AIG seeing one cyber claim a week
Thu May 16 2019
Put yourself in this picture. You are a retailer with over 20 stores throughout the country. It is one month before Christmas and sales including online orders are at their seasonal high. It is finally time to make money for your business. When upgrading your IT storage, you suffer a sophisticated cyber-attack that encrypts all of your files, including those held in the cloud. The shops are still able to trade using manual tills but the attack has left them unable to replenish stock in stores and process online orders. This leads to major business interruption. The attacker demands a ransom for providing a ‘decryption code’.
AIG offers a market-leading solution to help businesses get back on their feet at this crucial time, which we discuss in more detail below.
Ever-Increasing Number of Cyber Attacks
Looking at the Europe, Middle East and Asia market, AIG saw as many claims notifications in 2017 as in the previous four years combined, receiving the equivalent of one claim per working day. In our Dublin office, AIG is dealing with approximately 4 cyber incidents per month. Since GDPR (25 May 2018) there has been a 50% increase in breach notifications and a 65% increase in data protection complaints.
Professional services, financial services and retail are at the top of the list when it comes to cyber claims, but incidents are spreading more broadly among a range of sectors, indicating that no industry is immune to cyberattack.
AIG Cyber Edge – a market leading solution
Response times – the policyholder receives a call from AIG within 1 hour of the incident being reported via the emergency hotline, which is available 24/7. We will arrange a triage call with our forensic IT and legal experts. With this critical and immediate assistance, the majority of cases are contained within the first 48 or 72 hours. The expert forensic IT and legal costs are on AIG’s account for the first response period (either 48 or 72 hours). Often when there has been a data breach, the legal assistance helps the Insured submit the relevant Data Protection Commissioner (DPC) notification within the DPC-required 72-hour deadline, thus saving the Insured a lot of difficulty and allowing the business to get back up and running.
Event Management – expert legal and IT assistance, and in cases of newsworthy events we cover public relations costs.
Cyber extortion – where the hack has meant that our insured is unable to trade and the insured makes the decision to pay the ransom, AIG can engage specialised suppliers with a bitcoin wallet to carry out the payment. Assistance will be given in retrieving the data and ultimately getting the business back up and running. Some policies include the additional benefit of covering the cost of the ransom but whether this course of action is taken is at the policyholder’s discretion.
Business interruption – This can make up a large proportion of a claim and is perhaps the most undervalued area of cover. In the scenario at the start of this piece, even if you chose to pay the ransom, it is quite likely that trading would be majorly impacted given the timing of the attack at the peak Christmas season and the time it would take to restock stores and follow up on online orders.
Cyber Claims Examples
Ransomware remains the top cause of loss for cyber claims (the key impact being business interruption), reflecting an increased incidence of such attacks worldwide.
The best way to understand these types of claims is to give you some real-life examples:
1. Third Party Claim – Data Breach
- Recruitment Agency (insured) was rolling out a new pay and bill system for insured’s workers.
- A manual was created and circulated to approximately 260 workers.
- Data subject was a contractor and his name, client name, home address, email address and hourly pay rate were left visible in the training documentation.
- Legal and IT forensic support was provided to the insured at AIG’s expense.
- A DPC notification was required within the 72-hour deadline (our legal experts assisted, paid for by AIG).
- Data subject claimed against insured and asked for identity theft protection insurance.
- Engaged and settled claim in early course.
2. Phishing of email account and data breach
- Insured was a chain of hotels.
- Insured was following up on outstanding invoices with commercial customers.
- Customers indicated that they had already paid invoices.
- With the assistance of AIG’s forensic experts, it was discovered that the attacker had been monitoring the inbox for some time and had amended the bank account details on outgoing invoices.
- See our recent bulletin here.
- Notification to DPC and data subjects required (our legal and IT experts drafted the notification and letters to affected customers).
3. Cryptolocker Ransomware
- PCs showed ransom payment alert messages demanding 1.5 Bitcoins (approx. €1,000 at the time, now €8,400).
- Encrypted files on desktops, networks and online backups
- Forensic IT established that there were no other backups
- Insured elected for the ransom to be paid to release files.
- AIG engaged specialised suppliers with a bitcoin wallet to carry out the payment.
- AIG forensic IT experts implemented decryption and provided guidance until decryption verified.
4. Outsource Service Provider – Data Breach
- Insured appointed another unrelated company (OSP) to operate a service used by people parking.
- The OSP identified a pattern of fraudulent transactions: credit was loaded to accounts (without actual payment).
- Forensic IT immediately flew to Ireland to review remediation measures, including increased monitoring, brute force analysis and future penetration testing.
- Able to identify the details of the bad actor.
- DPC notification and reported to Gardai – a possible criminal prosecution down the line.
5. Data Breach
- Company A and Company B had an agreement with a wholesale provider of goods (our Insured), where they could get goods on account and pay for them on a monthly basis. Jim, a contractor of Company A, went to the wholesale yard and said to put the goods on the account of Company A.
- The wholesale employee misheard Jim and thought he said to put the goods on Company B’s account.
- Company B went to pay the monthly bill and identified the goods that should not have been for Company B’s account.
- The wholesaler employee looked up the CCTV footage to investigate.
- Company B’s owner took a photo of the CCTV footage with his mobile – this clearly identified Jim and Jim’s vehicle including car registration.
- Company B then posted the photos on Facebook, saying “look who is helping themselves to goods on our account”.
- Jim was easily identifiable and received many calls from neighbours and friends about the posting.
- Jim claims he has been defamed.
- The Insured wholesaler had to make a DPC notification and faces defamation proceedings.
6. Ransomware – Business Interruption
- The policyholder is a retailer with over 100 stores.
- Whilst they were undertaking some changes to their IT storage they suffered a cyber attack which encrypted all their files, including those held in the cloud. The attackers demanded a ransom for providing a ‘decryption code’.
- The shops were still able to trade using manual tills but the attack left them unable to replenish stock in stores and process online orders which led to a major business interruption.
The policyholder held a full cyber package and used the following heads of cover:
Cyber extortion – After a prolonged period of being unable to fully trade, the decision was taken to pay the ransom. This particular policy gave provision for paying the ransom, but whether this course of action was taken or not was at the policyholder’s discretion. Insurers had to use specialist suppliers to source bitcoins.
Event management – Fees and costs associated with managing the attack, mostly legal costs and PR.
Network interruption – Forensic IT specialists were appointed by insurers within 24 hours and were on site non-stop for long periods, initially securing the system and trying to see if any data could be retrieved. After the ransom was paid, the decryption code was provided, but all files had to be manually decrypted using the code, which was a painstaking and costly process in terms of labour. The insured also had to pay additional fees to their various existing software providers for additional support and equipment.
Cyber liability – On this occasion there was no evidence that any customer data was held or extracted, so no action was required by the DPC, but the insured required legal and IT advice to determine this.
Business interruption – This makes up a large proportion of the claim and is perhaps the most undervalued area of cover. Even having paid a ransom, trading was still majorly impacted and the policy limit was breached as a result.
In conclusion, it is crucial for organisations to budget for cyber cover. Not only does a policy provide peace of mind, but the pre-work that is done in finalising the product for the customer can result in much improved data and online protection. Based on our claims experience over the past number of years in dealing with cyber, our recommendation is for you to ensure that your clients have adequate protection.