orangeblock
Menu

Carbanak attack costs banks $300 million

10 March 2015 | Non-life | General | Kerry Curtin, Aon

Kerry Curtin, Manager: Financial Institutions & Professional Risks at Aon South Africa.

But will cyber liability insurance policies respond to direct financial loss?

The Feb news headlines of a sophisticated global cyberattack affecting more than 100 banks in 30 countries has been a shocking wake-up call to institutions and businesses across the globe to get their cyber risk management in order. In particular, ensuring they are appropriately insured in terms of the type of losses their businesses can suffer as a result of a hack is paramount.

Using malicious software that gave them long term access to banking systems, a group of Russians, Chinese and Europeans dubbed “Carbanak” were able to siphon off around $300 million in one of the world's largest bank robberies ever, from banks in Russia, Japan, the Netherlands, Switzerland and the United States. In some cases, the hackers even had direct remote access to the internal ATM networks which they used to remotely withdraw cash.

This incident has highlighted the importance of risk management coupled with properly scoped insurance covers, with many assuming that such a financial loss would be covered under a cyber insurance policy.

Kerry Curtin, Manager: Financial Institutions & Professional Risks at Aon South Africa explains that this type of loss would not fall under a cyber risk policy, but would be catered for under either a Blended Financial Lines Policy which includes computer crime cover as well as fraudulent internet transactions, or a Commercial Crime Policy which also provides computer crime cover.

“The importance of having the right cover in place cannot be emphasized enough. There is still a sense of mystery as to what Cyber Risks policies actually cover and when an incident like this is reported, the assumption is that the loss would be covered under a cyber policy. However this is not the case as cyber policies cover loss of data and security protection specifically,” explains Kerry.

“Most cyber policies cover first party costs and any resultant liability arising from a loss of data or a breach of network security – with data being defined as personally identifiable data and corporate information. First party costs include legal services, IT services, data restoration costs, reputational protection, notification costs, credit and ID monitoring, cyber extortion, and the loss of profits following from a network interruption,” explains Kerry.

Cyber liability covers damages and defence costs arising from a claim made against the insured in respect of an actual or alleged breach of personal information and corporate information, a security failure, failure to notify or a breach of information holder protocols in respect of the processing of personal or corporate information.

“The loss suffered from the banks in this case however is a tangible financial loss, in other words loss of money in the custody, care and control of the banks, caused by a third party infiltration into the banks computer systems. This type of financial loss, although as a result of cybercrime, is catered for under a Computer Crime Policy. Financial institutions purchase what is known as Blended Financial Lines Policies which include computer crime cover as well as internet transactions. The coverage is also available under a Commercial Crime Policy which covers employee dishonesty and computer crime,” explains Kerry.

Computer Crime policies provide coverage in respect of a direct financial loss resulting from computer crime or computer virus damages. Computer Crime is usually defined as the unauthorised introduction of electronic data or electronic computer instructions, the unauthorised modification, corruption or deletion of electronic data or electronic computer instructions and so forth. Computer virus damage means the loss or destruction or amendment of electronic data or electronic computer instructions or the insured having paid or delivered funds upon the reliance of electronic data or electronic computer instructions affected by such malicious electronic instruction.

Regardless of size or status, no business is safe from hackers, unless it includes security as its ultimate priority. There is no one size fits all approach to cyber risk insurance. It all depends on the size of the company, nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in protecting your reputation, data, clients and bottom line,” concludes Kerry.

 

Carbanak attack costs banks $300 million
quick poll
Question

If you had to hazard a guess, when do you reckon the COFI Bill will be signed into law?

Answer
View the Results arrow
FAnews April 2026
THE LATEST EDITION FANEWS MAGAZINE
  • Geopolitical risk: the rising threat to global trade and insurance markets
  • The regulatory tightrope: achieving consumer protection without overregulation
  • Liability disclaimers and consumer protection: key lessons from recent case law
  • From promise to payout: the real test for employee benefits
  • Retirement planning: when the maths doesn’t math
Products & Services
Useful Links
Important Links
Jobs

© FAnews | Privacy Policy | Site Map | Website Design by Online Innovations