The report, Cyber's Sleeper Threat: Business Email Compromise, was published in conjunction with Marsh McLennan’s Cyber Risk Intelligence Center and investigates the threat and impact of BEC attacks – sophisticated forms of phishing that exploit human vulnerabilities rather than technical weaknesses. In these scenarios, attackers impersonate trusted entities to deceive employees into transferring funds, making it difficult for traditional security measures to detect and mitigate the risk effectively.
An analysis of Marsh’s proprietary claims database over the last five years found more than 550 successful BEC events impacting Marsh clients with either a cyber or crime insurance policy in place. Of these events for which loss data is available, the report reveals the greatest number have a loss around 0.1% of the company revenue. For a company with $1 billion in revenue that amounts to a $1 million loss.
Despite the considerable financial threat, commercially available cyber vendor models have mixed approaches as to whether BEC claims should be accounted for in their catastrophe event catalogue, the report says. The report found that only one industry-leading vendor has incorporated BEC as an explicit cyber peril into its models.
“Cyber threats such as ransomware attacks, zero-day vulnerability exploits, and cloud service provider outages dominate the headlines. The consequences of a successful BEC attack, however, can also be devastating for an organization and create large losses for cyber (re)insurers,” said Erica Davis, global co-head of cyber, Guy Carpenter. “By driving awareness of the right cybersecurity measures, we can collectively improve the resilience of organizations against BEC threats and mitigate its impact on underwriting profitability.”
You can access the full report here
|
