How can insurers control cyber claims costs?

"Most people have no idea," says cyber forensics expert

How can insurers control cyber claims costs?


By Daniel Wood

“When an incident occurs, most people have no idea who they need involved, why they need to be involved and what support those parties can offer,” said Lucas Bressanutti (pictured above).

The financial and forensic accountant is with the cyber team for global claims management provider Crawford & Company Australia. He recently presented a webinar: “Navigating the minefield of a cyber claim.”

IB listened in for what turned out to be a compelling session. The presentation detailed how Crawford goes into action for an insurer when an attack on a client occurs. More broadly, the presentation suggested how insurers and brokers should be risk managing and mitigating cyber threats.

“We're trying to look at it from a point of view of mitigating the financial exposure that's tied to the insurance policy,” Bressanutti said. “But also making sure that the business, their systems, their data, and their applications are all protected and being restored, or, rebuilt in the most efficient and proficient way possible.”

Cyber incidents: Time is critical

Crawford’s cyber attack response team, he said, works on a 48-hour timeline.

“Time is critical when it comes to cyber incidents,” Bressanutti said. “One hour can be the difference between an entire system compromised and maybe one server being compromised.”

Ideally, he said, the cyber incident is under control and recovery is underway in much less time.

“Normally, if a claim or a call comes through [reporting a cyber attack], we're jumping on that immediately and looking to engage whoever needs to be engaged within, hopefully 30 minutes, or as quickly as possible,” he said.

Next, he said, comes the investigation and attack containment “as promptly as possible.”

“Then figuring out where the timeline of this incident is going to take the next day, the next week, the next two weeks, the next month – whatever it happens to be, because all cyber claims have different complexities involved,” he said.

Cyber Event Life Cycle

Bressanutti brought up a slide called “The Cyber Event Life Cycle,” dividing the life of cyber attack into six stages:

  1. Preparation
  2. Detection
  3. Containment
  4. Investigation
  5. Remediation
  6. Recovery

The next part of the presentation was likely of particular interest to brokers trying to understand what their clients could actually claim under a cyber policy.

What can be claimed after a cyber attack?

The cyber forensics expert broke down the different types of costs that he said “normally get claimed” after a ransomware attack. He added that a ransomware attack “is a very expensive claim for insurance, especially when it's a successful ransomware attack.”

“You'll have, at a minimum, forensic IT costs to investigate how the threat actor actually got into the system,” Bressanutti said.

The second item usually covered is legal costs.

“Most ransomware attacks also include a bit of a data extraction and obviously that gives rise to legal implications requiring notification of the regulatory bodies, as well as the individuals that have been impacted,” he said.

Public relations issues, he said, could also be an impact.

“Depending on how big the business is there's always that potential that stakeholders to the general public will be quite unhappy with what's happened,” Bressanutti said. “So we have to consider those services as well.”

What he called “specialty IT costs” are another item on the possible claims list.

“With a ransomware attack, sometimes the threat actor is able to conceal what they've done in the system,” Bressanutti said. “Maybe they've been in it for four or five months and there might not be logs available for that extended duration.”

He said this limits investigators in terms of what they can review.

“In those circumstances, we look to potentially the engagement of a dark web monitoring service, or potentially even a ransom negotiator,” Bressanutti said.

Restoration costs could come next.

“If the backups aren't sufficient, or we're missing a week, two weeks, or a month of data, then you're going to have to restore that information and that’s going to come at a cost,” he said.

Finally, the last element of the costs is usually the business interruption component.

“Obviously, the third-party exposure is always there but ideally, in a preferred and ideal approach to dealing with a ransomware attack, we should be able to mitigate any third-party exposure through the resources of legal support as well as public relations support,” Bressanutti said.

Which cyber attacks are on the rise?

Bressanutti also noted the types of cyber attacks that are on the rise in Australia.

Unsurprisingly, this included ransomware. The cyber specialist said Australia is “definitely seeing a rise” in these attacks. He also mentioned system breaches, zero day exploits (code vulnerabilities unknown to software vendors), email compromise and social engineering.

Social engineering is probably better known as a term for how dictatorial regimes mould the psychology of their citizens to suit political ends. Today, it also refers to a type of cyber attack that psychologically manipulates human behaviour to access sensitive data.

Bressanutti suggested that in Australia this is the most common form of cyber attack.

“More commonly, we're seeing social engineering being quite successful in being able to divert funds from business bank accounts,” he said.

What don’t you understand about cyber insurance policies? Please tell us below.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!