A cyber claims specialist from Crawford & Company has broadly welcomed a new insurer-backed cyber security warranty product. The Arkose Labs credential stuffing warranty is triggered if the software fails to protect the customer from cyberattacks.
“Both tech companies and insurers must work together to come up with unique solutions to fight cybercrime, so these sorts of innovations should be applauded and encouraged,” said Nik Stanisic, partner at HBA Legal, Crawford’s Australian law firm.
Crawford is one of the world’s largest claims management providers and has a Global Technical Services (GTS) group specialising in response and mitigation of cyber-related events.
The credential stuffing warranty protects firms when hackers use already leaked information like usernames and passwords to mount an attack. An Arkose Labs media release described these attacks as “the most prevalent and difficult type of online account-based attack to detect and mitigate, causing more consumer harm than ransomware.”
Stanisic said it’s important that businesses purchasing tech to guard against cyberattacks understand what type of attacks the tech will work to prevent.
“This product [Arkose Labs’ credential stuffing warranty] appears to provide a level of protection against one specific style of cyberattack,” he said. “Nevertheless, a product with a warranty like this is always going to be better than the same or similar product without a warranty.”
However, Stanisic said that “by far the highest proportion” of cyberattacks are from ransomware – malicious software – and email compromise.
“The other thing to note, of course, is that if hackers are successful in infiltrating the IT system of a company, a financial warranty isn’t going to suddenly claw back data that has been stolen,” he said.
Stanisic said businesses should protect themselves “from all angles” including with “comprehensive expert cyber incident response.”
In the context of ever-evolving cyber threats, he said both businesses and insurers have been “notoriously reactive.” Crawford – echoing calls from the Australian government – is encouraging Australian businesses to have a sturdy cyber incident response plan in place.
“Time is of the essence when it comes to a potential cyber incident and therefore of paramount importance is having cyber incident response experts on speed dial,” said Sean Hayes, head of Crawford TPA in Australia.
Hayes said, in his firm’s experience, very few organisations have the required expertise in-house to effectively respond to a cyber incident.
“We have moved to the point now that most businesses have cyber insurance,” he said. “But the next must-have purchase, if the worst happens, is expert-led incident response services.”
Hayes said that while the Optus and Medibank attacks had focused attention on data- and privacy-related cyber incidents, this is just one style of cyber security incident.
“Arguably of even higher concern is the type of cyber security incident that prevents or materially interrupts the delivery of vital services or completely stops manufacturing of essential goods,” he said.
Stanisic listed some of the considerations that he said a firm needs to take into account when it suffers a cyberattack:
“Responding to a cyber security incident requires understanding the evolving regulatory requirement, engagement with all key stakeholders, the strategic management of the loss and mitigation actions, support of decision making and communicating those decisions to insurers to aid policy consideration, expectation management, reserving, quantification and negotiation of settlement,” he said.
Early in January, AustCyber, an independent, not-for-profit organisation involved in cyber security research, published an article on the top cyber security threats facing Australia in 2023.
The article said phishing scams and ransomware attacks are among “the more prevalent cyber threats that Australians are facing in 2023.” The article also drew attention to the increasing use of artificial intelligence and machine learning in cyberattacks.
“It’s important to note that the best defence against cyberattacks is a multi-layered approach that includes both technical and non-technical measures,” said the article. “This includes regular security audits, incident response planning, employee education and awareness, and testing your security infrastructure.”
In November last year, the Australian Cyber Security Centre (ACSC), part of the government’s efforts to improve cyber security, released an Essential Eight Assessment Guidance Package. The package gives businesses baseline mitigation strategies to guard their IT systems against cyberattacks.