Cyber: A threat without borders

Most cyber attacks are multinational and show little regard for borders. As a result, cyber risk transfer is ideally suited to a multinational programme, explains Mark Camillo, head of cyber.

The WannaCry ransomware attack was unprecedented in its scale when it spread around the world in 2017. It is estimated that around 200,000 computers were infected across 150 countries, causing widespread disruption to businesses across a wide range of industry sectors, including healthcare, governments and major companies. It spoke to the global nature of the threat and was a reminder that cyber risk transcends borders.

AIG’s cyber claims notifications in 2018 reveal the main threats to be business email compromise (BEC), ransomware, data breach by hackers and data breach caused by employee negligence. Professional services was the sector hardest hit by cyber claims, followed by financial services, business services, retail/wholesale and manufacturing.

Nearly a quarter of our clients’ incidents were related to BEC. BEC is a relatively simple scam which often targets individuals responsible for sending payments, with the financial motivation of diverting funds. In many cases they can be traced back to a phishing email containing a link or attachment. Far from just impacting firms with an unsophisticated approach to cyber security, we have seen larger organisations falling victim to the scams.

BEC can be costly for our insureds in terms of both the ensuing forensic investigation and the steps taken to control the damage. When a malicious actor gains access to the mailbox it is necessary to carry out a thorough forensic investigation in order to determine what information hackers may have gained access to and whether this has triggered any GDPR or similar breach notification requirements.

Ransomware attacks, responsible for 18% of claims notifications in 2018, are associated with increased losses due to a rise in ransom demands and the associated expenses in getting systems back online. As an example, one of AIG’s retail clients was targeted in a highly sophisticated attack in 2018, which encrypted all its files, including those stored in the cloud. The ransom costs amounted to £120,000 in Bitcoin, while IT forensic costs amounted to £500,000 and business interruption losses exceeded £550,000.

At AIG, we anticipate an increase in cyber business interruption claims on a global level as ransomware and extortion attacks evolve. The rapid spread of malware or attacks on critical service providers by state-sponsored actors could bring widespread disruption and potentially also physical damage to a wide range of industries. There are many steps organisations can take to mitigate the risk, including having multiple backups; however, cyber insurance is becoming an important backstop to protect an organisation’s balance sheet and help it recover quickly when these incidents occur.

Due to the multinational nature of most cyber claims, clients are increasingly requesting that coverage is included in their international programmes. Such an approach is important due to the differing levels of regulatory maturity around the world. Due to local variations, a controlled master programme offers the benefit of both local and global insurance protection, providing consistent coverage and seamless claims service across all covered territories.

Designing a multinational cyber insurance programme involves mapping out the countries and territories in which a company has potential cyber exposures, including customers, suppliers, servers, etc. From there risk managers, brokers and underwriters can design an over-arching programme based on the regulatory infrastructure (e.g. data protection laws) as well as laws on whether non-admitted insurance is permitted and where claims payments should be received.

The benefit of having a consistent post-incident response to a claim notification, wherever it is received, is another benefit of a multinational cyber insurance programme. Access to a 24/7 hotline providing immediate support and advice from forensic investigators, legal and technical advisors about what is going on and how the situation can be controlled helps prevent losses from spiralling out of control. Time is always of the essence when it comes to cyber and the first 48-72 hours is the critical period where disruption, reputational fallout and overall losses can be mitigated with the right advice and action taken.

While cyber is still a relatively new product, we now have a standard policy available in over 70 countries, a number that is growing all the time. As the product matures and buyers become more sophisticated we anticipate a shift towards the increasing adoption of cyber multinational programmes. By taking a centralised approach to cyber, buyers know that when a cyber event occurs affecting customers in ten different countries with ten different regulatory regimes, the response will be swift, consistent and compliant.

This article first appeared in Commercial Risk.