Last month, a former private security officer in California was ordered to pay nearly USD 319,000 in damages for attacking his employer’s computer systems.
Yovan Garcia reportedly accessed payroll records to inflate his wages and stole data to set up a rival business. Whether they act with malicious intent or simply make a mistake, insiders are a significant cause of cyber incidents.
A recent survey of 4,500 CIOs by Harvey Nash and KPMG revealed that the insider threat is among the fastest-growing security risks. It found that insiders were responsible for 47% of attacks compared with 40% in the previous survey.
Analysis of cyber incidents by IBM in 2016 also identified an increasing threat to companies from employees and contractors. It found that some 60% of cyber incidents involve an insider, up from 55% in the previous year’s survey. According to IBM, one third of attacks involved “inadvertent actors”, such as an employee who mistakenly enables a cyber-criminal to access systems, while almost 45% of attacks involved a malicious insider.
A separate study by NetDiligence in 2016 revealed that 30% of cyber insurance claims were attributable to the actions of insiders. Of these, 77% were unintentional and caused by human error, while the remaining 23% were caused or abetted by rogue employees.
Gaps in cover
Cyber security procedures can help reduce incidents of human error, but the malicious actions of insiders are a more difficult risk to prevent. Pre-employment screening and cyber security procedures and processes can go only so far, but cyber insurance can cover losses associated with insider-related cyber incidents.
But not all incidents that involve IT systems are cyber. Comprehensive protection from the financial impact of malicious insiders calls for both a modern, broadly drafted crime policy as well as a cyber policy.
Crime insurance and standalone cyber will both cover cyber crimes perpetrated by malicious insiders, and if both policies are as broad as current market conditions allow, there are neither gaps nor overlaps.
A recent development in the market has seen insurers offer combined cyber and crime insurance. These policies should be attractive for smaller companies, but they can also be used to provide larger companies with additional capacity.
Financial institutions, for example, have come to realise the need for larger limits as the true extent of their cyber-crime exposures has been revealed. In 2015, criminals attempted to steal USD 1 billion from the Bank of Bangladesh. In contrast, crime insurance policies have limits of around USD 200 million to USD 400 million.
Download Cyber Decoder – June 2017