State-sponsored Cyber-Attacks: A Tool of Modern Warfare

Cyber War – State-sponsored Cyber Attacks Against Companies: A Tool of Modern Warfare

Helen Evert, Practice Leader at GrECo Estonia, shares insights about the pitfalls of cyber-attacks and how the small nation of Estonia successfully steels itself against attacks.  

In April 2007, the government of Estonia relocated the bronze soldier statue of Tallin, a Soviet-era monument. After two long nights of riots and lootings, the first state-sponsored cyber-attack against the websites of Estonian organizations took place. Targets included the parliament, banks, ministries, newspapers, and broadcasting corporations.

On 24th February 2022, Russia invaded Ukraine. Yet, Russian cyber-attacks against Ukrainian organisations and companies started much earlier. They increased ever since the illegal annexation of Crimea in 2014.
It, therefore, comes as no surprise that Estonian public institutions and its private sector once became the targets of extensive cyber-attacks in August 2022 after another war monument from the Soviet era – a T-34 tank – was removed from the border city of Narva. Except in a few cases, most websites though remained up and running after the attack and only some private media companies were temporarily offline.

Why are companies being targeted?

State-sponsored cyber-attacks usually have three goals – exploiting infrastructure weaknesses, gathering information or skimming off money to recover losses from sanctions. Such attacks are politically motivated, the targets can be identified at first sight, and they may change over time.

Companies have become favourite targets of such cyberwar attacks. Directly attacking a government or military system is far more complex and requires the attacker to use more resources. Companies are often less protected and provide hackers with an easy entry point into a country.

State-sponsored hackers often wait a long time undetected in corporate systems. This makes it difficult to manage the threat they pose. Removing it is an even bigger challenge. Once companies have been hit, they often require technical assistance from experts or national safety authorities.

Attackers like to focus on public service providers, supply infrastructure and infrastructure companies where they can cause a significant disruption by taking the target offline (gas, electricity, water, telecommunication, IT technology and Internet, the medical sector, transport, waste management, educational institutions).
Local government agencies, valuable brands and brand-name companies as well as those with sensitive data or high asset values in intellectual property are also preferred targets.

Cyber-attacks are on the rise

In the future, wars will become more frequent, more physical, and more high-tech. Everything can be used as a weapon – spreading false information, causing a stock market crash, diminishing currency credibility, launching and conducting a smear campaign or organizing a cyber-attack.

State-sponsored attacks can be anything, from simple DDoS attacks to massive disruptions of supply chains.
In 2021, the group behind the SolarWinds Hack, known as Nobelium and linked to the Russian foreign intelligence service SVR, targeted about 140 organisations, each an integral part of the global IT supply chain.

According to Microsoft experts, the actions taken by Nobelium support the notion that Russia tries to gain long-term, systematic access to numerous points along the technology supply chain to install a surveillance mechanism and monitor targets – now or in the future – that could be of interest to the Russian government. Furthermore, state-sponsored hacker groups have devoted themselves to cybercrime, using cyber-attacks as a good and relatively risk-free source of income once they have stolen sensitive data from their victims.

Why did the Russian cyber-attacks have hardly any effect on Estonia?

In Europe, Estonia has become a front-runner in digitization. The country has even been nicknamed “e-Estonia”. There are good reasons why the recent cyber-attacks seemed to have gone unnoticed and were largely ineffective. Apart from a few short and insignificant exceptions, websites remained up and running the entire day. The attack did not result in substantial losses, nor did it cause any inconveniences in the provision of national digital service.

Besides, the massive attacks back in 2007 showed Estonians just how important cyber security is. Being a neighbour to a hostile country, comprehensive surveillance and defence mechanisms against all kinds of attacks, whether physical or in cyberspace, has become essential.

During the last couple of years, cyber-attacks launched at public institutions and media companies in Estonia were the order of the day. After Russia attacked Ukraine on 24th February 2022, Estonian state-owned enterprises and private companies registered a significant rise in (attempted) attacks. Hence, IT security is on top of the country’s agenda and increased investments in cyber security on part of the government have thus done much to minimize the impact of cyber-attacks.

RIA is the national IT authority responsible for cyber security. Some 1,000 state employees protect Estonian cyberspace. They are backed by a highly developed IT system that automatically fends off intruders. Highly motivated computer scientists who would support their country in the event of an emergency and ensure up-to-date expertise act as a volunteer IT fire department.

