SME Cyber Claims are on the increase Understand your business exposure


Page 1: SME Cyber Claims are on the increase - Chubb › uk › en › business › by-category › ... · cyber attacks to extort money Our insured, a construction company, were the victims



One of the best ways to understand the exposure your business faces from cyber risk is to look at the claims similar companies have made.

In this document we use examples of real claims, from a range of UK-based SME businesses, to show the damage that can ensue, what to look for from your insurer, and how any business can look at ways to better manage its vulnerability.

We focus on the most common types of claims we have seen to date: ransomware, rogue employees, employee error, unauthorised access and loss of data.

Working through each in turn we’ve highlighted the impact to a small business, as well as potential methods of prevention.

We’ve also provided a snapshot of the trends we’re seeing from new and emerging claims in this sector.

To protect itself effectively, a business needs to understand the scope of its own vulnerabilities and that every single company is different. What stays the same are the ways in which a loss can occur.

"The number of cyber notifications made by UKI policy holders during 2018 was over 200% up on the previous year.”


Ransomware – cyber attacks to extort money

Impact

Our insured, a construction company, were the victims of a targeted ransomware attack. The insured’s systems were breached following an employee clicking a malicious link on an email. The insured’s systems and servers were encrypted and a demand for £800k of bitcoin followed. The insured utilised Chubb’s incident response managers to instruct IT forensics to establish the method and scope of the attack.

The insured decided not to pay the ransom demand but instead reconstructed data from old backups and physical paper copies. The ransomware affected all of their systems from design to production as well as internal systems such as payroll and HR. In total the business operations were disrupted for more than six months.

Mitigation

• Ensure adequate levels of security and training are maintained – across an entire network

• Human error, most often an employee clicking a malicious link that introduces malware, is the most common route to unauthorised system access – train staff accordingly

• Make regular backups, on servers segregated from the original servers, to aid data & system recovery and expedite a return to normal business

• Where there is a ransomware breach, Chubb has IT vendors ready and able to assist in ascertaining the scope of the attack and expert extortion negotiators including vendors with Bitcoin wallets should a payment be required

• Adequately calculate the cost and impact of business interruption prior to an incident.

What cover to look for, and why

Data and System Recovery: Because of the disturbance and deletion of data on the insured’s server, significant time and recovery costs were spent on internal and external resources to reconstruct data to the level that existed before the attack. Chubb has seen examples where data and system recovery has cost in excess of £3m.

Business Interruption: Reduction in net profit due to the insured’s inability to trade as a result of having no systems, including costs for the design and build of systems. Every business is different, but it is not uncommon for business interruption loss to be in excess of £1m.

Incident Response Expenses: Incident response manager’s fees as well as fees for IT forensics to establish the scope and breadth of the attack. Typically incident response expenses total circa £25,000.

Cyber Extortion: Cover for ransoms paid, where we are legally able to do so, and the cost of extortion consultants and negotiators.

Disgruntled employees – especially those with access

Impact

Our insured was the victim of rogue employee action when an employee with authorised system access stole in excess of 700 clients’ personal data records, including names, addresses and contact details. The records were supplied to the employee’s new employer for that employer’s benefit. As this incident occurred post GDPR, notice had to be provided to the Information Commissioner's Office and the affected data subjects.

Chubb’s incident response manager instructed legal vendors to assist the insured with the notice and subsequently assist and defend claims for damages from the affected data subjects. IT forensic vendors were instructed to provide certainty around the amount of data stolen. PR vendors were instructed to manage and assist in the maintenance of the insured’s reputation.

Mitigation

It’s incredibly difficult to prevent rogue employees seeking to cause harm. More often than not they already have the system access needed to steal personal or corporate sensitive data.

Based on current case law, it is likely a company would be liable to their clients if a rogue employee was to steal or share their data beyond the authorised use of such data, even where the company acted reasonably both before and after the event.

Accurately evaluate, in advance of an incident, costs such as:

• Theft of even a minimal number of data records can lead to significant exposure through claims for damages, claimant’s costs and defence costs.

• Regulator notification is now mandatory, leading to potential regulator action and fines.

• Costs will arise from the various vendors involved in responding to the incident and making mandatory notifications.

What cover to look for, and why

Privacy Liability: Unauthorised access to or use of personal records can lead to third party claims alleging breach of privacy. These often result in payment of damages, defence costs and potentially regulator action. Chubb typically sees privacy claims costs of circa £5,000 per claimant for damages, claimant costs and defence costs.

