More and more, corporate boards are mandating cyber insurance to transfer risk, but watch out, because you might not get what you paid for. A recent International Monetary Fund (IMF) report estimates that annual banking losses could be as high as "9% of net income or $100 billion annually."
Bank breaches impact the viability of both the bank and the customer’s ability to transfer funds or access our accounts. JP Morgan reports that "78% of companies were targets of payment fraud last year... 54% of business email compromise (BEC) scams targeted wires and 28% were subject to ACH debit fraud."
In the 2016 Bangladesh Bank cyber heist, $81 million disappeared in no time, and - but for a typo made by the hackers - it could have been $1 billion. The SWIFT messaging system serves over 11,000 banks and relies on each bank to keep access to its service secure.
More recently, the Bank of Chile lost $10 million to hackers after SWIFT was used to send the money to Hong Kong. The bank is now working with insurers to recoup its losses. Bloomberg reports that in May of this year, $15 million was stolen from Banxico, as hackers attacked the domestic payments system SPEI. And Bancomext was targeted by North Korean hackers attempting to steal $110 million and resulted in the international payments system being frozen across the country.
The Silence Before the (Banking) Storm
Criminal syndicates have been using malware for years in multi-stage attacks that take advantage of unpatched systems, untrained users and weak processes. These kinds of hackers are incredibly patient and creative.
Industry veteran Scott Scheferman described the attackers as “a criminal ring with many operative layers that work in coordination.... it’s not unusual at all for the threat to stay in ‘monitor’ mode for extended periods of time before performing the ‘power moves’ at the end of the heist."
For example, the notorious FIN7 or Carbanak Gang, known for its multi-purpose malware, stole over $1 billion from more than 100 banks over several years. What made Carbanak so successful in hacking banks? Their malware combined keylogging, form grabbing, point-of-sale (POS)/ HTTP monitoring, and desktop video capture for stealing banking data.
In August of 2018, the Department of Justice indicted the Carbanak gang leaders on 26 counts, including conspiracy to commit wire and bank fraud and computer hacking. FIN7 had started their own pen testing company Combi Security to cover their activities and used instant messengers Jabber and HipChat to share files and instructions.
It’s hard to disentangle the many aspects of these breaches. Some are targeted or use insiders, others utilize social engineering, and many are the result of malvertising from innocent browsing. Users click on shady links or enable dangerous macros in Word documents which come to them in the form of fake invoices or bogus IRS communications - as in this example. And with so much data scraping from LinkedIn, Facebook and online dumps from recent data breaches, the phishing threat vector is likely to establish the foothold hackers need.
Many 2017 bank hacks utilized utilized Emotet banking malware, which evades sandbox detection and uses Powershell and other ‘living off the land’ techniques to download additional malware payloads.
The current one-two punch is from Smokeloader and Trickbot (a data stealer). Clients can be pwnd in seconds and unless they have protections against scripts and sophisticated malware variants, their systems may become part of a multi-stage attack. Hackers will collect username/passwords, move to other workstations, repeat and use video and keystroke capturing malware to watch how the user transfers money in third-party systems like SWIFT, SPEI, STAR Network or Navigator.
The ability to access these third-party services means that the hackers can destroy the integrity of account data by temporarily inflating customer balances, which they can then harvest.
The Impact of GDPR on Banking Fraud
It's no wonder we are seeing stringent rules emerge for the monitoring of networks and multi factor authentication (2FA) in the newly published GDPR and US regulations. Hackers are monitoring users, collecting passwords and then accessing payment systems to wire out funds or send payment card data for use in ATM cash-out schemes. Authentication systems that are used to access payment systems should leverage more attributes about the user and apply a real-time score that verifies the identity and correlates any anomalous activity to that of malicious activity.
But even with regulations in place, breach reports cite a lack of controls or technology capable of preventing one or more phases of the attack. A good red team will surface these weaknesses before the bad guys do.
Most people agree that risk transfer via insurance is necessary to account for gaps in security. For example, Brian Krebs recently reported on a bank hack on the National Bank of Blacksburg (NBB). Account balances were increased, credentials stolen with access to the First Data STAR network for ATMs, and a mule cash-out operation successfully yielded $2.4 million over two separate incidents. In another example in May 2016, it is thought that NBB was phished by Russians and $569k was taken from ATMs. Later, in January 2017, an additional $1.8 million was stolen in the same manner.
