September 2022


Cyber attacks on the increase


by Resolve Editor Kate Tilley


Cyber attacks are neither rare nor random.

For threat actors and hackers, it’s a lucrative business.

That was the conclusion from a panel of experts at the AILA National Conference.

Moderator Andrew Thomas, Executive Adjuster at Charles Taylor, was joined by Kieran Doyle, partner at Wotton + Kearney; Quinton Kotze, Cyber & Technology Product Manager at Chubb; Chris Ehlers, partner at Matson, Driscoll & Damico; and Richard Hilliard, Chief Technology Officer at the National Disability Insurance Scheme (NDIS).

Mr Hilliard said the likelihood of a cyber attack occurring was “not if but when”, and that the risk was exacerbated by the Covid-19 pandemic, which prompted the trend for people to work from home (WFH).


Vulnerability tested

Having managed cyber incidents at NDIS, Mr Hilliard said people were the biggest risk through being conned by business email compromise scams, being phished, and inadvertently revealing login credentials. A security exercise NDIS conducted to test the organisation’s vulnerability was “like shooting fish in a barrel”.

“You must be ever vigilant. Every organisation must follow the Essential Eight,” he said. The Essential Eight is a multi-pronged mitigation strategy developed by the Australian Cyber Security Centre.

Mr Hilliard said NDIS “learnt on the fly” after bringing in forensic investigators following the discovery of an attack that had been lurking in the network background for some time. Access was relatively easy because multi-factor authentication was not activated. Managing the incident was time-consuming and the forensic response critical. “We did nothing else for a few weeks; it’s a big distraction. After an incident, the level of trust with the client base is damaged.”

Mr Hilliard said managing cyber risk required “a lot of investment”. “Premiums and excesses are going up; the renewal process is more complex. It’s not just ransomware and privacy, we need to look at autonomous vehicles (AVs) and the internet of things (IoT).” He warned AVs could potentially be vulnerable to terrorism attacks.

Chubb’s Mr Kotze said cyber insurance had evolved over time. It began with a simple level of protection against the impact of the disclosure of personal information but was now more corporate. The infrastructure sitting behind the policy to triage when incidents occurred was vital. “The knock-on effect of business interruption is the biggest risk. Some industries are more highly exposed. As we move into the IoT, you need to gauge exposures carefully.”

Mr Kotze said the risk was more complex than just paying ransoms, if an insured elected to do so. For example, it was a challenge for an insurer to quantify the loss for a business that loses multiple followers on Instagram.


Reputation risk management

Mr Doyle advised policyholders to be prepared. “Don’t read the policy for the first time when you have an attack. We help insureds understand the risk and what occurs when they have a breach; [many] don’t understand how ransomware works. We run through scenarios so they know what will happen.”

He said policies provided immediate access to a range of experts. First response was critical, as was loss mitigation and reputation risk management.

Mr Doyle said the Office of the Australian Information Commissioner was moving towards an enforcement approach. “There are no penalties yet, but that’s around the corner.” He called for greater regulation, saying introducing regulations for critical infrastructure in 2022 was too late.

“Third party claims haven’t hit yet, and that worries me. Cyber insurance policies are quite generous with a lot of bells and whistles. We need to separate out some coverages and have two or three different types of policies.”

Mr Doyle said if an insured chose to pay a ransom, “there’s a 95% certainty you will get what you’ve paid for, but it may not work perfectly. No one likes to pay the bad guys, but it depends on the circumstances. Sometimes there’s no choice – if it’s the life or death of the business, you need to pay”.

While there was “noise about banning payments, I’m not sure anyone would actually do it. You don’t even know who the threat actor is”.


Professional negotiators

Cyber attacks were a business proposition for threat actors; some even sought post-event testimonials. Wotton + Kearney used professional negotiators, communicating via chat services, to seek the best outcome if a ransom had to be paid.

Mr Hilliard agreed there was a move to enforcement for APRA-regulated entities, which were being pushed to improve their security postures, but, for some other organisations, the environment was “like the wild west”. “People are the highest risk, especially those WFH.”

Mr Kotze agreed WFH had increased claims, suggesting industry standards for security measures were needed. He acknowledged the cyber insurance market had seen significant premium increases, but said insurers started from a low base.

“Rates need to increase but there’ll be a levelling off in 2023. As the product matures, we need to find a level of sustainability and profitability. You can buy hacking software cheaply. Anyone with intent can do it.”

Mr Kotze said the big issue for insurers was systemic, aggregated risk and supply chain impacts.


Catastrophic impact

Mr Ehlers warned that hackers “look for the ultimate time to strike that will affect your business the most. They want a catastrophic impact. They get in early and learn the business”.

He warned insureds to review indemnity periods. “A shorter time lessens your opportunities to recover costs. Cyber attacks have the ability to shut down operations globally. It’s a huge risk. [Hackers] hit at times of critical impact. It’s not random, it’s very sophisticated.”

He contrasted cyber risk assessments with property losses. “The impacts are more easily identified with a fire. With cyber, it’s harder to assess the loss. Wordings are all different and the industry is learning. The biggest challenge is reputational risk – but is that insurable risk?” It was difficult to quantify the financial loss if customers disconnected from an organisation.

Mr Ehlers said claims frequency would continue to increase and the premium pool would expand. “The industry will get more specific with wordings and there will be greater standardisation across policies.”

Mr Doyle said a cyber policy was “just one piece of the puzzle”. “It’s not just risk transfer; you need to do a lot to prepare for an attack. Sometimes you have no choice but to pay a ransom. But sometimes the decryption key doesn’t work properly and you can still lose all your customers.”

He warned that, after targeting big corporates, like Toll in 2020, hackers were “now moving into SMEs. They still have the risk but don’t have CIOs and the same levels of protection”.

Mr Doyle identified “a worrying trend with software and IT providers being hit [because] their security profiles are not high enough”.

While there had been few third-party recoveries so far, Mr Doyle said “insureds are now pointing the finger at IT providers”.

 
Resolve is the official publication of the Australian Insurance Law Association and
the New Zealand Insurance Law Association.