Published by: The Insider, Spring 2019 (Insurance Institute).
Michelle Boland, Cyber & PI Team Leader at AIG Ireland explains the rise in cyber risk and how we are at the frontline working with our broker partners and clients to stay ahead of this ever-evolving threat.
In spite of the growing importance of protecting against cybersecurity threats, PwC’s Digital Trust Insights survey has found that businesses of all sizes are ill-prepared to protect themselves and their customers. According to the report, only about half of medium and large businesses say they are building resilience to cyberattacks and other disruptions. Fewer than half say they are comfortable that their company has adequately tested its resistance to cyberattacks, with only 53% practising proactive risk management of their digital transformation. On top of this, only 27% of executives say their boards are getting adequate metrics on cyber and privacy risk management, so it is clear that more must be done.
Similarly, AIG’s 2017 Cyber Claims Statistics (released last May) found that as many cyber-related claims were made in 2017 as in the previous four years. Overall, an average of one claim per working day was submitted to AIG in 2017. Professional Services, Financial Services and Retail are at the top of the list when it comes to cyber claims, but incidents are spreading more broadly across a range of sectors, indicating that no industry is immune to a cyber-attack. As the world becomes more dependent on technology, the threat of cybercrime is only set to continue to rise. As the number of interconnected devices relentlessly expands, so too does the opportunity for cyber-attacks upon organisations and individuals.
We see that cyber security is currently an important topic in corporate boardrooms around Ireland, with many more at C-suite level understanding the risks associated with cyber-attacks. Expensive data breaches are now unfortunately a fact of corporate life. The cyber threat is an evolving one and is clearly imposing additional responsibilities on directors, but what remains unclear is what the resulting ramifications will be for company executives. The financial impact of a data breach can be huge.
Therefore, directors should be concerned about both their fiduciary obligation to the company and its shareholders, and their own personal assets, which are at risk in the event of a claim for alleged wrongful management. Where a cyber incident has a material effect on a company’s shareholder or reputational value, litigation will almost certainly ensue, particularly if there has been a lapse on the part of the board in insuring the cyber exposure. Given the potential personal exposure for directors and management of companies, the purchase of a directors and officers liability policy, in conjunction with a cyber liability policy, should be strongly considered.
It’s very difficult to say whether most cyber breaches could be avoided, as it’s an ever-evolving threat carried out by highly sophisticated criminals. All industries are vulnerable, and criminals are not just targeting specific risks and vulnerabilities. There are definitely risk mitigation plans that companies can have in place to lower the likelihood of their being subject to a cyber-attack. All companies have a business continuity plan (BCP) to deal with fire and flood events, but what would they do in the event of a serious cyber-attack? A good cyber BCP or disaster recovery plan should also be developed and is essential for all businesses.
AIG’s claims statistics reflect that no sector is immune to a cyber-attack. We are seeing a larger number of notifications each year coming from an increasingly broad range of industry sectors, such as energy and transportation, and not just those traditionally associated with cyber risk. Professional services have become more of a target, with most holding large databases of clients which pose an attractive proposition to cyber-criminals because of the quality of the data they hold. We are definitely seeing a shift in perception, with companies and the cyber teams assessing their cyber risk moving to a “when we are attacked” mindset versus “if we are attacked”, and emphasis being placed on assessing how quickly an attack can be stopped.
Businesses of all industries and sizes are exposed to potentially enormous reputational and physical losses, as well as liabilities and costs, as a result of cyber-attacks and data breaches. Since GDPR came into force, data protection has been put into the spotlight. A business, regardless of size, is obliged to notify both the Data Protection Commission and the stakeholders affected should a breach occur.
Every department and individual in an organisation must do their part in the fight against cyber-attacks, not just IT, and this is particularly the case for those in board of management or executive positions. For this to work effectively, there needs to be buy-in from the board along with every tier in the management structure of an organisation. It’s important that management communicates to the business just how seriously they are taking this compromised cyber landscape. Since this is something that has a significant impact on day-to-day operations, communicating the role each employee must play, and providing the necessary training, is crucial.
At AIG, we place emphasis on our risk-mitigating solutions to stay ahead of these various threats. These include providing our insureds with access to best-in-class legal, PR and IT professionals who have experience in dealing with live emergency cyber breaches. With that in mind, the best way to prepare for a data breach or cyber-attack is to have a strong plan in place as well as adequate cover in case something goes wrong.
We would also recommend that companies carry out simulations of a data breach and the resulting investigation, as they show how ready a company is and reveal potential weak points which can then be addressed. Carrying out a simulation is vital, so that every employee knows the role they need to play and the processes they need to follow in the event of a cyber-attack.
In the Dublin office, AIG is dealing with approximately four cyber incidents per month. Since GDPR (25 May 2018) there has been a 50% increase in breach notifications and a 65% increase in data protection complaints. When faced with a cyber claim, AIG regularly focuses on the following areas:
Response Times – the policyholder receives a call from AIG within one hour of the incident being reported via the emergency hotline, which is available 24/7. AIG will arrange a triage call with its forensic IT and legal experts. With this critical and immediate assistance, the majority of cases are contained within the first 48 or 72 hours. The expert forensic IT and legal costs are on AIG’s account for the first response period (either 48 or 72 hours). Often, when there has been a data breach, the legal assistance helps get the insured’s Data Protection Commissioner (DPC) notification in within the DPC’s required 72-hour deadline, thus saving the insured a lot of difficulty and allowing the business to get back up and running.
Services Used – event management, expert legal and IT assistance, and in cases of newsworthy events AIG also covers public relations costs.
Cyber Extortion – where the hack has meant that the insured is unable to trade and the insured makes the decision to pay the ransom (if one is being demanded), AIG can engage specialised suppliers with a bitcoin wallet to carry out the payment. Assistance will be given in retrieving the data, ultimately getting the business back up and running. Policies include the additional benefit of covering the cost of the ransom, but whether this course of action is taken is at the policyholder’s discretion (and may not be applicable in all cases).
Business Interruption – this can make up a large proportion of a claim and is perhaps the most undervalued area.
Ransomware remains the top cause of loss for cyber claims (the key impact being business interruption), reflecting an increased incidence of such attacks worldwide. The best way to understand these types of claims is to give real-life examples:
Phishing of Email Account – Data Breach
• Insured was a chain of hotels.
• The insured was following up on outstanding invoices with commercial customers.
• Customers indicated that they had already paid invoices.
• With the assistance of AIG’s IT forensic experts, it was discovered that the attacker had been monitoring the inbox for some time and had amended the bank account details on outgoing invoices.
• Notification to the DPC and to data subjects was required (legal and IT experts drafted the notification and letters to affected customers).
Third Party Claim – Data Breach
• An insured was rolling out a new pay and bill system for the insured’s workers.
• A manual was created and circulated to approximately 260 workers.
• The data subject was a contractor, and their name, home address, email address and hourly pay rate were left visible in the training documentation.
• Legal support was provided to the insured at AIG’s expense.
• A DPC notification was required within the 72-hour deadline (legal experts assisted, paid for by AIG).
• The data subject claimed against the insured and asked for identity theft protection insurance.
• The claim was engaged with and settled at an early stage.