Cyber-attack – the heart attack of the companies


From a cyber perspective, there are only two types of companies: Those that have been hacked and those that will be hacked.

When an agricultural producer is hit by a ransomware attack, its business comes close to collapse. The last two years will forever be remembered as the years hardest hit by the global COVID-19 pandemic. But this period has also brought us other threats, namely a digital pandemic in the form of a surge in ransomware cyber-attacks.

What is Ransomware?

It was an ordinary morning for the agricultural company, one of the main dairy producers in the region. The director arrived, as usual, some time before the workers came to the factory, turned on his business laptop and noticed a disturbing message: “You are under a ransomware attack, please follow the link for further steps.”

Ransomware is a type of malicious software, placed by an attacker, that encrypts data on a network. To regain access to the data, the victim is asked to pay a ransom in exchange for a decryption key. Research by Coveware shows that a minority of the companies that choose to pay the ransom end up being forced to make additional payments or never regain access to their data.

Ransomware attacks have been one of the most common threats of the last couple of years. Average business interruption periods increased from 15 days (2020) to 23 days (2021). It should also be noted that business interruption costs are sometimes as high as the ransom payment, or even exceed it. IBM’s 2020 Cost of a Data Breach Report shows that it took around 280 days on average just to identify a breach, which gives an insight into the ability of attackers to move stealthily and silently through a victim’s systems.

Cognyte, a security analytics company, reports that the manufacturing and financial services industries are the leading targets of ransomware attacks, followed by the transportation, technology, legal and human resources industries. Some examples are:

  • In 2016, Delta Airlines faced a major network outage that lasted for five hours and cost the company 150 million USD.
  • In October 2016, there was a DDoS attack on Dyn, a company that administers a major element of the web, that took down widely used websites such as PayPal, Twitter, Netflix, Amazon, and others.
  • In 2017, Maersk, a Danish shipping company, faced a cyber-attack that disrupted operations for two weeks, resulting in a loss of about 300 million USD.

Weak point RDP

According to the UK security company Sophos, one of the most common entry points is the widespread use of Remote Desktop Protocol (RDP). RDP allows remote users to connect to the desktop of another computer over a network connection. Organizations usually use it to give employees access to their networks while working remotely. If the port that an organization uses for RDP access is exposed directly to the internet, it is easy for malicious actors to find it, and they will then attempt to gain access to the organization’s computer systems.

Once the attackers can reach the system, the next step is to break into the organization’s local administrator account. This means that the attackers use a program that tries to guess the password by submitting many password combinations in quick succession (a brute-force attack). The longer and more complex the password, the harder it is for the attackers to crack it. Unfortunately, in our case, the local administrator account had a weak password. Additionally, the absence of multi-factor authentication (MFA) for RDP access allowed the attacker to enter the organization’s network without having to pass a second verification step, such as entering a verification code.
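The pattern described above (an internet-exposed RDP service, many failed logons in quick succession, then a successful logon as a local administrator) is visible in the Windows Security log before the encryption ever starts. The following is an added example, not code from the article or from Sophos, of how a defender can detect it: it counts failed RDP logons (event ID 4625, logon type 10) per source address inside a sliding window and flags any successful RDP logon (event ID 4624) that follows such a burst from the same source. The event IDs and logon type are the real Windows values; the pipe-delimited event format, the `parse_event` helper and the sample events are constructed for this example.

```python
"""
Detect RDP password-guessing (brute force) followed by a successful logon.

Added example, not part of the original article. The pipe-delimited event
format and the sample data are constructed; event IDs 4625/4624 and logon
type 10 (RemoteInteractive, i.e. RDP) are the real Windows Security values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESS_LOGON = 4624     # "An account was successfully logged on"
RDP_LOGON_TYPE = 10      # RemoteInteractive: Terminal Services / RDP


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(fields["event_id"]),
        "logon_type": int(fields["logon_type"]),
        "user": fields["user"],
        "src_ip": fields["src_ip"],
    }


def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Return bursts of RDP failures per source IP and successes that follow a burst.

    bursts:       src_ip -> highest number of failures seen inside one window
    compromises:  (src_ip, user, time) for each RDP success preceded by a burst
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures in window
    bursts = {}
    compromises = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # console, network, service logons are out of scope
        q = recent[ev["src_ip"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()           # drop failures older than the window
        if ev["event_id"] == FAILED_LOGON:
            q.append(ev["time"])
            if len(q) >= threshold:
                bursts[ev["src_ip"]] = max(bursts.get(ev["src_ip"], 0), len(q))
        elif ev["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            # a success right after a guessing burst is the signal to act on
            compromises.append((ev["src_ip"], ev["user"], ev["time"]))
    return {"bursts": bursts, "compromises": compromises}


def build_sample_events():
    """Constructed sample: one guessing source, one benign remote worker."""
    base = datetime(2021, 11, 2, 6, 10, 0)
    lines = []
    names = ["Administrator", "admin", "Administrator", "administrator"]
    # 12 failures in under three minutes, then a success as Administrator
    for i in range(12):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"time={t:%Y-%m-%dT%H:%M:%S}|event_id=4625|logon_type=10"
                     f"|user={names[i % 4]}|src_ip=203.0.113.7")
    t = base + timedelta(seconds=15 * 12)
    lines.append(f"time={t:%Y-%m-%dT%H:%M:%S}|event_id=4624|logon_type=10"
                 f"|user=Administrator|src_ip=203.0.113.7")
    # benign user: two typos, then a correct password
    for i, eid in enumerate([4625, 4625, 4624]):
        t = base + timedelta(minutes=1, seconds=20 * i)
        lines.append(f"time={t:%Y-%m-%dT%H:%M:%S}|event_id={eid}|logon_type=10"
                     f"|user=jdoe|src_ip=198.51.100.4")
    # a console (logon type 2) failure, which the detector must ignore
    lines.append(f"time={base:%Y-%m-%dT%H:%M:%S}|event_id=4625|logon_type=2"
                 f"|user=jdoe|src_ip=-")
    return [parse_event(line) for line in lines]


def analyse_sample():
    """Run the detector over the constructed sample events."""
    return detect_rdp_brute_force(build_sample_events())


if __name__ == "__main__":
    result = analyse_sample()
    for src, n in result["bursts"].items():
        print(f"RDP guessing from {src}: {n} failures inside the window")
    for src, user, when in result["compromises"]:
        print(f"success as {user} from {src} at {when:%H:%M:%S} after a burst: investigate")
```

The threshold and window are deliberately parameters: a benign remote worker who mistypes a password twice must not trip the alert, while a source that cycles through account names every few seconds should. In a real deployment the events would come from a SIEM or from `Get-WinEvent` exports rather than the constructed lines here, and the "success after burst" finding is the one that warrants immediate isolation of the host and a password reset, since it matches exactly the sequence that preceded the encryption in the case above.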

Production was blocked and, unfortunately, the company had no offline backup on external storage that could have been used to restore the data. After activating its business incident plan and contacting an external incident response team, the company decided that the ransom would be paid. After the payment and receipt of the decryption key, recovery began. As the whole process was time-consuming, it took around 14 days for the systems to be fully restored.

The benefits of cyber insurance against a cyber-attack

Because it held a cyber insurance policy, the company was able to carry out the whole data recovery and ransom payment process with highly skilled IT professionals. The costs covered for this cyber-attack were the ransom payment mentioned above, business interruption losses, incident response, forensic investigation costs, crisis PR, privacy liability, and compliance with the data protection regulators (GDPR) within the statutory deadlines.

Some important statistics (Indusface):

  • Organizations saw a record 225% increase in losses from ransomware attacks in 2020;
  • 53% of attacked businesses stated that their brand and reputation were damaged after a successful attack;
  • Around 26% of enterprises had to shut down operations permanently because of a ransomware attack.

If you are interested in the possible insurance offers and the level of vulnerability of your company to cyber threats, contact us and a team of our specialists will provide you with all necessary information about the further steps.


Bogdan Santovac

Liability & Financial Lines Specialist

T +420 778 521 276

War in Ukraine and Cyber Insurance

Since the start of the war in Ukraine, fears of cyber-attacks due to parallel hybrid war are increasing. In this article we explain how the insurance industry is reacting and how the war clause affects conditions.

Is there an increased cyber threat from the war in Ukraine?

Authorities such as the German BSI are currently assuming an “increased threat level”. At present, however, there is no immediate threat to information security in connection with the situation. There are nevertheless already suspicions of individual cyber-attacks connected to the war. The German wind turbine manufacturer Enercon, for example, was no longer able to carry out remote maintenance on its own systems; the reason was a disruption of the satellite network.

How are cyber insurers reacting?

Immediately after the outbreak of the war, our cyber specialists contacted cyber insurers to learn how they were reacting. The general feedback was that the situation was being assessed and that decisions would be taken more restrictively, especially in the area of critical infrastructure.

Does the war exclusion clause apply?

Cyber insurance policies usually contain so-called war exclusion clauses, under which damage caused by war or war-like events is not insured. The classic war exclusion means that there is generally no coverage for a targeted action by an attacking state using physical force.

If a cyber-attack originates from so-called state-sponsored hacker groups, there is no directly targeted action by an attacking state, and therefore no war in the sense of the definition. In addition, Russia is at war with Ukraine and not with other countries, a point to be considered when insurance wordings are interpreted. Even if a cyber-attack on a company is directed by a state, this is still not an official act of war. It is the insurer that must provide evidence that the cyber-attack originates from a state if it considers the exclusion applicable. It will be very difficult for the insurer to prove such a fact, however, because hackers usually do not announce that they are acting for a government.

How about the ransom payment?

Ransomware cases are currently the No. 1 cyber threat. Access to data or services is blocked and a ransom is demanded to restore it. The ransom payment is generally insurable. If the blackmailers are Russian hacker groups, policyholders must expect that insurers will not make any payment without a positive sanctions and compliance check. Due to the extensive sanctions against Russia, ransom payments to Russian hacker groups are usually subject to sanctions, and insurance payments are therefore contractually and legally prohibited.

Summary

We are currently not observing cyber-attacks connected to the war in Ukraine occurring in Austria or in Central and Eastern Europe. Cyber insurers continue to take responsibility for protecting against this number one corporate risk. In our opinion, the traditional war exclusion would not apply in the event of an untargeted attack. Ransom payments might be subject to sanctions and therefore forbidden.


Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

Technology Insurance: What you need to know before hitting the market?

A couple of years ago, a friend of mine from a law firm decided to learn some coding just for fun. After a few lessons, he discovered how similar contracts and software are in nature: writing code is like drafting a contract. Both start from an idea of how the result should work in order to become a functional program or contract.

Like business relationships, technology can also let you down. The biggest software failures in recent history have affected some of the largest companies and millions of customers around the world. Very often the software companies that develop and support these systems are held liable for the damages.

Case studies: how technology can cut us off

Imagine you are having a nice Sunday with your family, scrolling through your phone to check e-mails, only to discover that one of the largest airports in Europe has cancelled over 100 flights due to technical issues. This happened twice at London Heathrow Airport, in 2019 and 2020. Who is to blame? The technology companies that created, maintained and amended the systems.

Or something more recent: a major outage affected several high-profile websites, including Amazon, Reddit and Twitch. It was found that the outage was caused by a service configuration that triggered disruption in specific locations. For these companies, outages cost around $250,000 per hour, and that cost is claimed back from the service providers.

Problems can also arise outside contractual relations, and the technology company can find itself in the middle of a court case. The facial recognition start-up Clearview AI was sued in a potential class action lawsuit claiming that the company grabbed photos from employment sites, news sites, educational sites and social networks out of “pure greed” to sell to law enforcement. It is currently difficult to estimate the final cost and the damages claimed in this case.

How to save the business in these situations?

You can’t avoid technology failures entirely, but there is a way to find some relief in these complicated situations. When it comes to mitigating the risk and finding a proper insurance policy, technology insurance is one of the very first insurance products recommended for technology companies. It covers the liability arising from technological activity, for instance:

  • damages related to the errors
  • failures to perform, breach of contract
  • security failure
  • media liability
  • intellectual property breach
  • legal expenses related to the actual or alleged claim.

The core of this insurance is professional indemnity, which is rather related to errors and negligence and not directly to bodily injury or property damage like general liability policies.

In short, this is the solution for transferring your company’s financial risk and meeting contractual requirements. Insurance should be the first risk mitigation measure to consider when starting a technology company, concluding the first contract or preparing a service or product launch.

Simple steps to get the insurance policy done

Buying your first technology insurance policy is far easier than creating the technology itself. We only need your input to introduce your company to the insurance market and obtain quotes. The rest is for you to decide: if and when you need the coverage to be effective.

Helen Evert

Practice Leader Liability & Financial Lines – Estonia

T +372 5824 3096

Cyber insurance comes of age

Cyber insurance, now out of its infancy, has become an essential part of risk management. Stephan Eberlein, cyber expert at GrECo Specialty, reports on how you can get tailored cyber insurance with the best conditions, even in the current market environment.

For years, GrECo has been concerned with communicating to its clients that cyber incidents can be major loss events with serious effects on the company’s success or reputation. Risk transfer via an insurance solution is an important measure for effective cyber risk management.

At the beginning, there was still a lack of risk awareness among domestic company managers, who were “still” convinced of the effectiveness of their firewalls & co. The available cyber insurances were also still in their infancy and their complexity was not easy to understand. However, there was a euphoria in the insurance industry, which provided plenty of capacity at very low premiums to generate market share.

Cyber threats: the No. 1 business risk

Since 2019 at the latest, the world has entered a new cyber era. Although the IT landscape has faced viruses, security breaches and other forms of cyber attack for years, cyber criminals have become increasingly sophisticated. Cyber threats now represent the top business risk (source: Allianz Risk Barometer 2020).

Due to the large number of reports of cyber attacks and their serious financial consequences, many business leaders around the world have taken out cyber insurance at favorable premium costs. In early 2020, Munich Re valued the European cyber insurance market at more than 1 billion USD.

The digitalization accelerated by the Corona crisis not only led to a further sharp increase in cyber insurance policies last year, but also to a rapid increase in claims. Insurers had to deal with ransomware attacks on a large scale. Acting as an accelerant to the negative claims figures are incidents such as SolarWinds, the latest global cyber incident that even compromised government systems. Experts estimate that the insurance industry will have to pay about 90 million USD for this incident.

Cyber insurers are now complaining that claims payments far exceed premiums. Insureds are now feeling the consequences in their policy renewals: capacities are being cut and premiums are being increased, sometimes sharply. In addition, the application process for large companies is becoming more and more burdensome. In other words, market hardening has not stopped at cyber insurance.

Key to best possible conditions

In the current market environment, a “risk-based” approach and transparency are the key to a tailored insurance solution at the best possible conditions, both for contract renewals and new contracts.

However, companies often do not have sufficient answers to questions such as: Which “crown jewels” need to be protected? What is the financial impact of an intrusion affecting these assets? We therefore recommend assessing the cyber risk as part of a loss potential analysis in order to derive the insurance requirements.

Cyber security audits are used to determine the maturity level of IT security, because insurers now consistently demand minimum protection standards. This means that it is worth checking in advance whether the technical and organizational security measures correspond to the state of the art.

Regular awareness trainings for employees and penetration tests also have a very positive effect on risk assessment by the coverage market. On one hand, these measures serve to raise awareness, and on the other hand, they allow companies to test an emergency situation and derive important conclusions for their cyber risk management from the results.

Support in risk and insurance issues

GrECo’s experts accompany you throughout the entire phase of preliminary work up to the completion of the customized solution. They identify potential for improvement in IT security, shed light on the market environment and coverage options. They manage the marketing process, in which detailed questions often have to be answered. We are currently in a seller’s market. This means that the more transparent and better the company’s individual risk situation can be presented, the greater the insurers’ appetite for risk and the more attractive the outcome of the negotiations. So-called “underwriter meetings” also have a positive influence on the results of negotiations. In these meetings, the insurers’ risk engineers have the opportunity to ask detailed questions directly to the company’s managers. This facilitates the application process and promotes trust.

Cyber insurance, the new fire insurance

It is now undisputed that cyber insurance can effectively reduce or compensate for the financial loss in a cyber incident. The current loss events have demonstrated this clearly. Thus, it is more true than ever that cyber insurance should be a standard part of every company’s insurance portfolio. It is now considered the fire insurance of the 21st century.

However, it is important not to see it as a substitute for information security. In addition, companies should be prepared for the fact that insurers subject their risks to an individual review. The better the preparation, the more transparent the risk situation and the more comprehensible the corporate decisions in this area, the more smoothly contract renewals and new contracts for cyber insurance will run.

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

Cybercrime is also targeting your business

Some industries, such as online retail or banking, handle large amounts of sensitive and potentially lucrative data. Since the services they offer are to a large extent virtual, their exposure is rather obvious. For others, like manufacturers, telecommunications and healthcare, it is their obvious dependency on IT that makes them an attractive target for attacks in the cyber sphere. And indeed, participants in industries where neither apparently applies are sometimes led to believe that this topic is of subordinate relevance, or relevant only to others.

Unfortunately, this is far from true, as even a quick analysis and recent events show. It is a misperception that a company has to have a widely known brand, a particular product or media coverage to become a target. Falling prey to one of the ominous phishing mails, or a careless click by an employee on a seemingly harmless attachment, is equally relevant for each and every company. Recent events and our claims experience show that both large and small businesses are targeted by cyber criminals.

The top three cyber strategies of businesses

In our daily discussions with clients we encounter broadly three classes of responses:

  • Denial / minimum response: The initial response is that this risk is relevant for other industries, but not so much for their own. Publicly available examples are dismissed as singular incidents or as the consequence of a particularly unsuitable use of IT tools. Often, this approach is also driven by the fact that acknowledging an exposure would require a reaction, which may result in costs; an insurance premium would be one such additional cost. The topic of cyber and IT security is seen as the responsibility of the IT department: since the details of any exposure would inevitably be technical in nature (and impossible to understand for anybody but an IT professional), that is where the matter is thought to reside best. In smaller companies without dedicated departments, the responsibility is seen to lie with the suppliers of software or hardware/infrastructure.
  • Awareness and prevention: Media coverage on the topic has become ubiquitous and hard to avoid, even to a level where not addressing the topic could lead to the management’s reaction in this respect being questioned with hindsight. It is understood that the exposure is not merely technical, but also comprises soft facts like social engineering and human error which has to be actively managed in a company. The focus here often lies on prevention.
  • Comprehensive approach: In addition to prevention also comprising mitigation and business continuity analysis based on having developed a number of actual scenarios. Similar to fire drills, real exercises are being conducted and key personnel (not limited to the IT department) trained in how to react when servers go dark and communi

This simplified classification is of course exemplary; in reality it is more like a continuum. It can also be observed that when the conversation turns to cyber and insurance, one challenge is the complexity of what is covered under which line of insurance (property, cyber, professional indemnity, D&O and crime being the ones that could immediately be triggered, depending on the loss scenario). Other reservations are a certain saturation given the ever-increasing media alerts, and the fear that this could simply be the insurance industry seeking the next product it can sell.

The risk, of course, is real and can be effectively managed by a combination of prevention and mitigation, where insurance falls under the latter.

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

When Cyber infects the construction site

Cyber risk management and insurance in Construction

The construction industry is becoming more connected through electronic solutions and remotely accessible systems. Until now, labour productivity in the construction sector has not seen the same increase as in general manufacturing, but this is expected to change in the foreseeable future. Besides improved procurement and supply-chain management, it is above all digital technology, new materials and advanced automation that promise the largest gains.

A specific trait of companies in the construction sector is that each building is, to a varying extent, different from any other. As a consequence, builders and joint venture partners, vendors, subcontractors, suppliers and financial institutions are mixed together in changing constellations every time. They co-operate on a contractual framework drafted specifically for that project and are tasked with creating something that has not been done in this exact configuration before, while at the same time trying to perform as efficiently as possible, to produce works fit for purpose and free of defects, and to secure the sometimes slim operating margin the industry offers. This is contrary to any stationary industry, where locations and stakeholders are far easier to oversee, and processes are more standardized and more accessible to optimization and to immunization against threats.

The main attack vectors in the construction industry in cyber are:

  • Social engineering: psychological manipulation of people into performing actions or divulging confidential information. People and companies change from project to project, and personnel also fluctuates within projects.
  • Access points: construction trailers, site offices and decentralized IT are often more vulnerable and easier to access physically than permanent premises or offices in buildings.
  • Increasing digitisation of the value creation chain, from project management software and the electronic flow of designs and BIM to the Internet of Things (IoT) and automated machinery.
  • Ransomware: malicious software that blocks access to a system, encrypts it, or threatens to publish the victim’s data unless a ransom is paid (extortion).
  • Dependency on subcontractors and suppliers: if a subcontractor or supplier is affected by a cyber attack, it may negatively affect the timely completion of a project.
  • Hacktivists identifying companies as targets because of their involvement in certain areas or projects (fossil fuels, nuclear power plants, some sort of industrial plant).
  • Human error / malicious (ex-)employees.

Among the assets put at risk by a cyber incident are:

  • Intellectual property, proprietary assets, information protected by non-disclosure agreements including contractual fines if information gets disclosed
  • Architectural drawings / specifications, building schematics and blueprints
  • Compromised core systems (finance and accounting, logistics, communications) and as a consequence theft of funds, loss of contracts and contractual penalties
  • Business interruption events, literally paralyzing a company partly or in whole
  • Loss or theft of confidential information
  • Third party liability arising from any of the above
  • Loss, theft or extortion of funds
  • Reputational risk

To illustrate cyber claims examples in the construction industry, we consider the following units of a construction company and claims we have observed:

Recent media coverage of incidents only supports our illustration. In October 2018, for instance, Ingérop fell victim to a cyber attack in which the perpetrators obtained documents relating to nuclear plants, jails/correctional facilities and railway lines. The breach comprised 65 gigabytes, including the exact locations of video surveillance intended for a French high-security prison, plans for a final disposal site for nuclear waste, and sensitive details on more than 1,200 Ingérop employees.

Two of the largest construction companies in Austria were affected recently as well. In one instance in 2020, the company’s communication system was affected internationally, including encryption of files on network drives, ultimately rendering the company unable to act for several days, while the actual impairment of operations (and correspondingly increased IT costs) went on for several months thereafter. The second well-known incident in Austria was a phishing email disguised under the subject “Information on the Corona Virus”. In this case, the actors gained access to the data of the project owner, a municipality, and subsequently tried to extort it.

Also in 2020, a ransomware attack on Bouygues meant that internal applications, the intranet and the email system had to be taken offline, and even phone services failed intermittently. The hacker group Maze subsequently demanded 10 million EUR in ransom for the attack, which presumably originally affected only part of the systems in Toronto and Montréal and then spread to systems worldwide.

Do you need insurance?

It is an entrepreneurial decision which risks to take and which ones to transfer. The cyber arena presents exposures that simply did not exist 5-10 years ago. And just as the business environment changes, so does the response of companies adapt to those changes.

As of today, insurance premiums are still low and wide coverage is available. In the wake of the numerous cyber incidents registered recently, however, premiums are bound to go up and covers to become more restrictive. Costs following a cyber breach can easily reach millions of euros, composed of, depending on the loss scenario:

  • First party losses such as business interruption and immediate costs of crisis management and first response, including technical experts and forensic experts
  • Third party losses stemming from legal liabilities such as the GDPR, including financial loss due to contractual penalties, and crisis communication requirements

As even the most advanced IT security cannot guarantee full safety (think of the recent SolarWinds hack, which even affected the source code of widely used Microsoft products, though the full extent is yet to be assessed), it seems prudent to install a safety net that steps in should security measures fail and that covers the worst-case scenario of company closure.

The question of when a cyber insurance policy is triggered has a simple answer:

  • Data breach: violation of data protection laws (e.g. GDPR)
  • Network security breach: targeted or non-targeted cyber-attack (e.g. computer virus)
  • Operator error: error or omission that results in damage to data (e.g. programming error)
  • Technical failure: computer system malfunction (e.g. overheating)

The way ahead and how we can help

The evolution of technology will continue to shape value creation in construction. A conscious analysis will help contribute to the resilience of the organisation and minimize the negative effects cyber incidents may have. GrECo Risk Engineering offers specialized services supporting the assessment of cyber exposures and the choice of adequate insurance levels. With CyberSolid, GrECo exclusively offers an insurance solution with extensive cover and an easy, simple application.

Richard Krammer

Group Practice Leader Construction & Real Estate

T +43 5 04 04 119

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

“We are the friendly face who is there to ensure that the process runs smoothly.”

Brian Alexander, Group Practice Leader Financial Institutions, talks with Robert Lloyd, Director at ASL about trends in Crime & Cyber claims, the effects of Covid-19 on claims and the neutral and objective position of the loss adjuster.

Alexander: Can you tell us a little bit about how you got into adjusting?

Lloyd: I qualified as a chartered accountant in 2009 specialising in audit. Whilst this was great experience, I wanted more variation in my day to day work and the opportunity to travel internationally.

If I’m being completely honest, I came across ASL by chance. The role sounded extremely interesting – so I went for it. I met the Senior Directors at the time and they talked about trips to Latin America, cash being stolen from armoured cars and bank robberies. It was fascinating and I’m still captivated 11 years later!

Alexander: How does the adjusting process work?

Lloyd: We’re appointed by Insurers to investigate the facts of a claim and the amount of the loss. To do this, we provide the Insured with one or more written lists of information and documentation required.

If it’s a small loss, we may just correspond with the Insured through the Brokers. Alternatively, if it’s a large and/or complex loss, we will typically travel to the Insured, wherever they are in the world, and go through our questions with them face to face. Video meetings are increasingly playing a part too.

Once we have all the information, we prepare a report to the Insurers setting out our findings. Based on our report, the Insurers decide whether or not the claim is payable and, if so, how much.

It’s important to note that, whilst we are appointed by the Insurers, we provide a neutral and objective assessment of the claim.

Alexander: What are the benefits of the adjusting process to an insured (client)?

Lloyd: The loss adjuster facilitates the entire claims process. At the outset, we can help guide the Insured as to what they should and shouldn’t do – we can help them try to mitigate their loss and prevent a recurrence.

Then, by asking targeted questions, and requesting only relevant documentation, the adjuster is able to efficiently extract the information required by the Insurers to determine policy response. The adjuster also ensures that the Insured’s representations are properly and clearly communicated to the Insurers.

Additionally, the loss adjuster is someone that the Insured can speak with, along with their Broker, to discuss the status of the claim or simply to explain how the process works – we deal with crime and cyber claims every day and are therefore very comfortable with the process and the issues that arise. The adjuster should be a friendly face who is there to ensure that the process runs smoothly and that the correct outcome is achieved for all parties.

In those instances where coverage issues arise, and in order to manage expectations, the adjuster is also able to work with the Broker to explain these to the Insured.

Alexander: What are the current trends you see in Crime and Cyber claims?

Lloyd:

  • An ever-increasing number of social engineering frauds where an Insured is tricked, usually over email, into paying away money by fraudsters pretending to be a colleague, client or supplier. This affects both Banks and commercial entities with cover potentially available under crime and cyber policies.
  • More ransomware attacks. This is where criminals insert malware into an Insured’s computer system and encrypt data. It typically takes a week or more to get the systems back online resulting in a loss of income, which can be claimed under the business interruption section of a cyber policy.
  • Frauds involving transactions made via mobile telephone / cellphone – exacerbated by the growth of mobile banking in developing countries.
  • We continue to see numerous loan frauds across the world – and particularly in Eastern Europe. These often involve dishonest employees within Banks colluding to issue loans in return for kickbacks.
  • We’re seeing fewer claims involving the forcible theft of cash from Banks’ premises, ATMs and in transit. Perhaps that’s because running into a branch with an automatic weapon gives a much higher risk of being caught than trying a social engineering fraud or hacking into a Bank’s system. The amount that can be stolen by forcible theft is typically much lower too!

Alexander: Has Covid-19 seen an increase in claims from what you see?

Lloyd:

  • We’ve seen a marked increase in ransomware attacks and social engineering frauds because remote working has presented the ideal conditions for these types of fraud.
  • There’s been a temporary drop-off in more conventional fraud being notified – such as individuals stealing money from their employers. However, this is likely because Insureds have only recently returned to their offices, or are yet to do so, and so have not yet uncovered these schemes. The pandemic has created the ideal environment for fraud and we’re expecting to see significantly increased volumes of crime claims later this year and into 2021.
  • There have also been more loan frauds notified by the large Trade Finance Banks. This is because the pandemic has caused a number of their corporate clients to default – and the Banks’ subsequent enquiries have led them to believe that some of those loans may have been obtained under false pretences. The Banks therefore notify the matter to their crime policies.

About ASL
ASL are market-leading loss adjusters and forensic accountants. We specialise in dealing with crime claims made by Banks and commercial entities. We also handle cyber claims.

ASL’s professional staff includes chartered accountants and lawyers. This gives us the necessary expertise when it comes to quantifying complex losses and providing coverage analysis for the crime and cyber Insurers.

We have offices in London and Dubai and, since 1988, have handled assignments in over 100 countries.

Related Insights

Brian Alexander

Group Practice Leader Financial Institutions

T +43 5 04 04 342

Cyber security – the fire protection of the 21st century

Companies in the 21st century face the great challenge of advancing digitisation. This means increasing efficiency, reducing costs and deploying new, innovative IT products and services that also enhance cyber security.

Various studies and statistics show a clear tendency: crime is increasingly shifting to the Internet. In Austria alone, the authorities recorded a 27.5% increase in Internet-based crimes between 2018 and 2019. According to the IT-trend-study 2020 by Capgemini, almost 63% of companies in German-speaking countries now intend to increase their IT spending, compared to around 44% in the previous year.

Cyber security comes into play in this tension between the necessity of digital transformation and cyber-attacks that threaten a company’s existence. Pursuing a sustainable security strategy is almost indispensable for companies. From the entrepreneurial point of view, cyber security is now at least as important as fire protection, which every company generally understands. For companies, fire protection is primarily a personal safety issue with official regulations that must be observed. Cyber security, on the other hand, is (only) a data protection issue from the point of view of the authorities, and this is probably the biggest difference in the perception of companies when it comes to the willingness to invest in security.

Identify weak points

The fire hazard is evaluated by site inspections and tests of the fire protection equipment by experts in order to uncover weak points and identify potential for improvement. The same approach is used to manage cyber threats.

The cyber risk potential of the entire company is recorded and evaluated within the scope of a risk assessment, in which organisational aspects (e.g. security policy, employee training) and technical aspects (e.g. design of the server landscape, firewalls) are considered. This is usually done on the basis of relevant standards such as ISO 27001 or COBIT basic protection.

A further welcome step is, for example, a penetration test. Here the digital “fire protection gates” of a company are tested under strict security regulations, or a “fictitious digital fire” is set to see how the IT security reacts in case of an emergency.

Companies also hold regular fire drills to train employees for emergencies. In the event of a cyber-attack, untrained employees are the greatest weakness, while trained employees are the greatest strength when it comes to averting or mitigating cyber damage. Regular cyber awareness training ensures that cyber dangers are recognised in time and that the right measures are taken in case of an emergency.

Related Insights

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

Buyer’s guide Risk-based purchasing of cyber insurance

New cyber threats evolve almost every day, and insurance concepts evolve along with them.

However, it is clear that the cyber insurance policies available on the market pursue different objectives: some providers look primarily to cover damage and losses caused by a business interruption resulting from a cyber incident, while others focus on liability cover for a claim based on data breaches. Focusing only on the price of different products can lead to nasty surprises in the event of damage. In addition to the suitable scope of cover and an adequate risk premium, it is also important to choose the right sum insured for cyber insurance.

Before taking out cyber insurance, we recommend that you identify and quantify your own cyber risks within the company and define a strategy for risk management. Our buyer’s guide shows how you can use the GrECo cyber risk assessment to make the best possible decision in terms of cyber insurance.

Step I: Identification of the company cyber risk

The cyber risks of a company, such as cyber attacks, data breaches or IT errors of employees, are diverse. Companies must first of all face the challenge of identifying these risks. Here are some examples of the most significant risks for most businesses: data risk, operational risk, criminality risk and reputational risk.

The most significant cyber risks for companies

Step II: Determining the adequate sum insured

Once the company’s cyber risks have been identified, we recommend qualifying and quantifying these risks. Cyber risks can also be prevented, or at least reduced, in most cases by specific risk management, but a residual risk almost always remains. The residual risk of a potential major loss is covered by cyber insurance. Choosing the right sum insured and deductible commensurate with the risk involved can be a challenge. The evaluation approach must be chosen based on the risk type: the evaluation of the loss potential resulting from data theft follows different approaches from the evaluation of a business interruption following a cyber attack on IT infrastructure and key systems. The insurance market currently has sufficient capacities, even if high sums insured are required, as is the case with multinational companies. The specialists of GrECo Risk Engineering are on hand to help you prepare loss potential analyses for cyber risks. Read the article “Identify your risks. Don’t burn your money.”

Step III: Evaluation of cyber resilience

Cyber resilience is a comprehensive strategy for enhancing the resistance of a company’s IT systems to cyber attacks. International standards such as ISO 27001 or the NIST Cyber Security Framework offer recognised models for establishing, implementing, examining and continuously improving the company’s own cyber resilience.

But introducing these standards is not appropriate for every company. These certifications are often too complex and cost-intensive, especially for SMEs. However, cyber security services such as penetration tests, awareness training courses and cyber scoring reports are available to help SMEs build up their cyber resilience.

The cyber scoring report allows companies to establish their digital footprint quickly and cost-effectively. Leaked, publicly available company data (e.g. email addresses, passwords, user names, etc.) is searched for during a desktop scan of the internet and darknet. The report shows the company’s digital footprint, from which it can be concluded how the employees move in cyberspace, how visible the company is to cyber attackers (reputation in cyberspace), whether recent attacks can be detected, etc.

Cyber insurance ultimately safeguards corporate assets …
The awareness of the possible loss potential is an essential requirement for the decision on an insurance solution and its characteristics. Cyber resilience safeguards material and immaterial corporate assets and supports the purchase of cyber insurance in terms of quality and price.

As every minute counts with cyber damage, cyber insurance also offers important services such as immediate telephone support, an IT expert network, and legal and PR support in order to overcome the cyber incident in the best way possible and prevent a negative impact on the company’s reputation. After the crisis has been overcome, cyber insurance takes responsibility for first-party and third-party liability losses.

Related Insights


Guido Teutsch

Specialist Employee Benefits

T +43 5 04 04 – 247

How hackers work…

Crisis manager Crawford & Company explains

Cyber criminality can take on a number of forms – but one aspect always remains constant: the criminal energy of the attackers!

The hackers’ motivation is to seriously disturb a company’s operations and to gain a financial advantage from the criminal act – with correspondingly negative consequences for the parties concerned. If this scenario occurs, the following are crucial: good preparation and professional and coordinated actions!

Attackers usually gain access to the IT systems of the parties concerned and the sensitive data stored on these systems. In the past, the main focus of the risk assessment was often on the associated data protection and regulatory aspects. These aspects must always be taken into account, as otherwise there is the potential for hefty fines from the supervisory authorities. The recent past shows that authorities are increasingly imposing these types of fines due to data breaches (e.g. in accordance with the GDPR).

Fraudulent emails and encryption Trojans

The usual attack vectors are still often email fraud or attacks with encryption Trojans (ransomware). Over the past 12 months, we have been monitoring the trend towards increasingly targeted attacks that are often based on social engineering (e.g. phishing emails) in conjunction with complex, smart and automated malware (such as Emotet, which is deemed to be one of the most destructive and cost-intensive malware families).

The damage and losses resulting from cyber incidents may take on significant proportions in many cases. In addition to the regulatory aspects mentioned and data protection, the potentially significant damage to the company’s reputation and the financial losses of this company must also be taken into account.
The financial losses incurred are not restricted to the monetary expenditure for restoring data, IT forensic analysis and the evaluation of the attack, and to the costs of involving specialist lawyers and PR consultants. Financial losses that result from the temporary standstill of businesses or even entire corporate groups are increasingly playing a leading role in the risk assessment.

Crisis management with professional help in the event of damage

In addition to preventative measures for defence against and prevention of attacks, acting quickly and professionally in the event of damage or loss is usually the key to best overcoming cyber incidents and reducing the resulting damage and losses. In terms of crisis management, an external crisis manager may coordinate the management processes involved centrally together with the companies involved. With access to a carefully chosen and extensive network of external specialists as a result of framework agreements with IT forensic experts, lawyers and PR consultants, Crawford has the resources to offer active support in the event of damage or loss. Experts experienced in major damage and losses work at Crawford as crisis managers to offer support during the whole process, from the initial analysis and mitigation of the incident to the subsequent damage claims process as part of cyber insurance. This fully integrated crisis and claims management process represents a smooth and efficient solution for the entire cyber insurance claim.

GrECo best practice recommendations for mitigating the damage of a cyber incident

Florian Sättler is Head of Cyber Services, Germany/Austria and works as a Cyber Incident Manager at Crawford & Company (Deutschland) GmbH. The qualified industrial engineer started working as an expert in insurance claims for Crawford Global Technical Services (GTS) in 2014 and investigated various large national and international claims in the commercial and industrial sector. He has been an accredited Crawford GTS Cyber Incident Manager since 2017 and is responsible for crisis management/incident response in the event of cyber incidents, with a focus on Germany, Austria and Switzerland in cooperation with Crawford network partners.
Crawford & Company is the world’s largest listed and independent claims provider and has been helping policyholders and insurers with the solution-oriented processing of claims resulting from cyber criminality since 2014, using the Crawford CyberSolution. Crawford & Company has approximately 9,000 employees globally and has already processed well over 1,000 cyber claims.
