As advances in business technology have exploded exponentially across the last 10-20 years, so too has the sophistication of opportunistic criminals (“bad actors”) targeting businesses. Modern criminals have shifted from traditional modes of crime to the digital landscape as a more profitable and anonymous means of exploiting vulnerable businesses.
As highlighted in ongoing media reports, recent years have also seen an increase in state-sponsored attacks targeting a range of Australian organisations, industry and critical national infrastructure.
The exposures to cyber-attacks are becoming more prevalent in the current work-from-home COVID-19 landscape, amplified by the majority of businesses moving to a distributed working environment with a remote workforce. In this article we share a recent incident experienced by a transport and logistics client and explore the critical importance of not only having an appropriate cyber policy in place, but having a solid risk management attitude, a robust cyber response plan and the support of an insurance broker to navigate the complex claims landscape.
In the late hours of trading (on a Friday of all times!) the Insured discovered that their networks had been compromised by a ransomware attack that began encrypting the Insured's files and left demand notes for payment in Bitcoin. As highlighted in recent cyber claims statistics, typically 80% of intrusions are a result of human error, which was evident in this case: the intrusion occurred when a staff member opened a malicious email.
Typically in this type of incident, threat actors will compromise a system, extract private and confidential information, then encrypt it and extort a ransom for the return of the data and a decryption code. Amplifying the threat, in both instances (paying and not paying the ransom) the threat actors will also look to auction the data on dark web marketplaces, which then makes the victim an ongoing target for future ransom attacks.
Time is of the essence in this type of incident and seconds and minutes count in order to reduce the impact of the attack and patch any ongoing areas of vulnerability. As the client had a dedicated cyber policy in place, the response team kicked into action within minutes of being alerted to the encryption occurring.
The insurer's dedicated cyber response team rapidly mobilised to provide the following response:
- A cyber risk coach was immediately appointed to coordinate the response efforts and was on the phone to navigate the initial response with the client’s IT provider.
- An expert cyber lawyer was appointed to assist in navigating the implications and pitfalls of paying the crypto ransom, noting that clients can often unknowingly be in violation of various anti-money laundering, anti-terrorism and banking laws.
- As it was determined the ransom would be paid, assistance was provided to help navigate the blockchain payment to ensure its legitimacy.
- Coordination with the bad actors to release the encryption key and testing of the encryption key for deployment to the server.
- Ongoing advice on risk improvements to reduce the likelihood of future attacks and vulnerabilities.
Outside of the critical response team jumping immediately into action, a good quality cyber insurance policy (in place in this instance) should also include the following key areas of cover:
- Cyber extortion expenses – typically navigating and paying ransoms as a result of a Ransomware attack.
- Data restoration and systems damage.
- Cyber crime and social engineering cover.
- Business interruption, reimbursement for loss of revenue as a result of the attack.
- Third party liability coverage – third party claims arising from a failure to protect individual or third party data.
- Regulatory fines and penalties – as a result of having suffered the breach.
The lesson from this story is that if the client didn’t have a dedicated cyber policy in place arranged by their broker, they would have been going it alone; navigating the numerous complexities involved in the initial incident and negotiation with the bad actors without expert advice to fall back on. The policy in place also provided indemnity for the incurred out of pocket IT and related expenses, data restoration, forensic costs, crypto payment to the hackers and numerous associated support services which the insured drew upon.
It goes without saying that ongoing reviews of IT infrastructure (including regular backups), having a cyber response plan in place and staff awareness are critical to ensuring the risk exposure is reduced, or controlled as much as possible.
In recent years, SMEs have typically been attacked more frequently, due to low budget allocation on cyber security compared to larger businesses that invest enough in the right security and risk management. These disruptions can be more costly and the impact more damaging with loss of key data and critical digital infrastructure.
PNOinsurance have a demonstrated expertise in providing fit for purpose cyber insurance options, navigating claims and working with key providers to provide advice and risk recommendations. I would be delighted to discuss with you your cyber exposures and how this can impact your business in the event of an attack.