Companies that want to transfer some of the risk of a breach are increasingly turning to cyber insurance. As this story from Krebs on Security shows, they're not always getting what they think they're paying for.

The short version of the story is that a forged email, claiming to be from the CEO, convinced someone in accounting to wire a bunch of money to fraudsters. That money isn't coming back and the insurance company doesn't want to pay out. This is certainly not the first company to get rolled by this scam and their loss is minuscule compared to some others. This type of attack is known as "Business Email Compromise" (BEC) or simply "CEO Fraud".

There are lessons to be learned here. We don't know the inner workings of this particular company, but many businesses tend to treat any risk that has anything remotely to do with computers as an IT problem and/or buy a "cyber" insurance policy if they can't stomach the cost of improving their own systems and processes. This creates two problems: one in preventing this type of scam, and one in dealing with the consequences.

Pushing security responsibility down to IT will always expose organizations to attacks like this one, where the technology merely facilitates the attack rather than being the direct attack vector. Computers may have been used to send the email and transfer the money, but this breach, if we can call it that, was fundamentally a failure of people and processes rather than anything technological, and I would be hard pressed to call it a cyber attack. There is no technical solution for spear-phishing, and IT personnel rarely have the knowledge or the authority to implement the organization-wide process controls (such as mandatory out-of-band verification of payment requests) that would be a more appropriate defense against this type of attack. To be effective, real security responsibility belongs at the executive level, where policy and process changes can be implemented, with IT playing only a part in the overall risk management strategy.

Insurance policies are also not a license to be reckless, and we are well past the point where blindly trusting an email can be considered anything other than reckless. It shouldn't be surprising that insurance policies are written to avoid covering high-impact scenarios that could easily have been prevented, like someone willingly sending a large amount of money without any secondary verification. Businesses should be aware of this type of attack by now and should have implemented proper financial controls around large transactions. As the insurance company in this case is pointing out, there is a big difference between falling for a convincingly forged financial document and falling for a sketchy email purporting to be from an executive.

A smart business will implement a security program that includes both technological and process controls to prevent breaches, and will treat an insurance policy only as a supplement to its own solid, risk-based security program, not as a replacement for it.