Financial Forensics Blog

Subrogating a Cybersecurity Attack
November 1, 2021

By Danielle M. Gardiner, CPA, CFF, and Joseph Lazzarotti
Contributor: Shiraz Saeed

Original Publish Date: November/December 2021, Claims Magazine 

When it comes to cybersecurity risks, the insurance industry really can’t escape the feeling. “There isn’t a class of business that can hide from this,” explains Shiraz Saeed, vice president and cyber risk product leader at Arch Insurance Group.

Cybersecurity incidents, such as data breaches or ransomware attacks, are becoming so frequent that it can feel unbearable for insurers. “Managing cyber risk is complicated. Trying to figure out the likelihood of an organization getting hacked is very challenging; there are tools that can help organizations with the predictability of a network security failure, but it is still not a perfect science. Instead of thinking about the probability of this possibly happening to your organization, you should assume it will and invest in people, tools, policies, procedures and controls to help mitigate the risk. Having an organization with a mature and robust cybersecurity risk management model reduces the chances of your organization falling victim to a cyber incident,” Saeed remarks.

The question is, how can we limit the exposure? In the wake of a data incident, there are several expenses and liabilities that will have to be paid for — many of which are contemplated in a cyber insurance policy. These would potentially include legal expenses, cybersecurity forensics, public relations, negotiation and payment of ransom demands, data recovery or business income loss. This will apply to most organizations that have a business-to-business client model. If the organization is direct to consumer, or has a business-to-business model in which the organization has access to its clients’ private information or computer systems, there is the added potential of having to notify and provide identity monitoring for impacted individuals, and there can be lawsuits from individuals, other businesses or regulatory agencies, depending on which privacy laws may have been implicated.

The big picture is this: When a cyber loss occurs, carriers are first and foremost concerned with making their insureds whole again. But as the dust settles and the full picture of the loss comes into view, you quickly find out that a breach is about more than notices and credit monitoring. Adjusters have to look at where fault lies and who should ultimately be liable. Subrogation is an effective means of holding responsible parties accountable and in turn, helping to lessen the financial load on the insurer. It’s not always as straightforward as it sounds.

CYBER SUBROGATION: WHO’S ULTIMATELY LIABLE?

To end up in subrogation, it’s naturally going to be a multi-party (read: complex) matter. At the end of the day, there is a third party (or multiple third parties) involved whose actions or inactions allowed the breach or cyber incident to occur to the insured company.

Consider the following scenario:

ABC Corp. is a national apparel retailer. Sales are carried out through a network of local kiosk owners in shopping centers throughout the country who rely on ABC for sales support, back-office administrative support and payment processing. ABC hires a nearby IT company to provide managed services along with PCI compliance and general data security compliance. The IT company fails to maintain ABC’s systems and, on November 15th, ABC suffers a ransomware attack orchestrated by the Conti group.

The attack cripples ABC systems and the threat actors claim to have exfiltrated 50G of data, including customer payment data. As a result of the attack, kiosk owners are significantly affected. The owners (i) cannot process payments as cash transactions are limited, forcing many to close, and (ii) are not getting new merchandise shipments for the holiday shopping season because orders cannot be placed or shipped.

After three weeks, the systems are restored, but ABC determines the threat actors exfiltrated payment card and mailing list data of customers. ABC promptly notifies 2 million customers on December 10, many of whom express anger at the local kiosk owners.

This scenario offers many pathways to understanding how a claims adjuster could approach subrogation by first determining the path of insurability and second, determining who’s responsible and who’s liable for the ultimate loss.

In our scenario, the insured is the retailer and a claims adjuster would want to establish the ownership interest between the kiosk owners and ABC Company. When there’s a franchisee and a franchisor, there’s typically an agreement that speaks to the ownership, processing and security of customer information. Typically, the franchisor wants to own all of the customer information. Franchisors also tend to dictate the POS system, which in the case of the retailer probably also includes inventory management and logistics. This is the case with our insured, ABC.

So, even if ABC Co. doesn’t own the kiosks, their systems are connected to ABC’s systems and they are processing the personal information of customers. Who’s really responsible then? The franchisor or the franchisee? That’s where subrogation could possibly come into play. But then there’s the IT company that manages ABC’s POS system. Who brought in the IT company? Was it the franchisor? Were they required or chosen? This is yet another wrinkle that will come into play.

