Put yourself in this picture. You are a retailer with over 20 stores throughout the country. It is one month before Christmas and sales including online orders are at their seasonal high. It is finally time to make money for your business. When upgrading your IT storage, you suffer a sophisticated cyber-attack that encrypts all of your files, including those held in the cloud. The shops are still able to trade using manual tills but the attack has left them unable to replenish stock in stores and process online orders. This leads to major business interruption. The attacker demands a ransom for providing a ‘decryption code’.
AIG offers a market-leading solution to help businesses get back on their feet at this crucial time, which we discuss in more detail below.
Looking at the Europe, Middle East and Asia market, AIG saw as many claims notifications in 2017 as in the previous four years combined, receiving the equivalent of one claim per working day. In our Dublin office, AIG is dealing with approximately 4 cyber incidents per month. Since GDPR (25 May 2018) there has been a 50% increase in breach notifications and a 65% increase in data protection complaints.
Professional services, financial services and retail are at the top of the list when it comes to cyber claims, but incidents are spreading more broadly among a range of sectors, indicating that no industry is immune to cyber attack.
Response times – the policyholder receives a call from AIG within 1 hour of the incident being reported via the emergency hotline, which is available 24/7. We will arrange a triage call with our Forensic IT and legal experts. With this critical and immediate assistance, the majority of cases are contained within the first 48 or 72 hours. The expert forensic IT and legal costs are on AIG’s account for the first response period (either 48 or 72 hours). Often when there has been a data breach, the legal assistance helps the Insured submit its notification to the relevant Data Protection Commissioner (DPC) within the DPC’s required 72-hour deadline, thus saving the Insured a lot of difficulty and allowing the business to get back up and running.
Event Management – expert legal and IT assistance, and in cases of newsworthy events we cover public relations costs.
Cyber extortion – where the hack has meant that our insured is unable to trade and the insured makes the decision to pay the ransom, AIG can engage specialised suppliers with a bitcoin wallet to carry out the payment. Assistance will be given in retrieving the data and ultimately getting the business back up and running. Some policies include the additional benefit of covering the cost of the ransom but whether this course of action is taken is at the policyholder’s discretion.
Business interruption – This can make up a large proportion of a claim and is perhaps the most undervalued area of cover. In the scenario at the start of this piece, even if you chose to pay the ransom, it is quite likely that trading would be majorly impacted given the timing of the attack at the peak Christmas season and the time it would take to restock stores and follow up on online orders.
Ransomware remains the top cause of loss for cyber claims (the key impact being business interruption), reflecting an increased incidence of such attacks worldwide.
The best way to understand these types of claims is to give you some real-life examples:
The policyholder held a full cyber package and used the following heads of cover:
Cyber extortion – After a prolonged period of being unable to fully trade the decision was taken to pay the ransom. This particular policy gave provision for paying the ransom but whether this course of action was taken or not was at the policyholder’s discretion. Insurers had to use specialist suppliers to source bitcoins.
Event management – Fees and costs associated with managing the attack, mostly legal costs and PR.
Network interruption – Forensic IT specialists were appointed by insurers within 24 hours and were on site non-stop for long periods. They initially secured the system and tried to see if any data could be retrieved. After the ransom was paid the decryption code was provided, but all files had to be manually decrypted using the code, which was a painstaking and costly process in terms of labour. The insured also had to pay additional fees to their various existing software providers for additional support and equipment.
Cyber liability – On this occasion there was no evidence that any customer data was held or extracted so no action was required by the DPC but the insured required legal & IT advice to determine this.
Business interruption – This makes up a large proportion of the claim and is perhaps the most undervalued area of cover. Even having paid a ransom, trading was still majorly impacted and the policy limit was breached as a result.
In conclusion, it is crucial for organisations to budget for cyber cover. Not only does a policy provide peace of mind, but the pre-work that is done in finalising the product for the customer can result in much improved data and online protection. Based on our claims experience over the past number of years in dealing with cyber, our recommendation is for you to ensure that your clients have adequate protection.
For more information, please reach out to:
Financial Lines Major Loss Claims Adjuster
Cyber and PI Underwriting Team Leader