Cyber Event Claims Management Crawford & Company Crawford Cyber Solution Restoring and enhancing lives, businesses and communities
Crawford & Company World’s largest publicly listed independent provider of claims management solutions Organized across global service lines: $14 Billion 7.1 Million P&C adjusting solutions (Crawford Claims Solutions) Claims Payments Claims Handled Annually Worldwide Large or complex claims (Global Technical Services) 9,000 CRD A&B Global TPA solutions (Broadspire) Low Debt Ratio Total Employees Managed repair services Traded on NYSE (Contractor Connection)
3 Crawford Cyber Solution Two parallel and complementary service models Global Incident Response and Loss Adjusting SME Incident Response and Claims Management – Key components comprise 24/7 FNOL, access to This model mirrors the Global Incident Response our accredited Incident Managers and but builds in additional desktop Claims contracted Experts. This solution is primarily Management capabilities delivered at a local level. positioned for the Global Corporate market or In developing this solution we recognise the need for larger risks. for effective and efficient response, whilst still providing access to the services needed to respond to the more complex incident.
Crawford Cyber Solution Launched in 2015 Complete End-to end Turnkey Solution Innovative, first to market Truly global, scalable FirstNotification Claims Crawford Incident Specialist OneGlobal ofLoss Management Manager Provider Process Rapid growth, • • Single • Contracted • Timely • Dedicated, Single global over 30 carriers • Consistent coordinator network centralised intake centre • Selected • Extensive • Flexible • resource Dedicated Over 1,000 cyber claims • • Solution individuals Trained and range of telephone • Triage to driven experienced services number handled to-date • Global • specialists as • Best-in-class team Available • required • Experienced breadth Triage to 24/7/365 • • Fastresponse specialists as 200 languages • • Completed due required Guaranteed • Management diligence response of claim Backed with a £50m liability cover
Crawford Cyber Solution Loss Adjuster Incident manager Crisis Manager
Response during critical first 48 hours Clear discovery plan emerges Clear solution plans emerging
Crawford Cyber Solution Crawford Cyber Solution Wheel First Regulatory We aim to provide a timely, consistent and Notification Notifications of Loss flexible response which is solution driven, economic and expert-led. Cyber IT Extortion Forensic Crawford Internal Incident Legal Forensic Manager Indentitiy Public Protection Relations Public Forensic Notifications Accounting incl. Call (CFAS) Centre Blue indicates services performed directly by Crawford
Types of Cyber Incidents Types of cyber incidents: 1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks 2. Man-in-the-middle (MitM) attack 3. Phishing and spear phishing attacks 4. Drive-by attack 5. Password attack 6. Eavesdropping attack 7. Malware attack
Case study 1 The cyber attack Design, manufacture and erection of structural steelwork Worldwide client base 10 manufacturing plants Centralised computer system in UK 3D design system Robotic machinery 1 April 2018 – cyber attack, all files are encrypted Ransom demand for £250,000
Case study The Crawford team Loss notified First Regulatory Notification Notifications of Loss File coordinated by Crawford IT specialists Incident Manager Cyber IT Investigation Extortion Forensic Addressed immediate needs Reconstruction of Crawford IT systems and assembled the team Internal Incident Coordination of response Legal Prevention measures Forensic Manager Communication to stakeholders CFAS forensic accountant Indentitiy Public Loss mitigation Protection Relations Early involvement Worked closely with claims Public Key drivers of loss Notifications Forensic incl. Call Full financial loss estimate Accounting handler to reach resolution Centre CFAS Loss mitigation Insured loss calculation
Case study Key considerations – loss mitigation What became apparent very quickly was the risk of a large uninsured loss Management of expectations around coverage Maximise loss mitigation and The Insured’s business The Cyber BI policy minimise uninsured financial • Sales made through long term • Net profit basis impact for the policyholder • Three month indemnity period tendering process Expert advice to inform broader • Contract based sales • £5 million limit per loss • Penalty clauses for delays (+ sub-limit) decisions – legal/regulatory obligations, operational drivers, and reputational risk
Case study Key considerations – quantum aspect Loss of sales Policy considerations wording Financial data was lost in the cyber attack Net profit wording – potential Quantify overlap between BI and other Published financial statements Support policy sections Discussions with Insured Ransom demand Policy sub-limits
Case study Lessons learnt Benefit of using core forensic accounting skillset But fully integrated with Crawford Cyber Solution Unbiased evidence-based approach Crisis Management Detailed review Mitigation of key business risks Accountancy and industry knowledge Collaborative proactive approach Good knowledge of product and engagement on policy issues
Case study 2 The Cyber Attack Victim Engineering, procurement and construction for the energy sector Listed on London Stock Exchange Annual gross revenue circa USD 300 million Global client base: Middle East focused operations (onshore & offshore) Centralised computer system based in the UAE Head Office: advanced network with strong security protocols
Case study 2 The Cyber Attack Vector 18 June 2019 – cyber attack, all servers encrypted (McAfee) – Workstations (Malwarebytes) unaffected Ransomware attack (RYUK) – no demand posted, only contact details for attackers RYUK is specially engineered to target enterprise environments – creates a privileged user account to spread ransomware to individual hosts within the network. Spread by TrickBot via email (spam) or Emotet malware Information encrypted and backup files deleted – decryption software can be obtained from attacker with ransom payment – no guarantee it will be provided – decryption process is labour intensive and complicated
Case study 2 The Crawford team Loss notified: BC & FNOL First Regulatory Notification Notifications of Loss Incident Manager IT specialists: Mandiant Addressed immediate needs Cyber IT Investigation: attack vector & Extortion Forensic system impact – 3 weeks and assembled the team Coordination of response Crawford Reconstruction of IT systems Internal Incident – 4 weeks Legal Communication to stakeholders Forensic Manager Prevention measures – ongoing Loss mitigation Indentitiy Public Liaise with claims handler to CFAS forensic accountant Protection Relations Early involvement Public update on incident and address Notifications Forensic incl. Call Identification of key loss drivers Accounting potential issues Centre CFAS Assist with preparing loss estimate Loss mitigation measures
Case study 2 Key considerations It quickly became apparent that this was a large scale incident with infiltration of entire system – complete disruption to operations Management of expectations The Insured’s business around coverage The Cyber policy Maximise loss mitigation and • Gross profit / gross earnings / net • Contract based projects minimise uninsured financial losses • Penalty clauses for delays and non- income basis and extra expense Expert advice to inform broader • 180 Day indemnity period performance • USD 10 million limit per loss • Future projects secured through decisions – legal/regulatory • Comprehensive cover long term tendering processes obligations, operational drivers, and reputational risk
Case study 2 Key considerations – quantum aspect Business Interruption Policy considerations wording Consequences of cyber attack Network disabled but eventually Income loss to be calculated by one Difficulty in quantifying impact to of three methods – detailed in Policy mostly restored from backups business as all divisions and multiple projects affected except 2 no. servers The potential BI losses (delay Data loss – contractual and IM & CFAS supporting Insured penalties) will mostly be realised after the indemnity period expires operational information relating with identifying insured and uninsured losses to an ongoing contentious project Commercially sensitive lost Ransom demands being (tender bid information) investigated to recover essential lost data
Case study Lessons learnt – claim ongoing Benefits of vendor panel Crisis Management – swift response by specialists Collaborative proactive approach led by IR Loss mitigation measures – insured and uninsured Specialised consultants provide expert response to obtain best outcomes – IT forensic, legal and accountants / BI specialists Excellent support and guidance for Insured
Crawford Cyber Solution Contacts
Recommend
More recommend