Estonia aims to retain its lead in cyber security. In doing so, the country received support from NATO which operates a cyber defence centre in Tallinn. Simulated cyber-attacks are in the pipeline for training purposes.
Companies managing and operating critical infrastructure are also obliged to continuously improve their cyber protection by implementing best practices.

Cyberwar should not be taken lightly. Who will be the next target?

Cyber-attacks are part of an information war and are often used as a reaction to the political decisions made by a government. Cyber-attacks on key trade routes between Europe and Asia, in regions of armed conflicts or those against strategic targets, have spiked during the last few years. It is often hard to predict which targets are next on the list of cyber-warriors. However, it is safe to say that state-organised attacks, preying on political instability or a social divide, are set to increase.

Given their geopolitical situation, the Baltic States are constantly threatened by cyber-attacks. The same thought applies to allies and countries that express negative views about Russia, its allies, and the ongoing war.

Helen Evert

Practice Leader Liability & Financial Lines – Estonia

T +372 5824 3096

Related Insights

Webinar “Cyber risks in Food & Agri industry”

Cyber risks in agriculture

In our recent webinar “Cyber risks in Food & Agri industry” we shared information about the role of cyber insurance, case study examples of claims handling and Security Operation Center (SOC) as a service.

The food and agriculture industry has adopted the use of smart technology, such as automated farming techniques or automated high-bay warehouses. In addition, the industry is highly dependent on automation to keep prices low and distribution running smoothly. With all the benefits of digitalization, it is important to address the cyber exposures that come with this technology reliance.

In our recent webinar “Cyber risks in Food & Agri industry” we shared information about the role of cyber insurance, case study examples of claims handling and Security Operation Center (SOC) as a service. With more than 70 internal and external participants, we dived into the topics of cyber risks in the food and agriculture industry with a desire to show the importance of proper cyber insurance solutions for clients in this industry.

Speakers included Stephan Eberlein, GrECo Group Practice Leader in Liability & Financial Lines, Rob Lloyd, Director ASL, and Alexandra Rusnakova, Cyber security analyst at AXENTA CyberSOC.

You can find the full webinar recording on our Youtube profile.

Related News

Maksym Shylov

Group Practice Leader
Food & Agriculture

T +48 22 39 33 211

Cyber-attack – the heart attack of the companies

Cyber-attack – the heart attack of the companies

From a cyber perspective, there are only two types of companies: Those that have been hacked and those that will be hacked.

When an agricultural producer gets hit by a ransomware attack, it comes close to collapsing its business. The last two years of our lives will forever be marked as the years hardest hit by the global pandemic COVID-19. But this period has also brought us other threats, namely the digital pandemic in the form of the rise of Ransomware cyber-attacks.

What is Ransomware?

It was an ordinary morning for the agricultural company which is one of the main dairy products producers in the region. The director of the company arrived, as usual, sometime before the workers came to the factory, turned on his business laptop and noticed a disturbing message: “You are under a ransomware attack, please follow the link for further steps.”

Ransomware is a type of malicious software or encryption program, placed by a hacker, that works by encrypting data on a network. To regain access to the data, it asks you to pay a ransom in exchange for a decryption key. Some researchers (Coveware) show that a minority of companies that choose the ransom payment route, end up being forced to make additional payments or never getting access to their data.

Ransomware attacks have been one of the most common threats in the last couple of years. Business interruption periods increased from an average of 15 days (2020), now to an average of 23 days (2021). It should be also noted that the business interruption costs sometimes are as high as the ransom payment, or even exceed the amount. IBM’s 2020 Cost of Data Breach Report shows us that it took around 280 days to even identify a breach in a system, which gives us an insight into the ability and power of hackers to move stealthily and silently through a victim’s system.

Cognyte company, the security analytics agency, claims that the Manufacturing and Financial Services industries are the leading targets of ransomware hit, followed by the Transportation, Technology, Legal and Human Resources industries. Some examples are:

  • In 2016, Delta Airlines faced a major network outage that lasted for five hours and cost the company 150 million USD.
  • In October 2016, there was a DDoS attack on Dyn, a company that administers a major element of the web, that took down widely used websites such as PayPal, Twitter, Netflix, Amazon, and others.
  • In 2017, Maersk, a Danish shipping company, faced a cyber-attack that disrupted operations for two weeks, resulting in a loss of about 300 million USD.

