With a well-known Australian health fund and telco making headlines throughout 2022 after cyber-attacks that exposed the personal information of thousands of customers, our cyber experts here at Crawford take a look at a different type of attack.
What about the impact on the broader community of a cyber event that involves no data breach? As an organisation, have you considered that scenario, and do you have cyber experts on speed-dial if the worst happened?
Accepting that the damage caused to society by data breaches is hugely significant, the greater threat may be an attack on a company's operations that then halts manufacturing or the delivery of vital services.
The vast majority of businesses, regardless of location or size, rely upon either one or a network of computers. The rise in automation of production and manufacturing processes, cloud computing, virtual working and paperless environments create this additional aspect to cyber risk for any business where operational capacity can be brought to a standstill. This can be crippling from both a revenue and reputational perspective without creating a data breach exposure.
Ransomware and distributed denial of service (DDoS) attacks across all business sectors have seen internet or web platforms seize up completely, making business as usual next to impossible. The global Crawford cyber team has also seen a rise in instances where hackers have inadvertently “knocked out” segments of the IT infrastructure that host web portals or industrial control systems, as they make their way across the network to access personal and commercially sensitive data.
Food and motor manufacturers could conceivably see automated production lines hacked, with potentially catastrophic consequences if, for example, a key ingredient or quality control check was tampered with or the process rendered products unfit for human consumption or sale.
These types of threats require detailed modelling and scenario planning, where the focus is on protecting against operational risk and attributable financial/reputational implications. For insurers, the immediate need at ‘first notification’ will be in supporting, validating and assisting the insured during a crisis to manage their situation, and making sure the customer deploys mitigating protocols that minimise disruption to the provision of services or the manufacture of products.
It is becoming increasingly well understood that cyber as a proximate cause of loss, and IT infrastructure as a head of loss, have wider implications than just data breach incidents. Insurers and risk managers understand this, so those providing the array of services that support a strong cyber incident response (like us here at Crawford) must provide access to services and expertise that go beyond the traditional lawyer-led model for data breach crisis management. What is needed is an effective vehicle to mitigate the exposures posed by a non-data-breach event.
Typically, when incidents occur, the company that’s fallen victim is in the driver’s seat around its response. So the question has to be asked, who in the process is protecting the insurer’s interest and ensuring costs are controlled?
The mitigation of risk, impact and exposure following an incident is of utmost importance to all parties, particularly as we enter a period of inflation. The insured’s primary focus will be on recovering the business, aligned to the specialist advice and services received. However, insurers, understandably, want to have a level of certainty around their exposure while supporting the insured’s needs, aligned to the cover held.
The Crawford difference: “claims led, lawyer supported”
In Australia, law firms have largely captured the cyber response market and heavily market the premise that a lawyer-led model offers a layer of necessary “protection” (legal professional privilege) that companies wouldn’t want to be without in the event of a cyber-attack.
Of course, legal professional privilege can only be offered by legal practitioners. But the lawyer-led model comes at a cost: when all is said and done, history shows that it is inevitably more expensive and is not necessarily focused on the core risk to the business or to insurers. Under a lawyer-led model, solicitors carry out tasks that are not directly legal in nature, yet bill them at an hourly rate tied to the expertise and value of a lawyer.
Being an incident response provider for cyber claims includes engagement with all key stakeholders, the strategic management of the loss and mitigation actions, support of decision making and communicating those decisions to insurers to aid Policy consideration, expectation management, reserving, quantification and negotiation of settlement – all of which should be undertaken in a timely and effective manner, but not all of which require the skills of a lawyer.
In late 2020, Crawford purchased insurance law firm HBA Legal and with this acquisition now has the same ability to offer legal professional privilege over cyber matters just like other Australian or global law firms. This is a unique difference when compared to our claims management provider competitors.
While HBA sits as part of the Crawford cyber risk product, its solicitors support Crawford to drive the necessary claims outcomes in the most cost-effective way. The law firm does not drive the cyber claim or the response, rather it weighs in with legal advice when legal expertise is necessary.
It is relevant to note that Crawford will happily work with any law firm of the client’s choosing.
Nominating an incident response provider for cyber claims
The market has always advocated the best practice approach of having a nominated loss adjuster written into property and casualty programs to not only protect insurers’ interests but to support the insured with managing the claim through to satisfactory resolution.
The same best practice approach could and should be adopted for cyber claims for the benefit of all parties, particularly as we are often operating in a crisis-led environment where speedy decision making is key.
Crawford is ideally placed to support this, drawing on our expertise in understanding the specific circumstances and helping steer the best path with agreed actions based upon the information available at the time. This has further application and benefit where the written root cause or technical reports that form typical proof-of-loss documentation are either not available or are withheld by external lawyers as privileged information.
The early appointment of a loss adjuster (in Crawford Australia’s case, a loss adjuster with lawyers behind it as mentioned earlier), not only supports the capture of key details, but also helps ensure that mitigation actions are focused on the key areas of risk or financial loss, avoiding any unnecessary or misspent costs.
Just like we would expect on a significant property or casualty nomination, the adjuster, broker and insurer should work together pre-loss to build relationships, capture information and document procedure. This again is of huge benefit in the event of a cyber-attack and helps ensure effective response, continuity of approach and customer value.
To conclude, some top tips for companies …
Companies ought to be treating cyber-attacks as though they are inevitable. As such, cyber insurance has become a must-have purchase for businesses. Then, if the worst happens, the next must-have purchase is expert-led incident response services and thanks to our experience in the field, we offer up these tips:
Don’t underestimate preparation
Historically, the mindset surrounding cyber-attacks has been an overwhelming sense of: "I hope this does not impact me or my business". Unfortunately, cyber-attacks are becoming a new norm that companies must prepare for and face. Accordingly, the thinking needs to pivot so that businesses are actively looking at what steps they can implement today to limit the extent of the impact.
Preparation is key; we frequently find that the most successful responses to cyber attacks come from businesses that have pre-existing systems and strategies in place to mitigate the impact of the cyber-attack.
The overwhelming feedback when it comes to cyber-attacks is that there are early indicators of compromise: Outlook accounts misbehaving, unexplained system or application outages, server issues, firewall notifications, permission changes, and files suddenly becoming inaccessible. When these indicators appear, companies are often unable to tell whether they are dealing with a cyber-attack or simply an error within the IT environment.
It is always advisable to err on the side of caution when these kinds of early warning signs present, and to decide on next steps as though you are dealing with the worst-case scenario.
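The indicators listed above rarely arrive one at a time; the worst-case assumption the article recommends is easiest to justify when several of them cluster in a short window. The script below is an added example (not Crawford's tooling or anything from the original page) that scores a constructed log sample against those indicator categories and recommends escalation when two or more categories co-occur within 30 minutes, or when a burst of file-rename/lock events on one host looks like ransomware. The log format, host names, keyword patterns and thresholds are all assumptions chosen for illustration.

```python
"""Triage early-warning indicators in a constructed log sample.

Added example for illustration only. Log lines, host names, patterns and
thresholds are all assumed; adapt them to your own logging format.
"""
import re
from datetime import datetime, timedelta

# Indicator categories from the article, each mapped to (assumed) log
# phrases such events commonly leave behind.
INDICATOR_PATTERNS = {
    "account_anomaly": re.compile(
        r"mailbox rule created|login from new location|password spray", re.I),
    "service_down": re.compile(
        r"service \S+ (stopped|failed)|unreachable", re.I),
    "firewall_alert": re.compile(r"FW: (blocked|alert)", re.I),
    "permission_change": re.compile(
        r"added to group|ACL modified|privilege escalat", re.I),
    "file_inaccessible": re.compile(
        r"rename .*\.(locked|enc|crypt)\b|access denied: .*\.docx", re.I),
}

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <host> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_line(line):
    """Return (timestamp, host, message) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def classify(message):
    """Return the first indicator category whose pattern matches, else None."""
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.search(message):
            return name
    return None


def triage(lines, window=timedelta(minutes=30), burst_threshold=20):
    """Slide a time window over classified events; report the densest window.

    Escalate when >= 2 distinct categories fall inside one window, or when a
    single window holds >= burst_threshold file-lock/rename events.
    """
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore malformed lines rather than failing the triage
        ts, host, msg = parsed
        category = classify(msg)
        if category:
            events.append((ts, host, category))
    events.sort()

    best = {"escalate": False, "categories": [], "file_events": 0, "window_start": None}
    best_key = (0, 0)
    for i, (start, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        categories = sorted({c for _, _, c in in_window})
        file_events = sum(1 for _, _, c in in_window if c == "file_inaccessible")
        key = (len(categories), file_events)
        if key > best_key:
            best_key = key
            best = {
                "escalate": len(categories) >= 2 or file_events >= burst_threshold,
                "categories": categories,
                "file_events": file_events,
                "window_start": start,
            }
    return best


def build_sample_log():
    """Constructed log lines (not real data): a quiet morning that is not."""
    base = datetime(2023, 3, 14, 8, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [
        f"{base:{fmt}} mail01 mailbox rule created for jsmith: forward all to external",
        f"{base + timedelta(minutes=5):{fmt}} dc01 user svc_backup added to group Domain Admins",
        f"{base + timedelta(minutes=7):{fmt}} fw01 FW: blocked outbound 10.0.5.12 -> 203.0.113.7:4444",
        f"{base + timedelta(minutes=9):{fmt}} fs01 routine backup completed",
        f"{base + timedelta(hours=3):{fmt}} app02 service httpd stopped unexpectedly",
    ]
    # 25 renames in 25 seconds on one file server: the ransomware signature.
    for i in range(25):
        t = base + timedelta(minutes=12, seconds=i)
        lines.append(f"{t:{fmt}} fs01 rename finance/report{i}.docx -> finance/report{i}.docx.locked")
    return lines


if __name__ == "__main__":
    result = triage(build_sample_log())
    print("escalate:", result["escalate"])
    print("categories in densest window:", result["categories"])
    print("file-lock events:", result["file_events"])
```

In the constructed sample the mailbox rule, group change, firewall block and rename burst all land inside one 30-minute window, so the script recommends escalation; the lone service outage three hours later does not on its own. The point is the conservative default: any two categories together, or one burst, is treated as an incident until proven otherwise, which is cheaper than the alternative the article describes.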
Responding: time is of the essence
No matter how secure an IT environment might be, there is always the potential for compromise.
When an incident occurs, you don’t want to lose any time containing the situation. A risk and mitigation team should swing into action immediately. When you work with Crawford you are assured that our global team has the skills and resources to head-up your response, drawing upon an extensive list of providers established over many years of experience. We come up with tailored solutions, quickly, to support any type of cyber incident.
Find out more about Crawford Australia’s cyber solutions here.