Business email compromise is often overlooked cyber threat: Guy Carpenter
The past five years saw 550 email compromises affecting clients.
Business Email Compromise (BEC) is a significant yet often underestimated cyber threat that firms must be on the lookout for.
“Cyber threats such as ransomware attacks, zero-day vulnerability exploits, and cloud service provider outages dominate the headlines. The consequences of a successful BEC attack, however, can also be devastating for an organization and create large losses for cyber (re)insurers,” Erica Davis, global co-head of cyber at Guy Carpenter, said in a media release.
“By driving awareness of the right cybersecurity measures, we can collectively improve the resilience of organizations against BEC threats and mitigate its impact on underwriting profitability,” Davis added.
BEC attacks, a sophisticated form of phishing, exploit human vulnerability to deceive employees into fraudulent financial transactions, stated a recent report from Guy Carpenter, in collaboration with Marsh McLennan's Cyber Risk Intelligence Center, “Cyber’s Sleeper Threat: Business Email Compromise.”
Despite its pervasive impact across industries, BEC incidents are not always included in cyber vendor catastrophe models, limiting awareness and preparedness.
Marsh's analysis over five years identified over 550 successful BEC events impacting clients, with losses typically amounting to 0.1% of company revenue—equating to substantial financial setbacks, even for large organisations.
The cyber insurance industry's response has varied, with only a leading vendor explicitly including BEC in its risk models.