Weak point RDP

According to the UK security company Sophos, one of the most distinguished ways is the widespread use of Remote Desktop Protocol (RDP). RDP is a system which allows remote users to connect to the desktop of another computer via a network connection. Usually, it is used by organizations to allow employees to gain access to their networks while they are working remotely. If the port, that an organization uses for RDP access, is exposed directly to the internet, it is easy for malicious actors to find it, and they then attempt to gain access to an organization’s computer systems.

After the hackers gain access to the system, the next step is to break into the organization´s local administrator account. This means that the attackers are using a computer program trying to crack the passwords by trying various password combinations in quick series. The longer and more complex password, the more difficult the job will be for hackers to crack the system. Unfortunately, in our case, the local administrator´s account had a weak password combination. Additionally, the absence of Multi-factor authentication (MFA) for RDP access, allowed the hacker to gain access to the organization’s network without having to go through a second verification procedure, such as entering a verification code.

The production was blocked and unfortunately, the company did not have an offline backup stored on external storage that could be used to restore them. After the activation of the business incident plan and connection with the external incident response team, the company decided that a ransom will be paid. After the payment and receiving the decryption key, recovery was started. As the whole process was time-consuming, it took around 14 days for the system to get fully recovered.

The benefits of cyber insurance against a cyber-attack

Due to having a cyber insurance policy, the company was able to carry out the whole process of recovery of data and ransom payments with highly skilled IT professionals. The costs which were covered under this cyber-attack were, above mentioned ransom payment, business interruption losses, business incident response, forensic investigation costs, crisis PR, privacy liability, and compliance with the data protection regulatory bodies (GDPR) under the law regulated time.

Some important statistics (Indusface):

  • Organizations saw a record 225% increase in losses from ransomware attacks in 2020;
  • 53% of attacked businesses stated that their brand and reputation were damaged after a successful attack;
  • Around 26% of enterprises had to shut down operations permanently because of a ransomware attack.

If you are interested in the possible insurance offers and the level of vulnerability of your company to cyber threats, contact us and a team of our specialists will provide you with all necessary information about the further steps.

Related Insights

Bogdan Santovac

Bogdan Santovac

Liability & Financial Lines Specialist

T +420 778 521 276

War in Ukraine and Cyber Insurance

Since the start of the war in Ukraine, fears of cyber-attacks due to parallel hybrid war are increasing. In this article we explain how the insurance industry is reacting and how the war clause affects conditions.

Is there an increased cyber threat from the war in Ukraine?

Officials like the German BSI are currently assuming an “increased threat level”. However, there is currently no immediate threat to information security in connection with the situation. However, there are already suspicions of individual cyber-attacks in connection with the war. The German wind turbine manufacturer Enercon, for example, was no longer able to carry out remote maintenance on its own systems. The reason for this was a disruption in the satellite network.

How are cyber insurers reacting?

Immediately after the outbreak of the war, our cyber specialists contacted cyber insurers in order to know their reaction. The general feedback was that the situation was being assessed and, especially in the area of critical infrastructure, that decisions will be taken with even more restrictions.

Does the war exclusion clause apply?

Cyber insurances usually have so-called war exclusion clauses, according to which damage caused by war or war-like events are not insured. The classic exclusion of war means that there is generally no coverage in the case of a targeted action by an attacking state using physical force.

If the cyber-attack is originated by so-called state sponsored hacker groups, there is no direct-targeted action by an attacking state, and therefore no war in the sense of the definition. In addition, Russia is at war with Ukraine and not with other countries, a point to be considered when insurance wordings are interpreted. Even if a cyber-attack on a company is directed by a state, this is still no official war action. It is the insurer who must provide evidence that the cyber-attack is originating from a state if he thinks that the exclusion is applicable. It will be very difficult for the insurer, however, to prove such a fact, because hackers usually do not announce that they are acting for a government.

How about the ransom payment?

Ransomware cases are currently the No. 1 cyber threat. Access to data or services is blocked and a ransom is demanded for activation. The ransom payment is generally insurable. If the blackmailers are Russian hacker groups, policyholders must expect that the insurers will not make any payment without a positive sanctions and compliance check. Due to the extensive sanctions against Russia, ransom payments to Russian hacker groups are usually subject to sanctions and insurance payments are therefore contractually and legally prohibited.


