Cyber-related crimes are significant and growing fast, and investors and startups are exposed. What is not often publicized is that SMBs (small and medium-sized businesses) are prime targets, and that data breach is not the most significant exposure.
Venture capital funds (VC funds), angel investors and startups fall into the target category and should be cognizant of cyber crime exposures and the preventive steps available. VC funds, angel investors and startups are all actively involved in capital raises, and most of these transactions involve wire transfers, prime targets for cyber criminals.
Keep in mind that IT security is very important, but that people are the primary vulnerability. Criminals gain access to user credentials (user names & passwords) primarily through phishing emails, using what is called social engineering fraud (SEF, see here). SEF involves deceiving users into doing something that criminals can take advantage of, like clicking on a link or opening an attachment. It sounds simple to prevent, but some criminals have taken this to a new level. The best phishing emails are extremely well constructed and are very difficult, sometimes impossible, to detect as fraudulent.
The result can be a theft of money, including significant amounts, or other forms of crime such as ransomware. Accurate numbers are very hard to come by, but SMB Cyber Risk insurance incidents have run approximately 20% data breach, 30% theft of money and 30% ransomware over the last few years (very rough). However, ransomware attacks have been on the increase and may be running close to 50% now, with theft of money a close second, which doesn’t leave much for data breach.
There are three primary cyber exposures these days: theft of money, ransomware and data breach.
Theft of Money – Cybercrime
Stealing money using technology has many variations, and many names as well. Some of the terms you might have heard include BEC (business email compromise), social engineering fraud (SEF – see here), wire transfer fraud and consumer phishing. You will also have heard of phishing, which is often a key element in these scams.
Criminals have developed a variety of methods for stealing money directly from victims using deception to gain access. The most common, and often most effective, method is simply deceiving the victim into sending money to the criminal – called social engineering fraud (SEF, noted above, see here, and also here, here).
For example, a criminal might gain access to a victim's email through an effective phishing email and then monitor emails to find an opportunity. If the victim is buying a house and receives wire transfer instructions, the criminal may send an email noting that there was an error in the instructions, and substitute alternative instructions instead. Typically the victim will send the wire transfer based on the new, false instructions and the funds will disappear, to the criminal’s benefit. A New York judge lost $1.0 million in a similar fraudulent phishing scheme (see here).
Imagine if this were your VC fund or startup, and one of your key investors wired funds to the wrong place (the criminal) based on instructions in an email that appeared to be from you.
Some attacks are more sophisticated, targeted and effective:
- A cyber crime attack on a family recreational facility is a prime example of how effective and devastating a targeted attack against a small business can be (see here).
- A sophisticated attack against an investment fund service company was effective because the service company did not pay attention or follow basic procedures (see here, here), and resulted in a devastating loss for a client hedge fund and a difficult lawsuit.
- Payroll processing cybercrime is another variation, although the returns for criminals seem modest and this approach has not taken off (see here).
- Bank account takeover, where a criminal steals the victim's bank account user name/password, is an older attack vector that has declined in use, likely due to increased security monitoring by banks (see here).
- A tech-enabled variation on invoice fraud, an old scam, can also be effective. For example, a criminal may gain access to a corporate email account, monitor the emails, then send a fake invoice with altered payment instructions. A real-life situation: A client of a chemical distributor received an invoice for $120,000, not out of the ordinary, and paid it based on new payment instructions. Unfortunately, the distributor did not send the invoice and the funds were lost to a criminal.
Ransomware has been around for quite a while, but has gotten more sophisticated, targeted and expensive (see here, here, here). While an extortion payment for a ransomware attack might be relatively insignificant, an effective attack can completely shut down a business and the business interruption losses can be significant.
The recent spate of ransomware attacks against municipalities has been effective and costly, and is a good example of the impact of ransomware (see here). Baltimore suffered a massive ransomware attack (see here) and refused to pay the (reported) $75,000 demand, resulting in significant business interruption losses.
Data breach has traditionally gotten the most attention because the biggest breaches are massive and impact the largest companies (think Equifax, Anthem, Target). But SMBs are victims as well. All states now have data breach laws, and compliance with these laws can be expensive even for a small breach (see here).
In addition, some states have passed laws that are specific to insurance organizations. For example, New York has a comprehensive (and onerous) set of regulations, and compliance applies to all companies and individuals with insurance licenses in New York (including non-residents, see here). For example, an individual agent with a non-resident insurance license in New York is required to comply.
Protections – What can you do:
There is plenty of risk management information and resources available (see here, here) – the problem is that developing a plan can be time-consuming. Recalling that people are the primary vulnerability, suggested steps can include:
- Awareness training – for all employees
- Phone confirmation of wire transfer instructions
- Outsource functions, such as responsibility for execution of funding during a raise
- Notices to clients, vendors & investors – warning of cybercrime potential
- Strong IT security
- Cyber Risk Insurance
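The phone confirmation step can be built into the payment workflow so that any wire whose bank details differ from the record on file is held until someone calls the number already on file. The following is an added example, not part of the original article; the payee name, account values, phone number and the names Payee, WireRequest and review are all constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Payee:
    """Known-good record captured at onboarding (all values below are constructed)."""
    name: str
    account: str
    routing: str
    phone_on_file: str  # never taken from the message that requests a change

@dataclass(frozen=True)
class WireRequest:
    payee: str
    account: str
    routing: str
    amount: float
    callback_confirmed: bool = False  # set only after a call to phone_on_file

def _norm(value: str) -> str:
    """Ignore spacing, dashes and case so formatting alone cannot hide or fake a change."""
    return "".join(ch for ch in value if ch.isalnum()).upper()

def review(request: WireRequest, payees: dict) -> tuple:
    """Return (decision, reasons), where decision is 'release' or 'hold'."""
    record = payees.get(request.payee.strip().lower())
    if record is None:
        return "hold", ["payee not on file: onboard before paying"]
    reasons = []
    if _norm(request.account) != _norm(record.account):
        reasons.append("account number differs from record on file")
    if _norm(request.routing) != _norm(record.routing):
        reasons.append("routing number differs from record on file")
    if not reasons:
        return "release", []
    if request.callback_confirmed:
        return "release", reasons + [f"change confirmed by call to {record.phone_on_file}"]
    return "hold", reasons + [f"call {record.phone_on_file} before releasing"]

# Hypothetical vendor master record, keyed by lower-cased name.
PAYEES = {"acme chemical distribution": Payee(
    "Acme Chemical Distribution", "0001-2345-6789", "000000001", "+1-555-0100")}

# Constructed requests modelled on the invoice example: usual amount, new bank details.
ALTERED = WireRequest("Acme Chemical Distribution", "9998887776", "000000002", 120_000.00)
GENUINE = WireRequest("ACME Chemical Distribution ", "000123456789", "000000001", 120_000.00)

if __name__ == "__main__":
    for req in (GENUINE, ALTERED, replace(ALTERED, callback_confirmed=True)):
        print(req.amount, *review(req, PAYEES))
```

The amount plays no part in the decision: as in the invoice example, a fraudulent request is usually for an ordinary sum, so the changed bank details are the signal.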
Risk management approaches are critically important, but do not seem to be able to keep up with the criminals and state actors. Cyber Risk Insurance is inexpensive and an important component of any risk management strategy. Policy forms vary widely, so make sure you work with an expert, and that coverage is comprehensive. For example, it should include coverage for fraudulent funds transfer and business interruption.
VC funds, angel investors and startups must be cognizant of their cybercrime exposures and the preventive steps available, particularly those related to fund transfers.
Innovate Insurance – Innovation & Entrepreneurship in Insurance