The last thing you want is to have your business disrupted by a cybersecurity failure. Nobody expects to be the victim of a ransomware attack, funds transfer loss, or data breach. But, once a cyber incident occurs, it’s important to know you have a team of experts ready to help you figure out what happened — and what happens next. This series shares real stories from Coalition policyholders who navigated a cyber insurance claim. The organizations will remain anonymous to protect their privacy and security.
Today, organizations are connected like never before: a significant amount of both work and commerce takes place online, and business needs from IT, to storage, to staffing are outsourced to trusted third-party vendors. As a result, organizations accept all kinds of digital risks as part of their daily operations. Of course, we already know that cyber incidents can prove devastating to business operations, but what impact can they have on business relationships?
In early October, a manufacturing company received an invoice from their staffing firm. The accounts payable department transferred the $207k payment, sensing nothing out of the ordinary, only to be surprised when the staffing firm reached out to check on the status of their late payment. Realizing that they had sent a fraudulent payment, the manufacturing company reached out to Coalition.
When our Claims team responded to the incident, they knew a funds transfer fraud (FTF) incident had taken place, and they would need to act quickly if there was any hope of clawing back the funds. Funds transfer fraud (FTF) is one of the easiest ways for attackers to monetize cyber crime, and FTF events have increased in both frequency and severity over the last year. During the first half of 2021, funds transfer fraud was the second most common incident type — a 28% increase.
A quick and successful clawback
Attempting to claw back funds is a time-sensitive process: we are more likely to recover funds within 48-72 hours of the transfer. We immediately filed an IC3 report with the FBI and put an interbank agreement in place to freeze the funds. Thankfully, both banks were domiciled in the United States and we were able to claw back all $207k.
Recovering funds may seem like the end of the incident, but it’s critical to address the underlying cause of the fraudulent transfer. In this matter, digital investigations revealed no signs of a threat actor in the manufacturing company's network, leading Coalition Incident Response (CIR) to suspect the staffing firm was the source of the compromise.
A surprising root cause for the incident
As it turned out, the staffing firm had been compromised by a business email compromise (BEC). BEC can lead to a wide array of losses — in 2020, 41% of BEC attacks evolved into an FTF incident resulting in the direct loss of funds. In this case, the attacker compromised the staffing firm and changed the banking information in their payment invoices. Unexpectedly, both the manufacturing company and the staffing firm were Coalition policyholders.
As happens in the insurance industry, we were ultimately noticed by the staffing firm, as they too were a Coalition insured. With that information, our claims team worked to keep an ethical wall in place to protect both companies' privacy. CIR worked to remove the threat actor from the staffing firm’s network and ensure no sensitive data was compromised.
We also worked to ensure that the relationship between the two policyholders was preserved through the resolution process. Due to the hybrid work environment brought on by the COVID-19 pandemic, many organizations have found there are fewer vendors available. Thus, when a policyholder experiences a claim, preserving the relationship with their vendor is often as critical as resolving the claim itself.
How to recover — speed is essential
Funds transfer fraud losses can be devastating for any business, but there are steps your organization can take in the event of a fraudulent transfer. We recommend policyholders take immediate action to maximize their chances of recovery.
Notify Coalition’s claims team of the loss as soon as possible, ideally within 72 hours of the transfer.
Immediately notify your bank of the fraudulent transfer, and request a clawback of the funds.
File a report with the FBI at IC3.gov.
File a report with your local police department.
Repeatedly inquire with your bank and the receiving bank on the status of the recovery.
Additionally, we recommend implementing multi-factor authentication (MFA) to reduce the risk of a BEC attack and a cybersecurity education program to enable employees to recognize and report potential email compromise attacks.
Protect your business: Get insured
Cyber insurance is a key factor in addressing and mitigating these new and ever-increasing cyber risks, and can really save your business time and money if it’s ever the target of a cyber attack.
Coalition offers a wealth of resources to help businesses implement good cybersecurity practices, including our Cybersecurity Guide, which outlines the key tenets of a cybersecurity program — a critical factor in reducing your organization’s cyber risk.
For questions about Coalition’s claims process, or to be connected to a broker, reach out to our team.