We are currently not observing cyber-attacks in connection with the war in Ukraine that would occur in Austria and Central and Eastern Europe. Cyber insurers still take responsibility for protecting this number one corporate risk. In our opinion, the traditional war exclusion would not apply in the event of an untargeted attack. Ransom payments might be subject to the sanctions and therefore forbidden.

Related Insights

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

Technology Insurance: What you need to know before hitting the market?

A couple of years ago, my friend from a law firm decided to learn some coding just for the fun. After some lessons, he discovered how similar contracts and software are in nature – writing a code is like drafting a contract. Both have an idea how it should work to become a functional piece of program or contract.

Like business relationships, technology can also let you down. The biggest software failures in recent history have affected some of the biggest companies and millions of customers around the world. Very often software companies developing and supporting their systems are to be held liable for damages.

Case studies: how technology can cut us off

Imagine you are having a nice Sunday with your family and scrolling your phone to check e-mails just to discover one of the largest airports in Europe has cancelled over 100 flights due technical issues. This happened twice in London Heathrow Airport back in 2019 and 2020. Who are to blame? Technology companies who created, maintained and amended the systems.

Or something more recent – a major outage affected several high-profile websites, including Amazon, Reddit and Twitch. It was discovered that the outage was caused by service configuration that triggered disruption in specific locations. For these companies’ outages cost around $250.000 per hour and it is claimed back from the service providers.

The problems can start out of contractual relations too, and the technology company can find itself in the middle of a court case. Facial recognition start-up Clearview AI was sued in a potential class action lawsuit that claims the company crabbed up photos from employment sites, news sites, educational sites, and social networks out of “pure greed” to sell to law enforcement. It is currently difficult to estimate the final cost and claimed damages related to this case.

How to save the business in these situations?

You can’t do much to avoid technology failures totally, but there is a way to find some redemption in the complicated situations. When it comes to mitigating the risk and finding a proper insurance policy, technology insurance is one of the very first insurance products recommended for technology companies.
This is covering the liability arising from the technological activity. For instance,

  • damages related to the errors
  • failures to perform, breach of contract
  • security failure
  • media liability
  • intellectual property breach
  • legal expenses related to the actual or alleged claim.

The core of this insurance is professional indemnity, which is rather related to errors and negligence and not directly to bodily injury or property damage like general liability policies.

Shortly, this is the solution to transfer your company’s financial risk and meet the contractual requirements. Insurance should be the first risk mitigation measure to consider while starting technology company, concluding the first contract or considering service or product launch.

Simple steps to get the insurance policy done

Buying your first technology insurance policy is far much easier than creating the technology itself. We only need your input to introduce your company to the insurance market and obtain quotes. The rest is for you to decide if and when you need the coverage be effective.

Related Insights

Helen Evert

Practice Leader Liability & Financial Lines – Estonia

T +372 5824 3096

Cyber insurance comes of age

Cyber insurance, now out of its infancy, has become an essential part of risk management. Stephan Eberlein, cyber expert at GrECo Specialty, reports on how you can get tailored cyber insurance with the best conditions, even in the current market environment.

For years, GrECo has been concerned with communicating to its clients that cyber incidents can be major loss events with serious effects on the company’s success or reputation. Risk transfer via an insurance solution is an important measure for effective cyber risk management.

At the beginning, there was still a lack of risk awareness among domestic company managers, who were “still” convinced of the effectiveness of their firewalls & co. The available cyber insurances were also still in their infancy and their complexity was not easy to understand. However, there was a euphoria in the insurance industry, which provided plenty of capacity at very low premiums to generate market share.

Cyber threats: the No. 1 business risk

Since 2019 at the latest, the world has entered a new cyber era. Although the IT landscape has faced viruses, security breaches and other forms of cyber attacks for years, cyber criminals have become increasingly sophisticated. Meanwhile cyber threats now represent the top business risk (source: Allianz Risk Barometer 2020).

Due to the large number of reports of cyber attacks and their serious financial consequences, many business leaders around the world have taken out cyber insurance at favorable premium costs. In early 2020, Munich Re valued the European cyber insurance market at more than 1 billion USD.

The digitalization accelerated by the Corona crisis not only led to a further sharp increase in cyber insurance policies last year, but also to a rapid increase in claims. Insurers had to deal with ransomware attacks on a large scale. Acting as an accelerant to the negative claims figures are incidents such as SolarWinds, the latest global cyber incident that even compromised government systems. Experts estimate that the insurance industry will have to pay about 90 million USD for this incident.

