The following is an opinion piece written by Andrew Hodkinson, regional head for Australia & New Zealand at Charles Taylor, Jim Smith, senior engineering & resources adjuster at Charles Taylor and Chris Zietsman, senior liability adjuster at Charles Taylor. The views expressed within the article are not necessarily reflective of those of Insurance Business.
Cyber risks are more apparent today than ever, with companies under constant threat of falling victim to a cyberattack as technology advances at an ever-increasing pace, and this is having a negative impact on the cyber insurance landscape. Defence Connect, an Australian publication, reported that the estimated cost of cyber crime to the Australian economy is a staggering $1 billion annually.
Increased reliance on technology
Businesses and governments are increasingly relying on technology to provide a competitive edge in a global market. This heavy reliance on technology has resulted in an explosion of data being generated. It is estimated that 2.5 million terabytes of data are generated each day, and that 90% of the data in the world has been generated in just the last two years alone. It is further estimated that by 2020 data production will increase by 4300% annually.
Attack frequency is rising, and criminal organisations appear to be well-funded: a new strain of Dharma ransomware, for example, is going undetected by security software. In February 2018, the largest next-generation Distributed Denial of Service (DDoS) attack to date occurred, operating at an unprecedented level of 1.7 terabytes per second.
Responding to cyber risks
Large organisations are aware of the risks associated with this reliance on technology, and they have generally adopted or revised their risk management policies to mitigate these new and evolving risks. It also helps that large organisations usually have the institutional depth in their risk departments to implement policy changes, and the financial capacity to purchase insurance cover against cyber risks.
The situation is somewhat different at small and medium-sized enterprises (SMEs), which have limited resources. As SMEs make greater use of technology in their operations, they find themselves unable to address the associated cyber risks.
In most instances, SMEs do not have a concrete incident response plan in place, and this leaves them in ‘no man’s land’ following a cyberattack. Such attacks could ultimately deal a fatal blow to small organisations.
Limiting exposure to cyberattacks
The true extent of cyber risks has yet to be assessed, let alone managed, but what SMEs can do is limit their exposure to these attacks by having the following in place:
- Staff Computers
  - When using software packages similar to Office 365, activate two-factor authentication
  - Change passwords frequently, using passwords of at least eight characters containing uppercase letters, lowercase letters, numbers and symbols
  - Train staff frequently on recognising phishing emails
- Business Operations
  - Review what type of customer information is being stored on the network and eliminate as much personal information on data subjects as possible that is not required for standard business operations. Storing high-risk information such as credit card details, Tax File Numbers, proof of identity documents and the like should be avoided.
  - Take frequent back-ups of all business information, ideally with back-up drives physically separated from the network. We have seen in recent times ransomware encrypting all data, including backup drives plugged into the network.
  - Have a suitably qualified and vetted vendor undertake a vulnerability assessment of the insured's network and systems.
  - Have a response plan for when the business falls victim to an attack, addressing the following: contain, remediate and restore
The ultimate goal is to make the business a difficult target within a reasonable budget, while mitigating the risk to third parties and ensuring the business is supported by a quality cyber insurance policy that can be called on in the event of the business falling victim to an attack.
Dealing with a cyberattack
When a business suffers a cyberattack, the focus is on gaining an understanding of the business, with the guidance of insurance solutions providers. The insurance solutions provider is therefore at the proverbial coalface, being the first point of contact for an insured following a cyberattack.
The insurance solutions provider, as the incident manager, will identify the nature of the breach and the extent of the crime by extracting information about the affected systems. The types of breach include network intrusions, crypto-lockers, ransomware and social engineering, to name a few. But above all, it is the duty of the incident manager to prevent further escalation of the incident.
Once there is a better understanding of the incident, the focus shifts towards determining whether the breach involves personal or potentially harmful information, which would place the incident in the category of compulsory reporting prescribed by the Privacy Act 1988. This would prompt the incident manager to arrange for the insured to receive appropriate legal advice on how to meet their statutory obligations.
With an understanding of the nature of the breach, the incident manager, together with Lloyd's underwriters and local insurers, and drawing on relevant expertise from leading forensic IT consultants, accountants, solicitors and public relations firms, is responsible for assisting the insured to restore business operations, to minimise the subsequent impact and, where the incident falls within the relevant legislation, to make the compulsory breach notifications. These considerations also require some reflection on the cost implications, which makes the initial information-gathering process critical to the success of the claim.
Looking to the future, the cyber risk insurance market has come a long way. Policies were originally an extension of a D&O (Directors & Officers) type of policy, which focuses primarily on third-party indemnity coverage and defence. They have since developed into standalone policies that provide not only third-party indemnity but also first-party coverage for risks such as regulatory notifications, incident remediation, data restoration, crisis management and public relations. Cyber policies presently operate across several lines, including but not limited to financial lines, casualty and crime.
Cyber insurance is a very young and exciting insurance line when compared to the more traditional lines. Development and advancements are frequent, and as more information is obtained about these attacks, insurers can produce more robust and relevant products.