‘You can’t not have it’: Companies turn to cyber insurance as hackers rise
By Charlotte Grieve
Conveyancer Natalie Fisher still feels violated when she thinks about the criminals who watched her for weeks or months, taking note of her digital mannerisms while plotting an attack.
Fisher’s business email was hacked in March after someone in her team fell victim to a phishing scam and clicked on a document that installed malware.
The malware enabled the hackers to monitor Fisher’s systems to become familiar with the way she interacts with clients and normal processes that could be tweaked and exploited.
Natalie Fisher says cyber insurance has now become an essential part of running a business. Credit: Simon Schluter
Once the hackers had access to the systems, they diverted client emails and responded on Fisher’s behalf. “It was like a three-way conversation that I was no longer a part of anymore,” she says.
This style of cyberattack, now known as business email compromise, is on the rise. The hackers’ emails often use the target company’s exact branding and writing style so the victims are none the wiser.
One of Fisher’s unsuspecting clients bought a property and was expecting to make a transfer of around $50,000 to complete the purchase. The hacker intervened and instructed the client to send the money to a trust account.
As a first home buyer, the client trusted his conveyancer, so he transferred the money immediately. One week later, he called Fisher to enquire about the property, and the penny dropped.
“I said forward me the emails so I can understand what you’re talking about,” she says. “When I saw the emails and he told me what he’d done, I felt so sick.”
Immediately, Fisher asked her IT team to scour through the systems to find the extent of the fraud. Another client had transferred $280,000 but, thankfully, it was early enough to ask the banks to block the transaction.
Six months earlier, Fisher had forked out more than $2000 to buy cyber insurance. After putting in a claim, her clients were fully refunded as were associated costs, such as temporary accommodation and fines.
Now, Fisher says there needs to be more education to encourage all conveyancers to buy cyber insurance.
“If I didn’t have this policy, it would have ruined me. Not just financially but, my reputation, everything,” Fisher says.
The coronavirus pandemic has led to an explosion in online scams, fraud and cyberattacks. The proliferation of remote working has coincided with the mass release of cheap malware on the dark web, which has created a perfect storm for an uptick in illegal online activity.
According to the latest data from the Australian Cyber Security Centre, one cybercrime is reported in Australia every eight minutes, a 13 per cent increase from last year. Total yearly losses have reached $33 billion but under-reporting means the actual figure is likely to be much higher.
As a result, businesses are increasingly seeking to insure themselves against cyberattacks. Normal professional indemnity insurance often excludes cybercrime, leaving business owners on the hook for hefty payments if they fall foul of hackers.
Insurance broker Marsh’s head of cyber Kelly Butler says there has been a major rise in the number of Australian businesses with cyber insurance over the past three years. She estimates that between 15 and 20 per cent of small businesses are now covered, and up to 70 per cent of larger ASX-listed firms.
But as demand grows, Butler says the industry has had to adapt quickly. “All insurers are currently grappling with how they write cyber,” Butler says. “The biggest issue for them is the systemic nature of cyber.”
‘There are no borders’
Insurance companies are in the business of pricing risk. Premiums are calculated using historical data patterns to estimate the size and cost of claims. Insurers have well-established processes for vehicle and property damage, but with cyber, Butler says the rules are largely unwritten.
“I always relate this back to hurricane season in America. They know it’s coming, they know it’s contained to a certain area from a weather front perspective,” she says. “But when it comes to cyber, there are no boundaries. There are no borders.”
In Australia, Butler says premiums have gone up between 50 and 150 per cent over the past 12 months, after the proliferation in ransomware attacks caused losses to multiply.
Many insurers have introduced limits on payouts and created eligibility criteria to ensure policyholders have basic defences in place, such as multi-factor authentication, data backups and staff training.
“It’s a real challenge for insurers, but reinsurers as well,” she says. “They’re soul searching at the moment. Insurers are looking back at their models, how they underwrite, is the coverage too broad? Have they priced it correctly?”
Insurance broker Todd Samson, who runs Cornerstone Insurance Group, says the largest player in the Australian market is Chubb, which covers large corporates, while the Insurance Australia Group services the small business market.
Samson explains cyber policies can be tailored to specific business operations, but generally include access to an incident response team, consisting of cyber defence experts, lawyers and consultants who are available around the clock. “If they can get onto it quickly, they can assist in minimising the extent of the loss,” he says.
Typical cyber policies cover losses associated with the attack, such as lost income and assets, but can extend to public relations work needed to limit the reputational fallout or associated lawsuits and fines from regulators.
Controversially, these policies often cover the costs of paying a ransom. “There are circumstances where paying the bitcoin to unlock the system is the only answer so they [insurers] will pay the ransom,” Samson says.
Ransomware attacks made global headlines this year when US oil pipeline Colonial Pipeline paid $US4.4 million to Russian criminals in May to get its systems back online. The following month, meat processor JBS paid a $US11 million ransom to end the attack on its operations that caused global supply chain blockages.
The federal government is planning to introduce new laws to force certain companies to disclose ransom payments, as the lack of transparency creates an unregulated space where criminals operate without recourse.
Nigel Phair, the director of the University of New South Wales’ Institute for Cyber Security, says insurers paying ransoms is a “vexed issue”.
“Who are you paying and for what reason? You’re paying to get the data back but not every business that pays would get all of their data back. And then double the premium for that person next year.”
Phair says cyber insurance policies can often have “onerous conditions” that dictate which incident response team a business must use when a company is under attack. “If I were a director, I would be worried about due diligence when an insurance company is stepping in and making calls.”
Butler says insurers collect intelligence on hackers around the world and are becoming familiar with their tactics and, importantly, who is behind the attack. There are laws to prevent ransoms being paid to state-based actors from countries under international sanctions, such as North Korea and Russia.
But with an increasingly grey line between state actors and organised crime gangs, this is difficult to police in a high-stress environment, and ultimately, Butler says, it’s the policyholder’s call. “Cyber policy is a reimbursement policy, so it’s the client’s decision whether they pay or not.”
The market is rapidly changing and Samson encourages all his clients to take a comprehensive approach to cybersecurity, relying on insurance payments only as a last resort.
“With IT, you look at it as prevention and cure,” he says. “The insurance can be the cure, but you don’t want to get to that point. It’s about preventing it from happening.”
And as the risk of cybercrime continues to multiply, policyholders are bracing for further premium hikes. Fisher, though, wouldn’t do business without it. “Unfortunately, it’s a cost that being in this industry you just have to wear it,” says Fisher. “You can’t not have it.”