As a major cyber risk insurer that helps our insureds find and retain various third-party cyber security
service providers, we are in an opportune position to add our voice to this chorus in affirming the validity
of these findings. The Chubb Cyber IndexSM, which tallies cyber-related insurance claims filed by our
policyholders, indicates (as of this moment) that the records of 593,225,691 of our insureds have been
exposed during the past 20 years. It’s not surprising that during the past three years, social threats, which
include phishing, have been a top action causing cyber incidents. In just 2019 alone, for example, social
threats accounted for 31% of actions that caused a cyber incident, versus 20% for human error and 18%
for hacking, according to Chubb data.
Human Behaviors and Other Frailties
Phishing is often used as a primary attack method because it is relatively easy to create legitimate-looking
emails and texts, and to send those messages to trusting, unsuspecting recipients. To paraphrase bank
robber Willie Sutton, who robbed banks because “that’s where the money was,” hackers deploy phishing
scams because that’s where the “phish” are—“phish” referring to individuals who take the bait and believe
that a fraudulent email or text is legitimate.
With regard to texts, a growing number of studies indicate that phishing also occurs, and at a rapid pace,
on mobile devices. Many people tend to have more faith in the validity of texts than in emails.
However, the problem is that mobile devices, such as smartphones, are generally connected outside
company firewalls and lack endpoint security.
It’s easy to blame everyday people for phishing’s alarming success rate, but the truth is more nuanced.
Companies, and in particular their information security organizations, bear the burden of responsibly
training employees, not just to identify a possible phishing attack, but also to report any potential evidence
immediately. Simply deleting a suspicious email will not thwart the next phishing attack or do much to
curtail this preferred hacking practice.
Incident reporting is a crucial component of cyber risk management. Our analysis of recent cyber-related
claims indicates that nearly 40% of policyholders who called our hotline to report evidence of a cyber
event, like phishing, ultimately were able to avoid additional losses when they filed a claim. This is
because these insureds activated the available third-party incident response services to counter the
situation and mitigate the outcome.