The thirst for understanding the Cyber threat landscape is evident both from those within and outside the Cyber insurance industry – Cyber remains one of the hottest topics and at the forefront of many businesses’ risk assessments, from the largest global airlines to fledgling businesses that are just starting out.
We have all grown used to “EXT:” at the top of email subject lines, red-bang warnings and safety nets there to protect us from a potentially troublesome email link. But it’s not just at work that we’re conscious about the threat. Many of us now constantly check the sender’s email address before clicking on a personal email on our phones, and I find myself checking URLs to make sure they are legitimate. A few years ago, that behaviour would have been the exception; now it’s the norm.
On the flip side, it’s a pleasure working in an area that is a hot topic and front of mind for many of us. It unfortunately continues to dominate the front pages of our news sites, with ever-increasing frequency.
With that in mind, I was delighted to be asked to lead a workshop at the TIN London Market Claims Conference 2021 last week to discuss Cyber threats with fellow claims professionals from a wide variety of insurance backgrounds, including carriers, brokers, and vendors. It was a great break from video calls, to instead meet safely in real life.
To kick the session off, Beazley’s Sandra Cole and I discussed and walked through some best practice examples that are critical to action in the first 24 hours after discovery of an incident:
- First notice of loss: to privacy counsel and insurer, for expedient incident response and expedient policy notification;
- Insurer involvement in initial on-boarding calls, to provide comfort around consent to vendors and action plan, avoiding any lingering coverage issues; and
- Diagnosis of incident ASAP, particularly if a ransomware event, to determine viability of data backups and whether personal information has been exfiltrated.
It’s surprising how many organisations still aren’t prepared for a Cyber incident and don’t have a plan in place, especially when some simple, quickly executed actions can make a significant difference to the outcome of an event. Preparation of a robust incident response plan including the relevant stakeholders can often make all the difference.
We then presented a quick primer on how we recommend partnering with brokers and clients to quantify business-interruption loss arising from a Cyber incident. Again, the key is preparation. Agreeing at the outset to a forensic accountant which is suitable to both the client and the insurer can both save delays to payment and avoid a long, drawn-out dispute over quantification, which we often see with calculations from partisan experts.
Following that, we provided a menu of discussion points for attendees to roundtable – I dropped into a few of the conversations:
Ransomware continues to be the topic of the day. We had questions from our attendees ranging from who the people perpetrating the attack are, to what motives they might be advancing, to how the Cyber insurance industry can and should react. We’ve seen regulators and legislators in the US, Canada, Australia, and other countries asking the same questions, with many ideas to potentially mitigate the frequency of ransomware attacks.
One proposal has been a prohibition on insurance reimbursement for payments by companies to the threat actors. Would that curb the problem?
While some of these criminals no doubt recognise the insurance contribution to their (anonymous) coffers, there is nothing to prevent them from continuing to target companies with the wherewithal to pay themselves. This might be particularly tempting where companies face the double quandary of having their computer systems encrypted and inoperable as well as having data exfiltrated, with the threat of posting customer and business confidential data online for the world to see.
As discussed at the conference, the threat of ransomware requires a more creative and robust solution to address the very root of the problem, rather than expecting victimized companies to absorb a damaging interruption to their business, with all the potential reputational issues which could follow, without at least having the option to pay the ransom.
As is evident, Cyber incidents are often messy. The main focus of our session was how, under such circumstances, Cyber insurers can assist. Cyber coverage is a type of insurance which is particularly well situated to partnering with clients to help prepare for, and if necessary, deal with a growing and expensive problem.
In terms of preparation, the group discussed how insurers could assist clients with providing opportunities for Cyber incident simulations, involving key stakeholders and sharing claims experiences with clients and brokers to enhance their understanding of the threat environment.
If the worst does happen, and an insured client becomes the victim of a Cyber-attack, Cyber claims teams are well-positioned to partner with the client and its broker to assist. During the session, we discussed the importance of:
- Pre-agreeing incident response vendors so that there is no delay arising from insurer consent; and
- Ensuring the client quickly notifies insurers of an incident (within minutes / hours, not days / weeks) so that the claims team can lend its experience and expertise, as well as reassure the client with respect to policy coverage.
With these two aspects in place, the client and its vendors can focus on getting the company back on its feet and mitigating the reputational damage.
The Cyber insurance industry has a large role to play in assisting clients to manage risk in an ever-evolving threat landscape, and it’s always helpful to sit around the table and hear others’ ideas and feedback in order to refine our own thinking. Many thanks to all the attendees for such a robust and interesting discussion and to the TIN London Market Claims Conference for inviting me to help.