Cyber insurers are now complaining that claims payments far exceed premiums. Insureds are now feeling the consequences in their policy renewals: capacities are being cut and premiums are being increased, sometimes sharply. In addition, the application process for large companies is becoming more and more burdensome. In other words, market hardening has not stopped at cyber insurance.

Key to best possible conditions

In the current market environment, a “risk-based” approach and transparency are the key to a tailored insurance solution at the best possible conditions, both for contract renewals and new contracts.

However, companies often do not have sufficient answers to questions such as: Which “crown jewels” need to be protected? What is the financial impact of an intervention on these assets? We therefore recommend assessing the cyber risk as part of a loss potential analysis in order to derive the insurance requirements.

Cyber security audits are used to determine the maturity level of IT security, because insurers now consistently demand minimum protection standards. This means that it is worth checking in advance whether the technical and organizational security measures correspond to the state of the art.

Regular awareness trainings for employees and penetration tests also have a very positive effect on risk assessment by the coverage market. On one hand, these measures serve to raise awareness, and on the other hand, they allow companies to test an emergency situation and derive important conclusions for their cyber risk management from the results.

Support in risk and insurance issues

GrECo’s experts accompany you throughout the entire phase of preliminary work up to the completion of the customized solution. They identify potential for improvement in IT security, shed light on the market environment and coverage options. They manage the marketing process, in which detailed questions often have to be answered. We are currently in a seller’s market. This means that the more transparent and better the company’s individual risk situation can be presented, the greater the insurers’ appetite for risk and the more attractive the outcome of the negotiations. So-called “underwriter meetings” also have a positive influence on the results of negotiations. In these meetings, the insurers’ risk engineers have the opportunity to ask detailed questions directly to the company’s managers. This facilitates the application process and promotes trust.

Cyber insurance, the new fire insurance

It is now undisputed that cyber insurance can effectively reduce or compensate for the financial loss in a cyber incident. The current loss events have demonstrated this clearly. Thus, it is more true than ever that cyber insurance should be a standard part of every company’s insurance portfolio. It is now considered the fire insurance of the 21st century.

However, it is important not to see them as a substitute for information security. In addition, companies should be prepared for the fact that insurers subject their risks to an individual review. The better the preparation, the more transparent the risk situation and the more comprehensible the corporate decisions in this area are, the smoother contract renewals and new contracts for cyber insurance will run.

Related Insights

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

Cybercrime is also targeting your business

Some industries, such as online retail or banking, handle large amounts of sensitive and possibly lucrative data. By the very fact that the services they offer are to a wide extent are virtual, the exposure is rather obvious. With others, like manufacturers, telecommunications and healthcare, it is their obvious dependency on IT which makes them an attractive target for attacks in the cyber sphere. And indeed, participants of industries where neither apparently applies are sometimes lead to believe that this topic is of subordinate relevance or relevant to others.

Unfortunately, this is far from true, as an even quick analysis and recent events show. It is a misperception that a company has to have a widely known brand, a particular product or media coverage to become a target. Falling prey to one of the ominous phishing mails or an inconsiderate click of an employee on a seemingly harmless attachment are equally relevant for each and every company. Recent events and our claims experience show us that both large and small businesses are targeted by cyber criminals.

The top three cyber strategies of businesses

In our daily discussions with clients we encounter broadly three classes of responses:

  • Denial / minimum response: The initial response is that this risk is relevant for other industries, but not so much the own. Publicly available examples are discarded as singular incidents or consequence of particularly unsuitable use of IT tools. Often, this approach is also driven by the fact that the acknowledgement of an exposure would require a reaction, which may result in costs. An insurance premium would be such an additional cost. The topic of cyber and IT security is seen as a responsibility of the IT-department. Since the details of any exposure would inevitably be technical in nature (and impossible to understand for anybody but an IT professional) this is where the matter resides best. In smaller companies, without dedicated departments, the responsibility is seen to lie with suppliers of software or hardware/infrastructure.
  • Awareness and prevention: Media coverage on the topic has become ubiquitous and hard to avoid, even to a level where not addressing the topic could lead to the management’s reaction in this respect being questioned with hindsight. It is understood that the exposure is not merely technical, but also comprises soft facts like social engineering and human error which has to be actively managed in a company. The focus here often lies on prevention.
  • Comprehensive approach: In addition to prevention also comprising mitigation and business continuity analysis based on having developed a number of actual scenarios. Similar to fire drills, real exercises are being conducted and key personnel (not limited to the IT department) trained in how to react when servers go dark and communi

This simplified classification is of course exemplary and in reality more like a continuum. It can also be observed that when the conversation is brought to Cyber and insurance it is either the complexity of what is covered under which line of insurance (property, cyber, professional indemnity, D&O and crime being the ones which could immediately be triggered, depending on the loss scenario) which may be challenging. A certain saturation given the ever increasing media alerts and the fear this could only be the insurance industry seeking the next product it can sell are other reservations.

