What can insurers do in the fight against cybercrime?
Digitalisation is both a blessing and a curse. While we all love the simplicity of having products and services a click away, we forget that a simple click relies on complex IT solutions. Like any sophisticated system, these IT solutions are imperfect and have pitfalls that can be exploited by those who don't mind breaking the law. Here we take a real-world case and outline what companies and insurers can do to avoid becoming victims. By Dmitry Pikalov, Senior Specialist at IA Group.
Over the past two decades, we have become dependent on the internet. Unfortunately, security has not received sufficient attention: information has been shared without hesitation and without an assessment of risks and consequences, which makes things easy for cybercriminals.
According to a survey by PwC, cybercrime accounts for over 35% of all the crimes committed against companies and organisations.[1] The World Bank, meanwhile, expects approximately $5.2 trillion in global value to be at risk between 2019 and 2023.[2] Further, Ivana Vojinovic, Editor-in-Chief of DataProt.net, predicts that by 2027 companies will spend $10 billion a year on employee cybersecurity training.[3]
IA Group has first-hand experience with the impact of cyber fraud on international trade. While each case is different, there are commonalities. For instance: (i) weaknesses in internal business processes, (ii) vulnerabilities in IT systems, and (iii) human error.
While the first line of responsibility lies with companies and organisations, as a provider of investigation and debt collection services, IA Group understands this must be a joint effort where credit insurers and policyholders work together.
A nasty surprise for the holidays
What follows is a real-world case. After describing it, we'll share ideas on what credit insurers can do to prevent their clients from being robbed in cyberspace.
Seller Ltd had been trading with Buyer Srl since 2015. Seller Ltd supplied raw materials from China to Buyer Srl based in Italy. Following the General Supply Agreement, monthly shipments with quarterly payments were agreed upon. In addition, Seller Ltd had a credit insurance policy covering each shipment, so Seller Ltd had no problem agreeing to payment after receipt.
Overall, the trade relationship had worked like a well-oiled machine, until Buyer Srl couldn't pay due to the pandemic. Because of the good commercial relationship between the parties, Seller Ltd agreed to continue shipping goods while Buyer Srl agreed to pay Seller Ltd $1,150,000 by December 2020.
Fast forward to November 2020. Ms Maria (purchase manager at Buyer Srl) confirms to Mr Zhang (sales manager at Seller Ltd) that the agreed payment has been scheduled. Maria also mentions that she will be on vacation and that her colleague Mr Alessandro will follow up.
During Maria's absence, Alessandro receives an email seemingly from Zhang. The email includes Seller Ltd's new bank account in Hong Kong and a request to remit the payment to this account. With accounting's green light, Alessandro hits ‘reply’, confirms that the payment can be made to Hong Kong, and requests a picture of Zhang holding a piece of paper bearing the new account details. This email is sent to zhang@seller.co.cn.
On the same day the photograph is received, Buyer Srl remits $1,150,000 to the bank account in Hong Kong. Alessandro creates a new email and sends a SWIFT reference to Zhang at zhang@seller.co.cn. The next day, Christmas Day, Zhang emails Alessandro to inform him that Seller Ltd does not have an account in Hong Kong. By then, neither Maria nor Alessandro is in the office.
Maria and Alessandro had a rough start to the year. By the time they see Zhang's email, the money is long gone. They have been victims of cybercrime.
Both companies conducted investigations and, luckily, Buyer Srl had insurance for losses arising from cybercrime. However, as it was not possible to pinpoint which party was responsible for the breach, the insurance company found that both were equally responsible and agreed to compensate 50% of the loss to Buyer Srl.
What could they have done differently?
While we cannot imagine this happening to us, the reality is that it can happen to anyone. Cybercrime is increasing dramatically, and it is crucial that everyone at all levels of society is aware of the risks.
Here are some ways in which credit insurance companies can play a crucial role in preventing their clients from becoming victims of cybercrime:
- Train your clients' employees (and your own if you haven't already done so) about the risks of cybercrime and the simple steps you can take to reduce the risk. For example:
  - Type email addresses manually for important emails rather than using the "reply" and "reply to all" buttons.
  - Turn off the autocomplete function for email addresses.
  - Add a disclaimer to all emails informing the recipient that the sender never announces changes to their bank account details via email.
  - Stipulate in all commercial contracts that bank account details can only be changed by signing an additional agreement or through certain formalities.
  - Use certified digital signatures instead of (or in addition to) scanned copies of signatures/stamps.
- Verify that the insured has internal policies or guidelines regarding cybersecurity.
- Request the insured to have internal processes in place, such as:
  - Clear communication channels, especially for payments.
  - Processes outlining what to do during busy periods and holiday seasons.
- Add clauses regarding cybercrime to the insurance policy.
The takeaway
Evolving as quickly as the internet itself, cybercrime is already affecting millions of businesses around the world. Awareness and secure digital infrastructure are key to stopping and eventually reversing the trend. Credit insurers can play a significant role in making this happen, as it is in their own interest as insurers and in the interest of their clients.
[1] https://www.pwc.com/gx/en/forensics/gecsm-2022/pdf/PwC%E2%80%99s-Global-Economic-Crime-and-Fraud-Survey-2022.pdf
[2] https://www.worldbank.org/en/programs/cybersecurity-trust-fund/overview#::text=To%20give%20a%20rough%20idea,%2453%20billion%20in%20economic%20losses.
[3] This compares with the $1 billion spent in 2014. ‘More than 70 Cybercrime Statistics - A $6 Trillion Problem’, Ivana Vojinovic, July 8, 2022, https://dataprot.net/statistics/cybercrime-statistics/