Major hack highlights new side to cyber risk

Major hack highlights new side to cyber risk | Insurance Business Australia

The branch of a multi-national business based in Brisbane has been the target of an online attack with extortion playing a key role.

The unnamed business was the target of a ransom-style attack, where records and computers were frozen until a ransom was paid, but upon payment the attackers began targeting the family of a senior executive, The Guardian reports.

The ransom, which is believed to have been thousands of dollars’ worth of the online currency bitcoin, was paid out after an initial attack earlier in the year, but the company refused a larger ransom and the attackers then began to target the children of one senior executive.

“This was a very serious attack on an organisation and quite traumatic for the business, the victim and his family,” Queensland police acting assistant commissioner Brian Hay said.

The extortion element of the attack highlights a key aspect of cyber coverage that many may not think of but one that is part of the new cyber landscape.

Michael Gonos, Gratex International’s director of IT & infrastructure services, noted that any company that falls victim to an attack like this should seek help immediately and brokers can play a key role.

“Any organisation or individual affected by any form of extortion should seek professional help from an organisation or a government body that can properly assess risks related to ransom and take necessary steps and actions to minimise extortion recurrence,” Gonos told Insurance Business.

“The broker should seek the help of an organisation specialising in IT security forensics to identify and block attack vectors and analyse type of data affected by the theft to identify the impact on business operation and privacy breach.”

Gonos believes that this style of attack will continue to gain a hold in the Australian and global market, and that businesses of all types must be aware of the extortion threat which surrounds cyber risk.

“The ransom-ware is increasingly popular in different forms such as malware affecting access to information systems or, more commonly, in preventing access to files by encrypting them.

“From another point of view, any successful security attack resulting in a data breach has the potential to become an extortion with ransom which is a worrying factor.

“Attackers will be targeting systems and organisations processing information that can be easily exploited to gain a financial benefit for an attacker.”

Neil Fergus, chief executive of Intelligent Risks, a leading specialist management services company which deals with crisis management, noted that “every medium and large sized business in Australia should have an insurance policy that provides it with cover for extortion, and preferably provides access to skilled and experienced crisis management responders.”

Fergus added that companies attacked like this should be in no rush to pay a ransom but should be in touch with their broker or insurer immediately.

“In the event of an extortion threat being received by a company the first step is to immediately notify the broker and insurer and have the crisis management specialists activated to assist,” Fergus said.

“No company should rush to pay an extortion demand. 

“Not only is it likely to result in further demands for additional payments by the perpetrators, in some cases it is illegal (depending on the jurisdiction the event occurs in) and in some circumstances it could place a company in potential breach of the extra-territorial provisions of the UK Bribery Act,” Fergus warned.

“However in certain circumstances, in close collaboration with police investigators, what we term a ‘controlled’ extortion payment might be made to the perpetrator or perpetrators as a tactic to identify and apprehend them.”

Fergus warned that without a plan in place and the appropriate insurance, the costs of extortion can be astronomical.

“In the numerous extortion cases that we’ve assisted client companies to resolve it is undoubtedly the situation that the costs and damage associated with a case are significantly larger when a company has not considered fully its potential crisis management exposures and has not taken out appropriate insurances or ensured specialist capabilities will be available to assist it mitigate the risks.   

“The indirect costs to a company, including damage to reputation and brand and even share price, can be dramatically more expensive than the costs associated with directly managing the extortion event.”