The risk, of course, is real and can be effectively managed by a combination of prevention and mitigation, where insurance falls under the latter.

Related Insights

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

When Cyber infects the construction site

Cyber risk management and insurance in Construction

The construction industry becomes more connected through electronic solutions and remotely accessible systems. Until now, labour productivity in the construction sector has not seen the same increase like in general manufacturing but it is expected that this will change in the foreseeable future. Despite an improved procurement and supply-chain management it is particularly digital technology, new materials and advanced automation that promise the largest gains.

A specific trait of companies in the construction sector is the fact that each building is, to a varying extent, different to any other. As a consequence, builders and joint venture partners, vendors, subcontractors, suppliers and financial institutions are mixed together in changing constellations every time. They co-operate on a contractual framework specifically drafted for this definite project and tasked with creating something which has not been done in this exact configuration before. At the same time trying to perform as efficiently as possible to produce works fit for the purpose and free of defect, while securing the sometime slim operating margin the industry offers. This is contrary to any stationary industry, where locations and stakeholders are a lot easier to oversee processes more standardized and accessible for optimization and immunization to threats.

The main attack vectors in the construction industry in cyber are:

  • Social engineering: psychological manipulation of people into performing actions or divulging confidential information. People and companies change from project to project and also within projects fluctuation of personnel happens.
  • Access points: construction trailers, site offices and decentralized IT are often more vulnerable and easier to access physically than on-site premises or offices in buildings
  • Increasing digitisation of the value creation change, from project management software over electronic flow of designs and BIM to Internet of things (IOT) and automatized machinery
  • Ransomware: a piece of malicious software that blocks access to a system, encrypts it or threatens to publish the victim’s data unless a ransom is paid (extortion)
  • Dependency on subcontractors and suppliers: if a subcontractor or supplier is affected by a cyber attack it may negatively influence the timely completion of a project
  • Hacktivists identifying companies as targets because of their involvement in certain areas/projects (fossil fuels, nuclear power plants, some sort of industrial plant)
  • Human error / malicious (ex-)employees

Some of these assets are at risk by a cyber-incident:

  • Intellectual property, proprietary assets, information protected by non-disclosure agreements including contractual fines if information gets disclosed
  • Architectural drawings / specifications, building schematics and blueprints
  • Compromised core systems (finance and accounting, logistics, communications) and as a consequence theft of funds, loss of contracts and contractual penalties
  • Business interruption events, literally paralyzing a company partly or in whole
  • Loss or theft of confidential information
  • Third party liability arising from any of the above
  • Loss, theft or extortion of funds
  • Reputational risk

To illustrate cyber claims examples in the construction industry, we consider the following units of a construction company and claims we have observed:

Recent media coverage of incidents only support our illustration. In October 2018 for instance, Ingérop was victim of a cyber attack where perpetrators were able to get documents relating to nuclear plants, jails/correctional facilities and railway lines. The breach comprised 65 Gigabytes, including the exact locations of video surveillance intended for use in a French high-security prison as well as plans to an ultimate disposal site for nuclear waste and sensitive details on more than 1.200 employees of Ingérop.

Two of the largest construction companies in Austria were affected recently as well. In one instance in 2020, the company’s communication system was affected internationally, including encryption of files on network drives, ultimately rendering the company unable to act for several days, while the actual impairment of operations (and correspondingly, increased IT costs) went on for several months thereafter. The second well known incident in Austria was a Phishing email disguised in an email titled “Information on the Corona Virus”. In this case, the actors gained access to the data of the project owner, a municipality, and consequently tried to extort them.

Also in 2020, a ransomware attack on Bouygues led to internal applications, intranet and the email-system had to be taken offline, with even phone services failed intermittently. The hacker group Maze consequently demanded 10 million EUR in ransom based on the attack, which presumably originally affected only part of the system in Toronto and Montréal, and consequently affected systems worldwide.

Do you need insurance?

