Cyber extortion and cyber insurance – Financial Services
- United Kingdom
- Insurance and reinsurance
- Litigation and dispute management
- Financial services
06-07-2021
The Covid-19 pandemic has arguably provided ideal conditions for cyber criminals to extort financial services businesses, which have been faced with the operational challenges posed by employees homeworking en masse for the first time. Indeed, according to a study by cyber security firm VMware, cyber attacks against the financial sector increased by 238% globally from February to April 2020 as the pandemic spread[1]. The significant economic cost of these attacks to financial services businesses has again highlighted the growing financial and security threat posed by cybercrime, but also the potential for cyber insurance to protect companies against the associated losses.
Typically, the perpetrators of cyber extortion take control of a target’s systems and subsequently demand the payment of a substantial fee to restore access. Commonly this involves the exploitation of insufficiently protected legacy systems, or of other systems lacking security measures such as two-factor verification, meaning that the hackers can gain access with a password alone, without a second step such as a code sent by text message. Other common forms of cyber attack include phishing, where fraudulent communications are disguised to appear to come from reputable sources in order to steal data or install malware, and Structured Query Language (SQL) injection, where an attacker inserts malicious code into a server in order to reveal information such as passwords[2].
In recent years, cyber extortion has evolved not only to lock up data, but also to threaten the release of price-sensitive information, personal data or incriminating material, posing additional reputational, legal and compliance risks to businesses. According to research conducted by Palo Alto Networks, the average ransom payment demanded has also increased significantly in recent years, from $115,123 in 2019 to $312,493 in 2020[3].
The common demand by cyber extortionists to be paid in cryptocurrencies may pose a further risk to extorted businesses and their insurers, especially given the volatility in cryptocurrency values. Although security services such as the FBI have enjoyed success in seizing bitcoin paid as ransom, victims who pay in such cryptocurrencies remain exposed to significant fluctuations in their value over the period of the attack[4]. Although insurers will likely bear that loss under the terms of a cyber insurance policy, even where part of the ransom paid is recovered, insureds may still be adversely affected because of the risks inherent in dealing with unreliable cryptocurrency infrastructure.
The threat to financial services businesses posed by cybercrime continues to increase exponentially. A 2021 report from Allianz Global Corporate & Specialty identified ‘cyber incidents’ as the single greatest risk facing financial services businesses, ahead of pandemics, business interruption, regulatory change or macroeconomic developments[5].
Moreover, financial services businesses are also faced with a developing regulatory landscape, with the Financial Conduct Authority introducing new rules and guidance on operational resilience for banks and insurers with effect from 31 March 2022[6], such that the regulatory and compliance costs of protecting against cybercrime are set to increase.
How can cyber insurance help protect financial services businesses?
Cyber insurance is designed to provide protection to businesses against threats in the digital age, indemnifying companies against operational, reputational, legal and compliance costs incurred as a result of cybercrime or mishandling of data.
Cyberattacks can impact all businesses, although large financial services businesses are perhaps especially tempting targets for cyber criminals seeking to extort money, being complex, typically multi-national and naturally well-capitalised. Most businesses operating in the financial sector will be acutely aware of cyber security risks and of the benefits of sharing risk with insurers, even though comparatively few businesses generally procure cyber insurance. A 2017 OECD paper estimated the take-up of stand-alone cyber insurance at around 30% in most countries[7].
Paying ransoms is rarely advisable, but ransom payments can be covered by insurance. Even those organisations which pay ransoms still need to incur the costs of forensically isolating and remediating the vulnerability, completely cleaning the systems of malware before restoring the data, and any costs of notifying regulators and individuals in the event personal data is impacted. Cyber insurance can significantly help defray those costs.
Coverage under cyber insurance policies is typically triggered by data loss or unauthorised access to an insured’s systems, or systems hosted by third parties. Unlike traditional business interruption policies, it is not necessary to establish physical damage to property in order to trigger the payment of an indemnity. The types of loss insurable under a cyber policy include:
- revenue lost as a result of a cyberattack. Even after systems are restored the victims of cyber extortion may continue to suffer business interruption losses due to the wider ramifications of an attack, for instance ongoing reputational damage can continue to affect profitability;
- the value of any ransom payment paid (and associated costs incurred negotiating with hackers). Payment of ransom may be legally permissible in certain circumstances (and it is important to check whether any payments would be to sanctioned entities or would result in payments to designated terrorist organisations), but it is contrary to government advice, and controversial as it may encourage further criminal activity and may not lead to return of information allowing restoration of systems;
- the restoration of hacked systems;
- any compensation paid to third parties for loss or exposure of their data;
- reputational damage; and
- to the extent insurable, the costs of dealing with regulatory and compliance matters.
[2] https://www.cisco.com/c/en_uk/products/security/common-cyberattacks.html#~types-of-an-attack
[3] https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/
[6] https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
[7] https://www.oecd.org/daf/fin/insurance/Enhancing-the-Role-of-Insurance-in-Cyber-Risk-Management.pdf, Pp. 67-8
For any questions concerning cyber insurance or cyber security generally, please contact:
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.