With new “attack vectors” and cyber criminals’ online anonymity almost guaranteed, hackers seem at times to be enjoying a free rein over businesses that hold our data. So, after a recent presentation to insurers, Ian Hasson, Head of Forensic Accounting at Crawford Global Technical Services®, and Dr. Mark Hawksworth, a specialist adjuster, spoke to Claims World about how the existence of a market for personal information is increasingly driving the work of claims professionals.
“What do onion rings (TOR) and silk roads have in common?” asks Mark. “Anonymity online is available to almost anyone who wants it via TOR, a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. TOR masks a user’s Internet Protocol (IP) address. Meanwhile, the Silk Road and its variant cousins provide a marketplace for the sale of illicit and often illegal goods including credit card data stolen by hackers.”
These sites and other “enablers” have created the perfect platform for criminal activity, adds Mark, who points to online currencies such as Bitcoin as the final piece of the puzzle. “This combination of factors has come together to provide a platform for online anonymity, creating a market to buy and sell goods like our credit card numbers without detection.”
The Raw Materials
With a burgeoning market for illicit data, Ian explains how the insurance industry is increasingly called in for support as data breaches grow more common. “Large scale data breaches are becoming an unfortunate fact of life for sectors such as retail. On Sept. 9, 2014, U.S. retailer Home Depot announced that it had fallen victim to hackers, who apparently used the same tactic as 2013’s infamous leak at discount retailer Target. This ‘attack vector’ represents the way in which hackers are gaining access to systems where millions of customers’ information resides.
“The emergence of cyber insurance to include internal risks and data misappropriation is beginning to catch up and some of today’s policies also include a response element underwritten by specialist insurers.
“If an incident occurs then the most advanced claims solutions will offer a coordinated network of cyber experts who will manage both business and legal implications from notification to conclusion.
“There are three typical risk areas that policies cover: loss mitigation costs (first and third party); cyber extortion costs (ransom); and non-damage business interruption (loss of gross profit, increased costs of working). These are, however, complex issues and sometimes an insured may not be aware they have even suffered a breach until some time afterward. Cyber policies are typically written on a ‘claims made’ basis so any delay between the event and a notification of loss could lead to questions about what may have triggered a loss or whether the ‘wrongful act’ which caused it actually fell within the terms of the policy.”
Ian emphasizes the need for insureds to be proactive. “Pre-inception inquiries are a good way for businesses to protect themselves both in terms of understanding their vulnerabilities and also mapping out lines of responsibility in the event of a breach. We have been involved in claims where the changing pace of technology has overtaken the traditional cover purchased by companies resulting in claims being declined.”
It’s clear that the market for cyber insurance has matured and businesses have an increasing choice of policies available to protect them. Ian and Mark’s key messages are that policy coverage, limits and indemnity periods should be well understood by the insured to ensure comprehensive protection. But perhaps most important is the ability to provide evidence that a loss has occurred, which in this world, without physical damage, can be a challenge. “The onus of proof for demonstrating that a claim for a wrongful act under the terms of the policy can be made is with the insured,” says Ian. Mark adds, “In cases involving a breach of the policyholder’s network, the appointment of a skilled forensic software engineer at an early stage is essential. If instructed in a timely fashion, they will be able to analyze the network giving an indication of how the breach occurred and how access can be prevented going forward. It is essential to understand that once the network has been breached other hacking tools can be left in situ for exploitation at a later date. This is key as no insurer or policyholder wants a secondary breach having resolved the primary incident. If these items of malware are not removed the network is still vulnerable to repeat attacks.”
By Ian Hasson, Head of Forensic Accounting Services, Europe, Middle East and Africa; and Dr. Mark Hawksworth, Specialist Adjuster at Crawford Global Technical Services®