
Cyber Risk Management – An Insurance Broker’s Perspective

The following case study is based on an actual cyber-attack that resulted in a denial of access and a demand for ransom in early July 2018 which was finally settled in May 2019.

The Cyber Risk Case study:

Although the attack was limited to denial of access, other business risks, including potential breaches of privacy, were identified and are addressed in this Case Study.
The Cyber-attack highlighted a number of exposures/risks that brokers should consider when providing risk management advice to clients that have multiple sites, complex financial data and/or personal records of employees and/or clients/customers.

 

The Insured

The Insured is a privately-owned Australian Services company with multiple locations across the Eastern States of Australia – including a number of office facilities that are sub-leased to a range of businesses including allied health professionals.

 

The Cyber Attack

The Insured was subject to a ransom demand late on a Saturday afternoon which was accompanied by denial of access to all IT services at multiple locations in Australia.
The hacker is believed to have used Mr Dec Ransomware, which infected the Microsoft Active Directory server. This was achieved by:

  1. A breach of Remote Desktop Protocol (RDP) security, and/or
  2. A user clicking an attachment to an email, allowing the malware to activate.
  3. It is likely that multiple entry points, as well as multiple incidents, pre-dated the notification on 7th July 2018.
  4. Ten of the Insured’s sites were affected, operating from five servers. A total of eight hard drives were infected, holding 16 terabytes of encrypted data.

The ransom was demanded in Bitcoins, with the Insured being denied access to corporate financial data, diaries, appointment schedules and personal records of the Insured. IT support and data management was also being provided by the Insured to sub-tenants at a number of locations.

Once the Insured was contacted by the hacker, they immediately informed the broker, on a Sunday evening. The Insured was advised that they should not pay the ransom and contacted the 24-hr claims contact number provided by the Insurer.

The Claims Response team responded almost immediately and assumed the role of program manager in bringing to bear the various resources required in managing the impact of the attack.
The Insured continued ongoing contact with the hacker attempting to ‘negotiate’ a reduction of the ransom and access to the data.

Liaison was maintained, via email and Conference calls between the Insured, the Claims Manager, the Broker and the various specialist resources that were then engaged to manage the recovery program.

 

Hacker’s strategy:

The hacker usually gains access to the target’s IT environment via emails, SMS messages, phone calls or desktop computers; in this instance it was via emails that were opened by staff members.
The hacker encrypts the files with a key that only the hacker holds, so that when the user tries to use the system, access is denied.
The Insured’s dilemma raises the following questions:

  1. Do they pay the ransom?
  2. How does the insured transfer the ransom from AUD into Bitcoins and how long will that take?
  3. Will any delays irritate the hacker into ceasing to negotiate any further?
  4. If they pay the ransom will they get full access to the data?
  5. If the Insured uses proprietary software, will the recovered data be in usable form?
  6. If they pay the ransom will they be subject to another similar attack at a later date?
  7. If the Ransom is not paid will the insured be able to recover the data?
  8. Will the ‘hacked’ data be compromised, and will the Insured be subject to the mandatory reporting requirements of the Federal Government’s Breach of Privacy legislation?
  9. How does the Insured recover from the Cyber Attack and re-establish normal operations?

 

The Insurer’s Strategy in response to Cyber Attack:

The Insurer’s interests are best served by:

  1. Managing the claim as efficiently as possible to minimise costs;
  2. Getting the Insured back to normal operating as soon as possible;
  3. Responding to the hacker’s demands on behalf of the Insured;
  4. Appointing appropriate Claims management resources including:

    1. Recommending a strategy to negotiate with the Hacker;
    2. Potentially appointing a specialist Cyber Risk negotiator to handle ongoing ‘discussions’ with the hacker, and
    3. Appointing specialist IT forensic resources to recover access to the insured’s data files;

  5. Responding to the claim within the limits of the policy coverage, and
  6. Recommending and approving specialist resources to return the Insured to normal operating environment as soon as possible.

 

The Insured’s Strategy pre- and post-Cyber Attack:

Assuming the Insured has a Cyber Risk & Privacy Policy, the insured should:

  1. Immediately contact the after-hours claims number provided by the Insurer. Continue discussions with the hacker to ‘negotiate’ the ransom, without paying the ransom (some jurisdictions, such as the UK, have Government legislation that specifically forbids the insurer from paying the ransom);
  2. Liaise with the Insurer’s Cyber response team, who will manage and advise the Insured on the actions they (the Insured) need to take to:

    1. Manage the impact of the Cyber-attack on the on-going operations of the insured’s business;
    2. Recommend and engage appropriate forensic IT resources to try to recover the insured’s data;
    3. Appoint a specialised legal firm to advise the insured on mandatory reporting requirements, and whether they need to inform the Federal Government of a breach of privacy;
    4. Appoint a Public Relations firm to handle and minimise any potential damage to the insured’s reputation;
    5. Gain approval from the Insurer/Claims Manager before engaging any of the above resources;
    6. Document any financial damage to the insured’s business that may be claimed under the Business Interruption section of the Policy;
    7. Assess the potential damage to other parties who may become 3rd party claimants on the policy;
    8. Engage other IT services to restore the integrity of the Insured’s IT systems so that any further exposure to Cyber attacks will be limited. This resource may not be covered under the policy.

  3. Provide at least the last three years’ financial records, which the Insurer will require in order to consider Business Interruption claims.
  4. Provide details of Contracts with 3rd Parties who may suffer financial loss as a result of the Cyber-attack and who may lodge 3rd Party claims on the insured.
  5. Provide evidence of additional staff resources that may be required to manage the restoration of data files and company records.

 

If the Insured DOES NOT have a Cyber Risk Policy:

  1. The insured will have to identify and engage:

    1. Specialist IT Forensic resources to try to access the data;
    2. A Negotiator who has experience of negotiating with Hackers;
    3. A mechanism to swiftly arrange the ransom in bitcoins;
    4. Legal firm to advise on potential breaches of privacy and requirements for mandatory reporting of breaches;
    5. PR resources to manage any damaging media disclosure or actions by employees or 3rd parties who may decide to take action against the Insured;
    6. Specialist IT resources to sanitise recovered data and ensure it is compatible with the insured’s software systems;
    7. Ongoing IT support services that will be required to protect the insured’s data against future Cyber-attacks.

  2. Given the experience of the subject Cyber Attack, it is probable that the Insured would not have recovered from the denial of access to date, nor from the 3rd party claims that would inevitably have resulted from the attack, had the Insurer’s specialist resources not been immediately available.

 

Risk Management strategies should include:

  1. Offering clients Cyber Risk and Privacy Insurance;
  2. The need to educate clients on Breaches of Privacy legislation and the need to protect information about employees and/or clients/customers that could be deemed as ‘private information’.
  3. Advising clients on their information technology practices to include

    1. Firewalls on all networks;
    2. Anti-malware on all computers, laptops and smart phones;
    3. Changing passwords on all devices at least every 45 days (some insurers make this a condition of Cyber Insurance Policies);
    4. All IT devices are password protected and the passwords are changed at least once per month;
    5. The need to regularly back-up files and retain copies off-site, and
    6. Establish staff procedures for accessing emails within the office environment and via portable devices that may interface with the Insured’s IT environment.

  4. Where IT functions are outsourced, ensuring that the IT support organisation has appropriate:

    1. IT PI and PL Insurance;
    2. Cyber Risk Insurance;
    3. Anti-malware and firewalls in place;
    4. All data files are regularly backed up and copies are kept off-site remote from the IT provider and insured’s IT environment.
    5. General IT capabilities that are commensurate with the size and complexity of the Insured’s Data Systems and Software environment.

  5. Advising the client to seek appropriate risk management advice to educate all employees and contractors on appropriate practices when handling emails, text messages and phone calls.
  6. Advising clients on the need for establishing data handling practices and procedures in an environment where computer hacking is becoming increasingly common.

 

Summary of the Typical Resources brought into play to manage the Cyber-attack

The following resources were made available in this case:

  1. The Assessor managed the response to the cyber-attack on behalf of the Insurer. This support included recommendations for:

    1. IT Remediation
    2. Ransom payment
    3. Legal assistance with Privacy breaches etc
    4. Public Relations assistance to manage any reputational damage
    5. Risk Register
    6. Communications strategy and Media

  2. Forensic IT support – engagement of an approved IT firm with specialised knowledge and experience of Cyber-attacks. IT Forensic support analysed the recovered data, loading it onto a discrete server based in Sydney.
  3. A Legal Firm was appointed on the recommendation of the Assessor to provide Breach Counsel advice and related services
  4. The appointment of a local Australian PR advisory firm was necessary to manage a specific situation at one of the sites and will limit future claims against the insured. The Insurer will normally have a Panel of PR companies, which can be engaged with the agreement of the insurer to handle any potential media activity;
  5. The potential size of the claim necessitated the direct involvement of the Lloyds Underwriting facility (AMTRUST) who participated via numerous conference calls involving Sydney, Melbourne, Singapore and London as the management of the program progressed.
  6. A local IT Company was engaged to assist the insured in establishing IT procedures and protocols and to manage the various IT resources needed to return operations to normal.
  7. A specialist company was engaged by the insurer to negotiate the release of the data, including examination of data files to ensure the data recovered was complete and able to be used by the Insured.
  8. Appropriate IT resources to improve the Insured’s IT environment and to reduce exposure to future Cyber-attacks. Such expenses are not normally covered by the Cyber Policy. These resources included:

    1. A specialist database software provider, with respect to implementation of data merging post-recovery of backup information;
    2. Specialist IT resources to assist in User Acceptance Testing of the restored data;
    3. Specialist IT resources to help recover the format and structure of financial databases, including payroll and accounting ledgers.

 

Lessons Learned:

  1. Our Insured must have competent IT support services – either In house or via external Contract that provides appropriate Security, Back-up and recovery services;
  2. Insureds must have an IT procedures policy that makes staff security conscious, especially when using email and accessing Company data via remote devices such as laptops and mobile phones;
  3. The Insured’s stored/recovered data must be held in Australia – otherwise the Insured could be deemed to breach Australian Federal Government Privacy Regulations;
  4. Recovered data may still have encrypted keys hidden within the recovered files. Hence, recovered data has to be sanitised line by line and may require substantial 24-hr IT resources to ensure no hidden keys are retained in the recovered data.
  5. If the Insured provides administrative support to other parties, i.e. sub-tenants, there is a duty to protect the data of those 3rd parties. Failure to protect such data may result in a claim of financial loss on the Insured (PI claim). For example, if Allied Health or Medical Professionals are tenants:

    1. Patient Medical Records may be inaccessible. Health Professionals may be required to seek full medical histories from individual patients to re-establish the patients’ medical history. This can result in a significant reduction of medical billings and loss of income to 3rd parties;
    2. Other tenants of the subject locations and who used the Insured’s administrative systems may be adversely impacted by the denial of access and would subsequently suffer financial loss and be potential 3rd Party Claimants.

  6. The Insured’s Financial data files (GL, AR and AP) associated with each hacked location may be inaccessible, and subsequently require the engagement of additional resources in order to re-establish financial records.
  7. Overseas IT Forensic support resources were engaged as soon as the Cyber Attack was reported to the Assessor, because the event occurred outside normal working hours in Australia. However, our experience in this instance was that it would have been less costly and more effective/efficient had a local Forensic IT company been engaged (even though that might have resulted in a delay of some hours in attending to the denial of access situation);
  8. Where the Insured uses proprietary software it adds an additional level of complexity to be addressed when the hacker releases access to the data. Specific Knowledge of the file structure of the proprietary software is necessary and requires close liaison with the Forensic IT company. This is another argument in favour of engaging a local Forensic IT firm.
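
Lesson 4 above says restored data cannot be trusted until it has been checked for material the ransomware left behind. As an added illustration (not code from the case study or any of the firms it mentions), the following Python triage pass flags restored files that still look like ciphertext, that carry an extension the ransomware appended, or that are dropped ransom notes; the extension list, note phrases and sample share are constructed placeholders, and the entropy rule is a heuristic that deliberately skips compressed document formats.

```python
import math
import os
from collections import Counter

# Constructed placeholder hints (not values from the case study): extensions that
# ransomware commonly appends, and phrases typical of a dropped ransom note.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_PHRASES = (b"your files", b"bitcoin", b"decrypt")
# Legitimately high-entropy formats (zip/docx/xlsx, PDF, JPEG, PNG) by magic bytes.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"%PDF", b"\xff\xd8\xff", b"\x89PNG")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, well below 6 for text or ledgers."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Return 'ransom-note', 'encrypted' or 'ok' for one restored file."""
    head = data[:4096].lower()
    if sum(p in head for p in RANSOM_NOTE_PHRASES) >= 2 and shannon_entropy(data) < 5.5:
        return "ransom-note"  # readable text that reads like a demand
    if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
        return "encrypted"  # renamed by the ransomware and never decrypted
    if data.startswith(COMPRESSED_MAGIC):
        return "ok"  # entropy says nothing about compressed containers
    if len(data) >= 256 and shannon_entropy(data) >= threshold:
        return "encrypted"  # no structure left in the bytes: still ciphertext
    return "ok"

def scan_tree(files: dict) -> dict:
    """Group {relative_path: bytes} by verdict for review before the data goes live."""
    findings = {"ransom-note": [], "encrypted": [], "ok": []}
    for path, data in sorted(files.items()):
        findings[classify(path, data)].append(path)
    return findings

if __name__ == "__main__":
    # Constructed sample of a restored site share: a clean ledger, a file the
    # ransomware renamed, a file that is still ciphertext, and a dropped note.
    sample = {
        "finance/gl_2018.csv": b"GL,2018-07-01,Rent,1200.00\n" * 200,
        "finance/ar_2018.csv.locked": b"\x00\x01" * 300,
        "diary/july.dat": bytes(range(256)) * 16,
        "README_TO_RECOVER.txt": b"All your files are encrypted. Send bitcoin to decrypt.",
    }
    for verdict, paths in scan_tree(sample).items():
        print(f"{verdict:12s} {paths}")
```

For a restored share on disk, build the dictionary with os.walk and read each file in binary mode; anything reported as encrypted or ransom-note goes back to the forensic IT firm rather than into production.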

 

The Broking perspective

Brokers have a duty of care to their client that includes identification of business risks and how those risks can be minimised and managed. Therefore, brokers should:

  1. Discuss the potential for Cyber-attacks – given that it is virtually impossible to render any organisation immune to Cyber Attack; steps can be taken to minimise the risk and manage the consequences of a Cyber Attack should it occur;
  2. Offer Cyber and Privacy Insurance as appropriate to the insured’s business activities and operations;
  3. Discuss with clients how Cyber Risks can be minimised by appropriate data security practices and procedures including but not limited to:

    1. Education of employees in handling suspect emails;
    2. Ensuring all devices are password protected and passwords are changed regularly;
    3. Implementing Firewalls on all IT systems;
    4. Installing anti-Malware on all IT devices;
    5. Engagement of suitably qualified IT support resources to ensure the integrity of IT systems;
    6. Insist that any IT support organisation has appropriate Professional Indemnity (and Public Liability) Insurance;
    7. Recommend that IT support companies also have their own Cyber Risk and Privacy Insurance;
    8. Do not rely on Cloud services to automatically back up and restore Company data, should those services be subject to a Cyber Attack;
    9. All data (including that stored in the Cloud) is regularly backed up to discrete storage media and stored off-site by the Insured.

 

Restoration of Data may need to involve other IT or Software providers. Engagement of these other resources must be approved by the Insurer.

Recovery from a Cyber-attack can be a lengthy and expensive process. Although the Insured fully recovered the data that was encrypted by the hacker and was almost back to normal operations some two months after the Cyber-attack, there are likely to be significant ongoing expenses in improving their enterprise-wide IT environment, security practices and staff IT security awareness.

The Claim was eventually settled in May 2019 – the total of the claim was over $600,000 – with a significant amount of 3rd party expenses NOT covered by the Policy.