risk of breaking policy terms,” said Steven Malone, director of security product management at Mimecast.
Malone advised, “While insurers often pay for clean-up fees after a breach, it is important that organisations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account. Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered.”
Mimecast said that with the cyber-security landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up-to-date. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technological fail-safes.