It is and entrepreneurial decision which risks to take and which ones to transfer. The cyber arena provides exposures which simply did not exist 5-10 years ago. And just like the business environment changes, so does the response of the companies adapt to those changes.

As of today, insurance premiums are still low and wide coverages available. In the wake of the numerous cyber incidents registered in recent times the premiums are however bound to go up and covers to get more restrictive. Costs following a cyber-breach can easily reach millions of Euros, composed of – depending on the loss scenario:

  • First party losses such as business interruption and immediate costs of crisis management and first response, including technical experts and forensic experts
  • Third party losses stemming from legal liabilities such as the GDPR, including financial loss due to contractual penalties, and crisis communication requirements

As even the most advanced IT security cannot guarantee full safety (think of the recent Solarwinds hack which even affected the source code of widely used Microsoft products, though the full extent is yet to be assessed), it seems prudent to install a safety net which will step in should security measures fail and covers the worst case scenario of company closure.

The mere question of when a cyber-insurance policy is triggered is simple:

  • Data breach (violation of data protection laws (e.g. GDPR)
  • Network security breach: targeted or non-targeted cyber-attack (e.g. computer virus)
  • Operator Error: error or omission that results in a damage of data (e.g. programming error)
  • Technical failure: computer system malfunction (e.g. overheating)

The way ahead and how we can help

The evolvement of technology will continue to coin and form the value creation in construction. A conscious analysis will help to contribute to the resilience of the organisation and minimize negative effects cyber incidents may have. GrECo Risk Engineering offers specialized services supporting in the assessment of cyber exposures and choosing adequate insurance levels. With CyberSolid, GrECo exclusively offers an insurance solution with extensive cover and easy and simple application.

Related Insights

Richard Krammer

Group Practice Leader Construction & Real Estate

T +43 664 810 29 63

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60

“We are the friendly face who is there to ensure that the process runs smoothly.”

Brian Alexander, Group Practice Leader Financial Institutions, talks with Robert Lloyd, Director at ASL about trends in Crime & Cyber claims, the effects of Covid-19 on claims and the neutral and objective position of the loss adjuster.

Alexander: Can you tell us a little bit about how you got into adjusting?

Lloyd: I qualified as a chartered accountant in 2009 specialising in audit. Whilst this was great experience, I wanted more variation in my day to day work and the opportunity to travel internationally.

If I’m being completely honest, I came across ASL by chance. The role sounded extremely interesting – so I went for it. I met the Senior Directors at the time and they talked about trips to Latin America, cash being stolen from armoured cars and bank robberies. It was fascinating and I’m still captivated 11 years later!

Alexander: How does the adjusting process work?

Lloyd: We’re appointed by Insurers to investigate the facts of a claim and the amount of the loss. To do this, we provide the Insured with one or more written lists of information and documentation required.

If it’s a small loss, we may just correspond with the Insured through the Brokers. Alternatively, if it’s a large and/or complex loss, we will typically travel to the Insured, wherever they are in the world, and go through our questions with them face to face. Video meetings are increasingly playing a part too.

Once we have all the information, we prepare a report to the Insurers setting out our findings. Based on our report, the Insurers decide whether or not the claim is payable and, if so, how much.

It’s important to note that, whilst we are appointed by the Insurers, we provide a neutral and objective assessment of the claim.

Alexander: What are the benefits of the adjusting process to an insured (client)?

Lloyd: The loss adjuster facilitates the entire claims process. At the outset, we can help guide the Insured as to what they should and shouldn’t do – we can help them try to mitigate their loss and prevent a recurrence.

Then, by asking targeted questions, and requesting only relevant documentation, the adjuster is able to efficiently extract the information required by the Insurers to determine policy response. The adjuster also ensures that the Insured’s representations are properly and clearly communicated to the Insurers.

Additionally, the loss adjuster is someone that the Insured can speak with, along with their Broker, to discuss the status of the claim or simply to explain how the process works – we deal with crime and cyber claims every day and are therefore very comfortable with the process and the issues that arise. The adjuster should be a friendly face who is there to ensure that the process runs smoothly and that the correct outcome is achieved for all parties.

In those instances where coverage issues arise, and in order to manage expectations, the adjuster is also able to work with the Broker to explain these to the Insured.

Alexander: What are the current trends you see in Crime and Cyber claims?