"Repeat attacks are common and often successful because they know the environment," adds Cylance’s Scheferman. Now two years later, we are learning the details because the insurer is denying coverage. This hack is very similar to the RBS Worldpay incident, when hackers broke encryption on debit cards and used over 2,000 ATM's to cash out $9 million over a single weekend.
Sign of the Changing Times
The National Bank of Blacksburg incident doesn’t read like a garden variety phishing scam. The malware, monitoring, lateral movements and control over financial workstations enabling debit card production (used by money mules) is a persistent sophisticated hack. International cybersecurity expert Bryan Cunningham points to a problem with insurance cover: "There remains vigorous disagreement – and little clear legal precedent – on basic definitions of terms in cyber insurance policies."
And as the cyber insurance market has added new policy forms to cover emerging risks like social engineering, they then exclude those types of attacks from existing policies. "Traditional crime and FI bond policies are designed to cover losses that arise from embezzlement by employees [where] social engineering attacks are made by external actors, not employees," offered David Lewison, co-leader of the AmWINS Financial Services National Practice. And with the new products, "carriers have sublimited social engineering fraud to low levels due to high volume of claims," adds Ryan Gibney at Lockton, the world’s largest privately held independent insurance broker.
NBB had purchased an $8 million Computer & Electronic Crime rider to its financial bond. The CE Rider points to a "loss resulting directly from an unauthorized party acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs [which] causes property to be transferred, paid or delivered..." NBB also purchased a $50,000 Debit Card Rider to cover lost or stolen debit cards that might be used at ATMs.
NBB argues that the primary attack was against the NBB network which enabled the hackers to access the STAR and Navigator systems, change balances, steal account data and ultimately cash out via the ATMs. And, there was an exclusion of coverage for “loss resulting directly or indirectly from the use or purported use, of credit, debit [cards] used in [ATMs]."
So, the Debit Card Rider which specifically names the ATM becomes the operative policy? "We would expect many crime carriers to try and pigeon hole the coverage through a small sublimit that they apply for social engineering fraud due to the phishing email initial access and behind the scenes criminal activities," said Gibney.
I recently spoke with coverage counsel Scott Godes about NBB and his reaction was, "The loss should be seen as within the heart of the coverage of the policy, particularly the crime rider. One would hope that the insurance carrier should carry the burden of proving that a sublimit applies, as a restriction on coverage."
Recurrent Attacks: a Reasonable Expectation?
Based on the bank hacks going back to the RBS Worldpay incident, what happened in Blacksburg seems likely to occur, or 'reasonable' to expect. "Exclusions and limitations on coverage in insurance policies should be read narrowly, and insurance carriers should not be rewarded for reading them broadly", noted Scott N. Godes, a cyber insurance and commercial litigator.
Here, the exclusion seems to swallow the coverage. The insurer is calling this a single incident. "The crime policy is most likely an occurrence-based policy and the bank should not have coverage limited because the event happened multiple times," stated Lockton’s Gibney.
Buying these policies is complex, however. Godes adds that "insurance carriers should sell products with robust coverage, so that policyholders do not fall through hidden trapdoors at the time of a claim." NBB’s position that the ATM cash-out could not have occurred but for the internal hack on their systems has support from a recent federal court decision in the Second Circuit, Medidata Solutions, Inc. v. Federal Insurance Co. In Medidata, Godes noted, the court ruled that the crime insurance policy provides coverage for a fraudulent scheme and wire transfer, even though the insurer claimed it was not a direct loss.
The court rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds. This result is favorable for victims of complex phishing and malware attacks.
For those currently looking for cyber insurance, David Lewison suggested some practical steps to get the right coverage.
· "Work with a broker that specializes in Cyber-liability and Crime/Bond, from the same brokerage;
· Hold an underwriting/broker meeting or conference call so you can ask questions about who has the ball when something bad happens;
· Prior to binding coverage, put both policy forms and all endorsements side by side and verify that the coverage has been assembled as intended;
· It may also be worthwhile for larger insurance buyers to include a claims leader from the insurance company on a call, so you know who you are dealing with at the time of claim."
And, to avoid ending up in court, involve counsel and review your existing and proposed new policies before you buy.