A guest submission from Mark Hawksworth, a GTS® adjuster in the UK
Crawford Global Technical Services (GTS®) is Crawford’s definitive global offering to major incident claims handling, including catastrophic and complex claims, high value property and casualty claims as well as specific claims within a range of industries. Just some of its work can involve claims from fires, floods, hurricanes, earthquakes, tornadoes, lightning, explosions, chemical spills, airplane crashes, cargo damage…and the Internet. To better understand how some claims occur and are handled, following is a case study based on GTS’ work for an insurance company which received a cyber claim.
The insured company, a Web retailer, initially became suspicious when its Web page / sales portal could no longer be accessed. After multiple attempts to reach the page without success, the insured contacted its Web design agency responsible for maintenance of the computer – or server – that carried the site. They in turn contacted the Web site hosting company. The insured was advised that its hosted Web server was found to be part of a network of compromised machines involved in a distributed denial of service attack (DDoS) against another server.
A DDoS attack uses many distributed compromised computers controlled by a third-party (hacker) to attack a single target by sending a large volume of spurious requests to the target server, preventing legitimate data from getting through. The attacked server hosting the Web site is overloaded and visitors to the site cannot get to or use the site.
Once the attack was discovered, the hosting company suspended Internet services by terminating connections to the compromised machine. The hosting company advised the insured that it would only reinstate the Web server if certain verified security measures were implemented. The requested list of software modifications were sufficiently onerous to prevent the use of a manual software patch repair, resulting in the need to use software engineers to manually re-code the entire Web page using current HTML (HyperText Markup Language) to create a new version. The policyholder filed an insurance claim for the business interruption, due to the loss of the Web page and the costs of re-coding a new Web page, under a standard engineering all risk insurance policy (not a cyber insurance policy). A cyber policy would have provided financial support to combat the non-tangible (DDoS) issues and the associated business interruption claim. A standard engineering all risk policy only covers losses resultant from physical damage, which did not occur in this case.
Acting on behalf of the insurer, Crawford Global Technical Services® (GTS®) reviewed the claim and the policy wording, noting that a valid claim under the policy in question required physical "Damage" or "Loss of Information". The GTS review revealed that the Web page was deliberately compromised due to known vulnerabilities in old HTML code, which resulted in the connections to the server being terminated, stopping customers accessing the affected Web portal.
Based on GTS’s analysis it was only possible to consider the claim under the additional expenditure section of the policy as there was no physical damage as defined.
GTS argued that the proposed additional expenditure in re-writing the Web page was not to mitigate interruption, but to allow the server to be re-connected. Even if the Web page could have been hosted elsewhere in its old form it would still have remained vulnerable to hijacking as had previously occurred. The mutually agreed solution was replacement of the old code with new.
It was determined that the insurance policy should not pay for the Web page to be updated as originally proposed. Based on the situation and policy analysis, the claim to cover the cost of updating the HTML code was declined.
Mark Hawksworth BSc (Hons) PhD (MSc) ACII ACILA CEng MBCS MIET MCGI BDMA (Ins Tech). Mark is a specialist technology adjuster based in the UK with the Corporate & Major Incident Team. He may be contacted at firstname.lastname@example.org.