Incident Response Expenses: The incident response manager’s fees and the fees of the various vendors assisting with the cyber incident, which in this claim included:

• PR costs to minimise the damage to the client’s reputation
• Legal costs for notification to the ICO and data subjects
• IT forensics to investigate data access


Employee error – accidents do happen

Impact

Our insured, a regional UK housing association, inadvertently suffered a data breach as a result of an employee error. When posting a new advert for a vacant property, the employee mistakenly included an image of a separate client’s medical records within the online property brochure. The data subject in question was a minor. The insured subsequently received a complaint from the data subject’s parent seeking damages for the error. The insured notified Chubb and following an initial fact-finding exercise, we appointed expert lawyers in data protection to assist the insured with the exaggerated and spurious demands being levelled at them by the claimants.

Mitigation

• Legal or peer review system to check for accuracy prior to any work product going “live” can help minimise instances of employee error.

• View exposure more holistically than merely damages payments, as the associated defence costs and incident response expenses can add significant cost to any data breach.

• Instructing specialist privacy lawyers helps to ensure that claims are defended and if necessary settled correctly.

• Using specialist law firms avoids the risk of an insured prejudicing its position by attempting to negotiate directly with a data subject or claimant.

• Human error remains one of the leading causes of cyber incidents. It is important to ensure an insurance policy covers these actions.

What cover to look for, and why

Privacy Liability: Insured’s defence costs, third party damages payments and third party solicitor fees and associated legal costs, including, in this case, an Infant Approval Hearing (IAH).

Incident Response Expenses: Initial incident response manager’s fees.

Unauthorised access – phishing in action

Impact

Our insured, a logistics firm, was the victim of a malware phishing attack. An employee in the insured’s HR team had a pop-up on their computer after clicking a malicious link within an email. The pop-up stated the computer was infected and to call the number on the pop-up. Fraudsters then gained remote access to the employee’s computer by further deceiving the employee during the call. Given the nature of the employee’s role in the HR department, significant personal details of past and present employees were potentially accessed. Chubb agreed to support the insured’s choice of legal advisors for ICO notification, and IT forensic vendors to ascertain what was likely to have been accessed by the perpetrators. In addition to legal and IT forensic vendors, Chubb acted quickly to instruct credit & identity theft monitoring and PR specialists.

Mitigation

Even with the best security technology and systems, an insured’s most vulnerable asset is often its staff. Staff can be duped into surrendering passwords or granting access; there was no malice on the part of the employee in the example above. If third party data is accessed and regulator action or third party claims follow, the insured benefits from a policy that covers first party expenses to minimise the impact of the incident, as well as the defence costs and damages arising from third party claims.

• Chubb has expert vendors ready to assist in the assessment of what was accessed and provide advice on what needs to happen to remedy the incident.

• Chubb has specialist vendors able to assist pre-incident. These vendors provide phishing training and testing which raises employee awareness, thereby mitigating the likelihood of incidents occurring.

Find out more here: www.chubb.com/cyber-services

What cover to look for, and why

Privacy Liability: Potential privacy liability claims for damages, claimant costs and defence costs, as personal and corporate details contained within the mailbox were mismanaged.

Network Security Liability: Potential claims for failure to protect against and deter malware, hacking or unauthorised use or access. There is potential for damages payments, claimant costs and defence costs. Defence costs alone often exceed £10,000 for these types of claim.

Incident Response Expenses: Chosen vendors to respond to the cyber incident, including:

• IT forensics to review what data was accessed
• Legal costs to assist in drafting the ICO notification
• Credit & identity theft monitoring
• PR costs to minimise reputation damage

Given the current social climate surrounding data breach incidents, insureds may be subject to exaggerated or spurious demands from claimants that far exceed the legal precedent set to date.


Loss of physical data records – it’s not just online data that counts

Impact

Our insured, a solicitors firm, contacted the incident response hotline when it came to light an employee of the firm had broken company protocol by taking client records from the office and storing them in their car. The car was subsequently stolen and the client records lost. The appointed incident response manager quickly worked with the insured and the employee whose vehicle had been stolen to find out what personal data was in the records. Upon completion of this exercise it was decided that notification to the ICO was required as was notification to the affected data subjects. At this point specialist panel solicitors were appointed to assist the insured with regulatory compliance, including drafting a suitable notification to the ICO and data subjects. Credit monitoring was offered to data subjects whose financial information may have been compromised.

Mitigation

• Internal training and an active compliance department can help build a corporate culture of better data protection, as well as reduce instances of employees breaching company protocol.

• Data protection should not be viewed only in an electronic sense. We often see loss of physical data records, through negligence or accident, trigger consequences equal to those of electronic data loss.

• Each company should approach data protection in a holistic manner. Data risk includes both electronic and physical data.

• Pro-active incident response in the immediate aftermath of a potential breach can help reduce the chances of any formal privacy claim later being brought against the insured, thus protecting against exposure to defence costs, damages and claimant costs.