The story of ABC Co. is a typical ransom scenario. The adjuster would want to consider the total loss incurred between legal, forensics, notifications, PCI investigation and penalties, identity monitoring, public relations, data recovery, replacing/updating systems and equipment, business income, paying the demand, being sued, and doing the regulatory work. This is the case under a lot of insuring agreements. If it costs the insurer $10 million, it becomes the goal of the adjuster to subrogate and get that money back.

Every loss triggered under the insuring agreement in this scenario is linked back to the security failure and/or the loss of the private information. In this case, the two are intertwined. The adjuster may determine that this wouldn’t have happened but for the IT vendor.

BUSINESS INTERRUPTION LOSSES ADD TO THE EQUATION

The business interruption loss in the scenario described above will consider the net profit or loss that would have been earned plus continuing normal operating expenses that must necessarily continue during the period of restoration. The business interruption loss measurement will begin eight hours after the ransomware attack interrupts ABC’s business operations through the period of restoration which ends when ABC Co’s system is restored. In this case, it is determined that the period of restoration will be three weeks.

The forensic accountant will be measuring the income loss resulting from the inability of the ABC’s kiosk owners to conduct business. In addition, ABC is turning to their policy for the future loss of income resulting from their inability to place orders for the holiday season. In this case, there are several considerations that the forensic accountant will have to contemplate and discuss with the carrier as it relates to the application of the policy.

  • Should the carrier determine that the period of restoration ends on the date and time that the systems are restored, does this preclude the forensic accountant from considering the future loss of income that may occur due to reduced inventory levels at the kiosks resulting in their inability to fulfill demand anticipated to occur during the holiday shopping season?
  • Can the forensic accountant consider the immediate increase in sales experienced at various kiosks once the system is restored and the kiosks begin operations? Will the carrier consider the increased sales as “make-up” or “delayed revenue,” and if so, what is the reasonable length of time to include these increases as an offset to lost sales?
  • Does the policy’s dependent business loss clause respond to the businesses selling the merchandise to ABC’s kiosks for the orders that were not placed? In this case, if coverage is determined for the dependent business loss, it will be subject to a sub-limit.

The policy in this case will also respond to the consequential reputational loss, which will be during the notification period, the 30-day period beginning on December 10 when the 2 million customers are notified. The forensic accountant will be measuring the income loss that ABC is prevented from earning as a direct result of the damage to ABC’s reputation caused by the actual security breach. The analysis of the income loss for this period will be complicated by the potential loss of income experienced due to reduced inventory levels because of the inability to place orders.

ABC Co. will do whatever is reasonably necessary to secure the insurer’s rights of recovery and is obligated not to prejudice them. The documentation and information provided by ABC Co. served as the basis of the forensic accountant’s business interruption calculation. This documentation and information, along with the forensic accountant’s analysis, will serve as the basis of the recoveries sought during subrogation, specific to the business interruption and any extra expenses. The forensic accountant can anticipate that their analysis will fall under the scrutiny of the IT company’s insurance carrier, and it may be necessary for the forensic accountant to provide further explanation and basis for their business interruption calculation.

THE PATH TO SUCCESSFUL SUBROGATION

How can the insurer in this case successfully find their way through a cyber subrogation? In this fictitious example of ABC apparel company, once the payments are made by the carrier, it is likely the insurer is going to move forward with their rights of recovery in subrogation against ABC’s IT company.

Here, we offer three considerations:

1. Contracts: Does the contractual language with the third party favor you or prohibit you from going after the money?
2. Evidence: Do you have evidence that the third party was at fault?
3. Ability to pay: Does the third party have the ability to pay? Do they have room in their E&O policy to cover the loss?

Cybersecurity risks are real. The uncomfortable feeling insurers have is real. And when a loss occurs, it really boils down to two things for insurers: whether to pay and whether you can get your money back. As the scenario in this article shows, it’s not always a straightforward process, but with some basic considerations at hand, adjusters can make smarter decisions about how to proceed.

Reprinted with permission from the November/December 2021 issue of Claims Magazine. © 2021 ALM. Further duplication without permission is prohibited. All rights reserved.