Types of cyber insurance claims seen by insurers/brokers

With 350,000 new malicious programmes being discovered every day (What is Malware and How Does Malware Work | Axians UK), there’s been a big spike in cyber crime and as a result we’re seeing an increase in cyber insurance claims.

In no particular order, we’ve pulled together a list of the most common cyber-attacks people claim for.


1. Ransomware attacks

Ransomware is the most common cyber insurance claim (https://www.getastra.com/blog/security-audit/cyber-insurance-claims-statistics/). Ransomware is a type of malware that a threat actor uses to encrypt your files, so you are unable to access your device and the data stored on it. Once threat actors have access to your system, they can sit dormant for months before they decide to encrypt your files. During this time, they watch what you’re doing on your device and collect data, waiting for the right time to strike before demanding a ransom in exchange for decryption or threatening to leak the stolen data.

Ransomware can gain access to your business in several ways, including:

  1. Phishing – An employee clicks on a malicious link within a seemingly genuine email, allowing ransomware to infiltrate.
  2. Remote Desktop Protocol (RDP)
    • No VPN or MFA used – Threat actors gain access to the network using a brute force attack, as only a simple password was preventing access and no VPN was used to ‘hide’ the client’s network.
    • Unpatched VPN/RDP/software – Software that is not regularly updated with the latest security patches leaves a vulnerability in the network. Threat actors take advantage of this and gain access, installing ransomware and/or stealing data.

In September 2023, two of the world’s largest casino-hotel companies, MGM Resorts and Caesars Entertainment, fell victim to ransomware attacks by way of social engineering (https://www.forbes.com/sites/suzannerowankelleher/2023/09/14/2-casino-ransomware-attacks-caesars-mgm/?sh=3b17b826402d). Caesars Entertainment paid the $30 million ransom demand (https://cybernews.com/security/caesars-palace-mgm-ransomware-attack-confirmed).

2. CEO/Friday fraud (funds transfer fraud)

CEO fraud (or Friday fraud) is a type of attack in which a cyber criminal impersonates someone with the authority to ask employees to make payments. This could be a CEO, CFO, Head of HR, etc. The email will usually include an invoice from a supplier which contains new account details.

An employee in accounts receives a seemingly genuine email from the boss or a known customer at the last minute requesting urgent payment of an invoice.
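
An added example (not part of the original article) of a payment-release check aimed at this pattern: it compares the emailed request against the vendor master record and returns the reasons to hold the payment for call-back verification. The vendor record, domains, word list and Friday cut-off are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed data: the company's own domain and one vendor master record.
OWN_DOMAIN = "insured.example"
ACME_ACCOUNT = "GB00TEST00000000000001"
VENDOR_MASTER = {
    "Acme Supplies Ltd": {"account": ACME_ACCOUNT,
                          "domain": "acme-supplies.example"},
}
URGENCY_WORDS = ("urgent", "immediately", "asap", "today")  # assumed word list

@dataclass
class PaymentRequest:
    supplier: str
    account: str        # bank details quoted on the emailed invoice
    sender: str         # address the request arrived from
    subject: str
    received: datetime

def hold_reasons(req, vendors=VENDOR_MASTER):
    """Return the reasons to hold a payment for call-back verification."""
    record = vendors.get(req.supplier)
    if record is None:
        return ["supplier not in vendor master"]
    reasons = []
    if req.account.replace(" ", "").upper() != record["account"]:
        reasons.append("bank details differ from vendor master")
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain not in (OWN_DOMAIN, record["domain"]):
        reasons.append("sender domain not on file")
    if any(word in req.subject.lower() for word in URGENCY_WORDS):
        reasons.append("urgency language in subject")
    # Assumed cut-off: Friday from 15:00, when there is least time to verify.
    if req.received.weekday() == 4 and req.received.hour >= 15:
        reasons.append("last-minute Friday request")
    return reasons

# Constructed samples: a routine invoice and a lookalike-domain "CEO" request.
ROUTINE = PaymentRequest("Acme Supplies Ltd", ACME_ACCOUNT,
                         "accounts@acme-supplies.example", "Invoice 1042",
                         datetime(2024, 3, 12, 10, 0))
SUSPECT = PaymentRequest("Acme Supplies Ltd", "GB00TEST00000000000999",
                         "ceo@insured-corp.example",
                         "URGENT: pay attached invoice today",
                         datetime(2024, 3, 15, 16, 30))

if __name__ == "__main__":
    for request in (ROUTINE, SUSPECT):
        print(request.subject, "->", hold_reasons(request) or "release")
```

Any non-empty result means the payment waits until someone confirms the change using contact details already on file, not those in the email.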

3. Cloud hacking

With the rising popularity of cloud storage tools and applications, cloud hacking has become a very common threat in the industry. Cloud hacking attacks can take many forms, such as brute-force attacks, phishing, and credential stuffing.

There are many ways cloud hacking can happen. For example, a disgruntled former employee, or other threat actor, accesses a business’s critical data held in cloud storage and takes control. They may hold this data for ransom or threaten to leak it if their demands are not met.

4. Vishing and quishing

In a vishing scam, a scammer impersonates a legitimate source over the phone in an attempt to extort money.

An example of a vishing scam is a call from the “bank” stating that your account has been compromised and that immediate action is required. Usually, this action includes transferring bank details and security information to the threat actor.

A new scam known as ‘quishing’ is gaining momentum. The scam can happen both online and in the real world, where QR codes are manipulated to divert traffic to a malicious site for theft of funds or valuable data.

5. Dependent Business Interruption loss

A third-party service provider goes down unexpectedly as a result of a ‘cyber event’, meaning that the insured is unable to work because they lose access to their computer networks.

6. Lost data

A USB containing unencrypted sensitive data is lost. The loss of such data requires notification to the ICO and affected individuals.

Loss of paper files can also be a ‘data breach’. Some robust cyber insurance coverage may include loss of hard/paper copies of data.

7. DoS Attack (denial-of-service)

A denial-of-service attack is when a threat actor attempts to disrupt a computer or other device’s normal functioning and make the device inaccessible to users.

During this malicious attack, the threat actor overwhelms a website with traffic, resulting in the website, and/or sales, going down. They typically do this during a busy sales period, preventing the insured from being able to trade. Sometimes a ransom is attached to cease action.

8. Rogue employee

A rogue employee is a member of staff who harms their company by engaging in illicit activity, e.g., a worker collects sensitive and confidential data over time with a view to selling it. Under the General Data Protection Regulation (GDPR), all organisations must report data breaches to the Information Commissioner’s Office (ICO) and to the individuals impacted by the data breach. This opens the door for individuals to seek financial compensation as a result.

Rogue employees tend to fall into one of three categories:

  1. Ambitious – Cuts corners regarding cyber security best practices in order to get things done as quickly as possible.
  2. Disgruntled – Intends to subvert cyber security practices as a form of backlash against their employers.
  3. Negligent – Breaks cyber security best practices because they simply do not care about the consequences.

Case study: In 2013, a disgruntled IT auditor employed by Morrisons collected the payroll data of Morrisons’ entire workforce and uploaded it to a file sharing website (https://www.taylorwessing.com/en/global-data-hub/2021/june---data-breaches/the-insider-threat---rogue-employees-and-data-breaches).

Consequences of a cyber-attack

Following a cyber event, there are a few additional costs which may be incurred that you might not immediately consider, such as:

  1. Notification costs – Significant costs incurred to notify the ICO and each customer/individual involved in the data breach.
  2. Call centre costs – A call centre may be needed to field the significantly increased volume of phone calls and enquiries as a result of the breach.
  3. Crisis management – Damaging reviews online and press coverage may result in a media relations issue requiring the help of a PR and crisis management team. There’s also the potential for business interruption claims for loss of revenue.

Cyber insurance with Ethos Broking

If you have any questions about protecting your business against a cyber-attack, please contact your local Ethos Broking office and the team will be happy to help.