• Chubb can assist by instructing a specialist privacy law firm to help mitigate the risk of erroneous or inaccurate reporting, either of which can increase the exposure a company faces after a breach.

What cover to look for, and why

Privacy Liability: It’s important to have a policy which responds to cover defence costs incurred if a privacy claim is brought against the insured. Ensure the policy covers third party solicitor fees as well as damages. Even when no damages are awarded, or claims are made with little or no merit, defence costs can top £10,000.

Incident Response Expenses: The cost of initial incident response manager’s fees, together with:

• Legal advice to the insured to assist with compliance with any relevant privacy regulations
• Expenses for notifying impacted data subjects (incurred with Chubb's prior consent)
• Credit monitoring costs when taken up by any impacted data subjects

Emerging claims trends

As well as the established and relatively frequent loss scenarios mentioned previously, we're now seeing emerging trends in recent cyber claims.

Vicarious liability

A company was recently found vicariously liable for a rogue employee’s malicious act of releasing around 100,000 personal data records. Despite the company being found to have had reasonable controls in place and to have responded reasonably to the incident, it was held liable for damages to the employees whose data was released. The case shows a dangerous shift towards strict liability for data breaches.

Litigation funding and claims farming

Data breaches are an attractive proposition for litigation funders and claims management companies. Funders provide finance for those who may ordinarily not be able to afford expensive litigation, while claims companies seek to pool groups of individuals affected by a breach for the purpose of group litigation. No win no fee claimant lawyers are likewise alive to data breaches as a lucrative source of income. Both are anticipated to drive up the number of third party privacy claims in the future.

Strategic response plans and the risk to directors and officers

It’s important for companies to have a strategic response plan for a variety of cyber incidents. This includes a policy which provides cover for the losses and expenses often incurred from incidents such as privacy claims or first party business interruption loss. The plan should also include how to access post-event response services. Chubb have seen a number of claims lodged against directors & officers for failure to properly protect their businesses against a cyber incident. It is important directors and officers demonstrate risk transfer of the cost of a cyber incident and protect themselves against claims of negligence or wrongdoing.


“Our policy has been specifically developed to meet our insured’s needs. The most comprehensive of our cyber policies has a combination of first and third party coverages whilst providing the flexibility to meet the demands and needs of our policyholders.”

Cyber ERM policies offer a wide range of cyber risk assessment, post-event crisis management and risk transfer solutions to address the growing cyber and data privacy risks facing companies today.

Before an incident our insureds benefit from:

Access to our specialist risk engineering team pre-bind to help companies accurately assess their risk exposure.

Free and reduced cost access to specialist loss service providers including phishing awareness assessors, online risk assessment and a password management solution.

To find out more about our mitigation services visit www.chubb.com/cyber-services

During an incident our claims service provides:

Three ways to notify a loss in addition to traditional methods. Incidents can be reported via our Cyber Alert App, online or in one call. All options are available 24/7 365 days of the year.

The assignment of a dedicated incident response manager in the country of the event. We offer strategically chosen vendors with multinational capability from first notification to resolution. They work together to ensure that the incident is responded to and remedied as quickly as possible. We also work with a client’s chosen vendors if preferred.

Chubb’s cyber claims team liaise throughout the life cycle of the claim ensuring policy response is clearly and concisely communicated with key stakeholders to provide certainty around the expenses and damages covered under the policy.

Due to Chubb’s global network, we have the additional support of European and international colleagues to assist with multi-jurisdictional claims.

Once an incident is reported we offer:

Legal assistance, forensics and public relations expertise from a carefully selected panel of vendors, or we can work with insureds' chosen vendors if required.

Contact your local team or underwriter to find out more or visit chubb.com to find out about our policies, risk engineering specialists and loss provider services.


All content in this material is for general information purposes only. It does not constitute personal advice or a recommendation to any individual or business of any product or service. Please refer to the policy documentation issued for full terms and conditions of coverage.

Chubb European Group SE (CEG) is an undertaking governed by the provisions of the French insurance code with registration number 450 327 374 RCS Nanterre. Registered office: La Tour Carpe Diem, 31 Place des Corolles, Esplanade Nord, 92400 Courbevoie, France. CEG has fully paid share capital of €896,176,662.

UK business address: 100 Leadenhall Street, London EC3A 3BP. Supervised by the French Prudential Supervision and Resolution Authority (4, Place de Budapest, CS 92459, 75436 PARIS CEDEX 09) and authorised and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request. You can find details about the firm by searching ‘Chubb European Group SE’ online at https://register.fca.org.uk/

Contact us:

The Chubb Building
100 Leadenhall Street
London EC3A 3BP
United Kingdom

T +44 (0)20 7173 7000
chubb.com

UK7439-MD 02/19