News Release

Carbanak Attack Costs Banks $300 million

But will cyber liability insurance policies respond to direct financial loss?

The announcement on 14 Feb 2015 of a sophisticated global cyberattack affecting more than 100 banks in 30 countries has been a shocking wake-up call to institutions and businesses across the globe to get their cyber risk management in order. In particular, ensuring they are appropriately insured in terms of the type of losses their businesses can suffer as a result of a hack is paramount.

Using malicious software that gave them long term access to banking systems, a group of Russians, Chinese and Europeans dubbed "Carbanak" were able to siphon off around $300 million in one of the world's largest bank robberies ever, from banks in Russia, Japan, the Netherlands, Switzerland and the United States. In some cases, the hackers even had direct remote access to the internal ATM networks which they used to remotely withdraw cash.

This incident has highlighted the importance of risk management coupled with properly scoped insurance covers, with many assuming that such a financial loss would be covered under a cyber insurance policy.

Kerry Curtin, Manager: Financial Institutions & Professional Risks at Aon South Africa explains that this type of loss would not fall under a cyber risk policy, but would be catered for under either a Blended Financial Lines Policy which includes computer crime cover as well as fraudulent internet transactions, or a Commercial Crime Policy which also provides computer crime cover.

"The importance of having the right cover in place cannot be emphasized enough. There is still a sense of mystery as to what Cyber Risks policies actually cover and when an incident like this is reported, the assumption is that the loss would be covered under a cyber policy. However this is not the case as cyber policies cover loss of data and security protection specifically," explains Kerry.

"Most cyber policies cover first party costs and any resultant liability arising from a loss of data or a breach of network security – with data being defined as personally identifiable data and corporate information. First party costs include legal services, IT services, data restoration costs, reputational protection, notification costs, credit and ID monitoring, cyber extortion, and the loss of profits following from a network interruption," explains Kerry.

Cyber liability covers damages and defence costs arising from a claim made against the insured in respect of an actual or alleged breach of personal information and corporate information, a security failure, failure to notify or a breach of information holder protocols in respect of the processing of personal or corporate information.

"The loss suffered from the banks in this case however is a tangible financial loss, in other words loss of money in the custody, care and control of the banks, caused by a third party infiltration into the banks computer systems. This type of financial loss, although as a result of cybercrime, is catered for under a Computer Crime Policy. Financial institutions purchase what is known as Blended Financial Lines Policies which include computer crime cover as well as internet transactions. The coverage is also available under a Commercial Crime Policy which covers employee dishonesty and computer crime," explains Kerry.

Computer Crime policies provide coverage in respect of a direct financial loss resulting from computer crime or computer virus damages. Computer Crime is usually defined as the unauthorised introduction of electronic data or electronic computer instructions, the unauthorised modification, corruption or deletion of electronic data or electronic computer instructions and so forth. Computer virus damage means the loss or destruction or amendment of electronic data or electronic computer instructions or the insured having paid or delivered funds upon the reliance of electronic data or electronic computer instructions affected by such malicious electronic instruction.

Regardless of size or status, no business is safe from hackers, unless it includes security as its ultimate priority. There is no one size fits all approach to cyber risk insurance. It all depends on the size of the company, nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in protecting your reputation, data, clients and bottom line," concludes Kerry.

Aon welcomes relevant dialogue and commentary on our thought leadership materials posted to our website. However, we reserve the right to delete any content that is harmful, obscene, or spam before it is published to the site.

If you elect to comment or engage with our content via third-party social media websites, you authorize Aon to have access to certain social media profile information. Please click here to learn more about information that may be collected when using these tools on

All Comments(570)

Open for comments. Sign in or create your Aon South Africa account to join the discussion.
Tom Hatcher 7 Jun 2014 14:58 Comments Policy
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed luctus nulla ac sem viverra, quis adipiscing lectus elementum. Fusce semper bibendum pellentesque.
Sandy Smith 25 May 2014 11:44 Comments Policy
Lorem ipsum dolor et al.
John Smith 12 May 2014 17:09 Comments Policy
Lorem ipsum dolor et al. Lorem ipsum dolor et al. Lorem ipsum dolor et al.
Show all comments...
Previous 1 2 3 4 5 Next

Quick Forms

Contact Me
Compliments & Complaints

Twitter Feed