Case Studies

Insurer on cyber

by Mark Rowe

The specialist insurer Hiscox dealt with over 1000 cyber-related insurance claims from businesses over the past 12 months, the insurance company says in a report. Its message: no business is immune from what it terms the growing cyber threat.

Gareth Wharton, Cyber CEO at the firm, said that the single biggest cause of a claim was ransomware, where a business’ computer system is effectively put out of action by a hacker until a ransom is paid. He said: “Analysis from across the market suggests that this tactic is on the decline as people and businesses become more aware of the threat after the WannaCry and Petya attacks of 2017, although we are still seeing ransomware-related insurance claims in 2018. Another central cause of cyber-related claims seen over the last year was through payment diversion fraud, where a criminal manages to fraudulently persuade an organisation to pay them rather than a supplier.

“We believe this may be because incidents of this type require relatively low levels of technical sophistication, where attackers often just use their phones for simple social engineering attacks, or create spoofed email addresses to lure in potential victims.

The rise of cryptojacking

“What these tactics suggest is that while cyber criminals might still be very interested in stealing and using confidential and personal data for financial gain, there are now more direct ways to profit from cyber crime. Cryptojacking – where criminals use the processing power of a business’ computer systems to surreptitiously mine for cryptocurrency – is the latest of these trends.”

He described staff as the ‘softer underbelly’ compared with IT perimeter security. According to the report, over two thirds (67pc) of all claims involve an element of employee error. Examples include employees clicking on malicious (phishing) emails, visiting harmful websites or simply being negligent in losing devices. That said, more than a fifth of the claims (22pc) in the UK involved the loss or misuse of PII (personally identifiable information).

“Employee error has emerged as a key risk and we see examples of attacks related to phishing within the report. The threat goes beyond this to include drive-by website infections and the danger of staff sending confidential data insecurely or losing unsecured mobile devices. Businesses must ensure their staff are equipped to deal with the risk and employee training is key.”

Hence cyber insurance: namely claims handlers to support victims through the incident, forensics specialists to remediate the threat, and legal and PR teams to help prevent reputational damage.

Case studies

The report suggested ‘a cyber defence strategy that encompasses people, process and technology’. It offered several case studies of unidentified businesses that were insured and claimed. For instance, a ransomware attack encrypted a restaurant’s server, affecting its point of sale registers and meaning it was effectively unable to trade. Having exhausted all other options, the restaurant paid the ransom. Hiscox covered that cost, plus the associated IT costs of applying the decryption key and ensuring that the business was back up and running. The insurer engaged a ‘breach coach’ to confirm whether any PII had been compromised. The insurance covered the business interruption suffered by the restaurant as a result of being unable to trade.

In April Hiscox launched its CyberClear Academy, an online interactive suite of cyber training content comprising nine learning modules.

© 2024 Professional Security Magazine. All rights reserved.