Business Email Compromise (BEC), a form of phishing in which attackers manipulate individuals into unintentionally facilitating fraudulent activities, is an often overlooked cyber threat that is considered to be one of the most financially damaging across the sector, according to Guy Carpenter, the global risk and reinsurance specialist and business of Marsh McLennan.
In a new report, Guy Carpenter investigates the threat and impact of BEC attacks. The report was published in conjunction with Marsh McLennan’s Cyber Risk Intelligence Center.
One key takeaway from the report is that, with the frequency and sophistication of BEC attacks continuing to rise, organisations must do better to understand the complexity of this threat in order to implement robust defenses and safeguard their assets, reputation and operations, Guy Carpenter states.
BEC attacks usually involve impersonation schemes, in which cybercriminals masquerade as trusted entities, such as company executives, vendors or business partners, to deceive employees into revealing sensitive information, authorising fraudulent transactions or compromising corporate networks.
The consequences of a successful BEC attack can be devastating, ranging from financial losses and regulatory penalties to irreparable damage to a business's reputation and customer trust, the report states.
According to data from the FBI’s Internet Crime Complaint Center (IC3), reported economic losses associated with BEC attacks exceed billions of dollars every year.
In addition, an analysis of Marsh’s proprietary claims database over the last five years found more than 550 successful BEC events impacting Marsh clients with either a cyber or crime insurance policy in place.
Among the events for which loss data is available, the greatest number have a loss of around 0.1% of company revenue. For a company with $1 billion in revenue, this amounts to a $1 million loss.
However, despite the considerable financial threat, Guy Carpenter explains that commercially available cyber vendor models seem to take mixed approaches to whether BEC claims should be accounted for in their catastrophe event catalogue.
At the time of the report, only one industry-leading vendor reportedly incorporated BEC as an explicit cyber peril into its models, with loss contribution limited to the attritional component of the model.
Guy Carpenter warns that BEC is not a new threat vector, and that, like many cyberattack vectors, it is gaining in popularity due to its relatively low technical lift, which makes it highly effective and lucrative from the threat actors’ perspective.
Erica Davis, global co-head of cyber, Guy Carpenter, commented: “Cyber threats such as ransomware attacks, zero-day vulnerability exploits, and cloud service provider outages dominate the headlines. The consequences of a successful BEC attack, however, can also be devastating for an organization and create large losses for cyber (re)insurers. By driving awareness of the right cybersecurity measures, we can collectively improve the resilience of organizations against BEC threats and mitigate its impact on underwriting profitability.”





