Cyber crime is rarely far from the headlines these days. From the alleged Russian state-sponsored attack on the U.S. Democratic party, to the attack on the U.K. telecoms giant, Talk Talk, the number of incidents is clearly on the increase and the perpetrators are employing increasingly sophisticated methods to commit them. Let’s take a high-level look at the basics of cyber incidents and the things employers must be mindful of when addressing their risk.
What types of attacks do we commonly see?
Common attacks seen by personal, small to medium enterprise and corporate customers can be summarized as follows:
Ransomware – an attack whereby a customer’s data is encrypted resulting in the data becoming unusable. The criminals then leave details of how to pay a ransom to release the data, usually via Bitcoin or another digital currency.
Malware – software specifically designed to disrupt, damage or gain unauthorized access to a computer system. Malware can be used to steal personal information or covertly monitor network operations.
Data theft – the act of exfiltrating digital information with the intent of compromising privacy or obtaining confidential information. Data theft is an increasing problem for small to medium enterprises.
There are more and more instances of these attacks being perpetrated by organized criminal gangs who convert the data/information they take from victims for the purposes of their own financial gain. This affects how the wider insurance market responds to customers where coverage exists to meet a quantified liability.
Insurance coverage: does it exist for these attacks?
For certain types of claims under traditional policies, the simple answer has been ‘no’. To the ultimate customers, the broker and the policyholder, this often comes as a surprise.
This is a new and emerging threat that not all those involved in arranging the customer’s coverage are aware of. This becomes evident when we’re asked to investigate whether liability rests under a particular policy or coverage.
Traditional computer policies are based on a tangible damage trigger. In some cyber incidents, such as denial of service attacks or some instances of infection by malware, this can cause real issues. For example, in denial of service attacks the network is blocked, which is highly problematic for online retailers. But as there’s no equipment damage, the trigger for the material damage and associated business interruption policy isn’t activated. With some instances of infection by malware, traditional policies only cover the cost of removing that malware. If the systems themselves aren’t damaged, the customer can find themselves in a position where the policy doesn’t engage as they would expect it to.
With the average cost of repairs to compromised networks running into tens of thousands of dollars and ransoms being presented at several thousand, it’s easy to see why some are tempted to pay the ransoms. The key issue here is that paying a ransom doesn’t guarantee that criminals will unlock encrypted data. Ransom payments also often fund development of the next generation of malware, with criminals selling on details of parties that are prepared to pay up. If the market decides to increase premiums or applies terms to policyholders that have historically paid ransoms or insurers that have facilitated them, the industry may need to make a U-turn on giving the perpetrators what they want.
Cyber attacks are at the cutting edge of modern organized financial crime. They’re often perpetrated by organized criminals who seek personal data that has a re-sale value or the means to extort funds.
It’s important for all claims handlers and brokers involved in cyber losses arising from ransomware and malware attacks to be aware that any decision to pay a ransom isn’t only morally wrong, but also potentially a breach of the regulatory framework around financial crime. Certainly, payment of the ransom demand by any web currency only serves to fund further attacks and financial crime.
Our view is: if the policy is liable then any indemnity arising from a ransomware attack should be dealt with on the basis of reinstating the network/data as determined by the policy coverage rather than meeting the demand and paying the ransom – even if the indemnity could end up costing more and the repair work taking longer to complete. It’s this scenario that is the most challenging for claims handlers and brokers alike.
The ultimate question is, do you stick or twist? Stick with the sometimes costlier and longer approach to resolve the claim, or twist and pay the ransom? For us there’s only one viable option. Paying the ransom is:
- Morally wrong
- Helps fund further attacks
- Helps fund financial crime
- Increases the likelihood of further attacks to the business
- Goes against the principles of the regulatory framework around financial crime
At Sedgwick, we recognize this growing risk for clients and their customers and in response we’ve developed holistic cyber capabilities for investigating cause and determining liability, business mitigation and recovery.
For more information on how we might be able to help you or your clients, please contact us.