  • An ever-increasing number of social engineering frauds where an Insured is tricked, usually over email, into paying away money by fraudsters pretending to be a colleague, client or supplier. This affects both Banks and commercial entities with cover potentially available under crime and cyber policies.
  • More ransomware attacks. This is where criminals insert malware into an Insured’s computer system and encrypt data. It typically takes a week or more to get the systems back online resulting in a loss of income, which can be claimed under the business interruption section of a cyber policy.
  • Frauds involving transactions made via mobile telephone / cellphone – exacerbated by the growth of mobile banking in developing countries.
  • We continue to see numerous loan frauds across the world – and particularly in Eastern Europe. These often involve dishonest employees within Banks colluding to issue loans in return for kickbacks.
  • We’re seeing fewer claims involving the forcible theft of cash from Banks’ premises, ATMs and in transit. Perhaps that’s because running into a branch with an automatic weapon gives a much higher risk of being caught than trying a social engineering fraud or hacking into a Bank’s system. The amount that can be stolen by forcible theft is typically is much lower too!

Alexander: Has Covid-19 seen an increase in claims from what you see?


  • We’ve seen a marked increase in ransomware attacks and social engineering frauds because remote working has presented the ideal conditions for these types of fraud.
  • There’s been a temporary drop off in more conventional fraud being notified – such as individuals stealing money from their employers. However, this is likely because Insureds have only recently returned to their offices, or are yet to do so, and so have not yet uncovered these schemes. The pandemic has created the ideal environment for fraud and we’re expecting to see significantly increased volumes of crime claims later this year and into 2021.
  • There have also been more loan frauds notified by the large Trade Finance Banks. This is because the pandemic has caused a number of their corporate clients to default – and the Banks’ subsequent enquires have led them to believe that some of those loans may have been obtained under false pretences. The Banks therefore notify the matter to their crime policies.

About ASL
ASL are market leading loss adjusters and forensic accountants. We specialise in dealing with crime claims made by Banks and commercial entities. We also handle cyber claims.

ASL’s professional staff includes chartered accountants and lawyers. This gives us the necessary expertise when it comes to quantifying complex losses and providing coverage analysis for the crime and cyber Insurers.

We have offices in London and Dubai and, since 1988, have handled assignments in over 100 countries.

Related Insights

Brian Alexander

Group Practice Leader Financial Institutions

T +43 664 962 39 17

Cyber security – the fire protection of the 21st century

Companies in the 21st century face the great challenge to advance digitization. This means to increase efficiency, reduce costs and deploy new, innovative IT-products and –services that also enhance cyber security.

Various studies and statistics show a clear tendency: crime is increasingly shifting to the Internet. Just in Austria, the authorities recorded a 27.5% increase in Internet-based crimes between 2018 and 2019. According to the IT-trend-study 2020 by Capgemini, almost 63% of companies in German-speaking countries now intend to increase their IT-spending, compared to around 44% in the previous year.

With this tension, between the necessity for digital transformation and the existence-threatening cyber-attacks, cyber-security comes into play. Pursuing a sustainable security strategy is almost indispensable for companies. From the entrepreneurial point of view, cyber security is now at least as important as fire protection, for which usually each company has an understanding. For companies fire-protection is primarily a personal safety issue with official regulations that must be observed. Cyber security, on the other hand, is (only) a data protection issue from the point of view of the authorities, and this is probably the biggest difference in the perception of companies when it comes to the willingness to invest in security.

Identify weak points

The fire-hazard is evaluated by site inspections and tests of the fire-protection-equipment by experts in order to uncover weak points and identify potential for improvement. The same approach is used to manage cyber-threats.
The cyber-risk potential of the entire company is recorded and evaluated within the scope of a risk assessment, whereby organizational aspects (e.g. security policy, employee training) and technical aspects (e.g. design of the server landscape, firewalls) will be considered. This is usually done based on relevant standards such as an ISO 27001 or the COBIT basic-protection.

A further or additional welcome step is for example a penetration test. Here the digital “fire-protection-gates” of a company are tested under strict security-regulations or a “fictitious digital-fire” is set to see how the IT-security reacts in case of an emergency.

Companies also are hold regular fire drills to train employees for emergencies. In the event of a cyber-attack, unqualified employees are the greatest weakness, while trained employees are the greatest strength when it comes to averting or mitigating cyber damage. Regular cyber awareness training ensures that cyber-dangers are recognized timely and that the right measures are taken in case of an emergency.

Related Insights

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60