Professional services firms are particularly vulnerable to cyber disruption as they offer human-operated services that are highly dependent on IT
By Laetitia Fouquet, global head of cyber at CTA, which has a worldwide team of specialist adjusters available for first notification and response as well as claim strategy and settlement advice for insurers (the team includes computer forensic specialists who investigate the cause of an incident and the steps available for remediation), and Terri Adams, director in CTA Specialist Adjusting and a qualified accountant with over 30 years' experience in forensic accountancy in the insurance claims sector. For Insurance Day, Viewpoint: insurers should be concerned about the increasing number of cyber-attacks against professional firms.
Professional firms are often seen as targets by cyber criminals, as they hold vast amounts of sensitive data, yet many firms have gaps in their defences, which has a serious impact on losses claimed after an attack.
In recent years there has been an increase in the sophistication, frequency and severity of cyber incidents across all lines of business.
These trends have had a serious impact on the losses claimed following an incident, including the cost of remediation, the cost of legal notifications when a data breach has occurred, business interruption and reputational harm.
Professional firms such as lawyers, accountants, investment advisers, property management firms, architects and surveyors are often seen as targets by cyber criminals, particularly as these firms hold vast amounts of sensitive data. Not all these firms will have appropriate cyber cover or internal support. Usually, they have either limited internal IT support or will sub-contract to a managed service provider. It is no surprise that as a result professional services firms often have gaps in their cyber security defences.
Most attacks start with social engineering and rely on employees giving up their credentials to phishing, so while cyber security tools are important, training staff to spot attempts to harvest credentials or redirect payments is essential, alongside good password hygiene.
Attackers have also increasingly targeted professional services with double extortion, in which the victim's systems are not only compromised but its data has also been exfiltrated and advertised on a leak site, to be sold or published if the victim does not pay for it to be removed. This not only leaves the victim handling a significant data breach but may also damage its reputation for the way it handled personal and financial data. Additionally, the firm will answer not only to the data privacy regulator but also to its own professional standards regulator, and handling their queries may also prove expensive.
Professional firms are particularly vulnerable to cyber disruption as they offer human-operated services that are highly dependent on IT. If computer systems are taken down after an incident many staff will be unable to work offline. In most cases, work or opportunities will be lost. At a minimum this leaves the firm with continuing staff and other premises costs but with no or limited fees from clients coming in to cover this expenditure. The network interruption (or business interruption) aspects in the cyber insurance cover can therefore be very significant.
Given the calibre of staff these firms employ, there will usually be strenuous efforts to catch up or mitigate the impact once systems are back in use.
A typical approach for network interruption can be to compare financial data from previous years across the same period as a guide to the expected level of revenue for the business during the interruption period.
This is perfectly appropriate for consumer businesses and manufacturing operations, where the market largely drives sales and the limits are usually set by capacity or component constraints. For a professional firm, however, the previous year can be very different from the current period: the firm may have seen significant changes in staffing levels, reflecting the general economy or sector-specific demand.
It is also important to recognise that many projects are long term in nature, with staged fee points, so any movement in work in progress must be considered carefully alongside reported fee income. Merely deferring a fee invoice from the period in which the incident occurred to a later period, when the systems allowed it to be issued, is not a loss under a cyber policy.
Professional firms largely monitor themselves by reviewing the chargeable hours recorded by their staff. After an incident, staff are usually asked to allocate their time to "the incident". This is akin to treating the insurer as the end client, with the expectation that the hourly staff rates will be paid under the policy.
However, a significant portion of staff time is never allocated to clients. This reflects normal constraints such as holidays, sickness, marketing activities, administration, training and even periods when there is no client work available for particular individuals. Time booked to the incident over and above what would normally have been chargeable therefore needs to be written off rather than claimed.
A forensic accountant applies analytic tools to the business's own reports (particularly staff chargeable hours) so that the merits of different ways of presenting the network interruption loss can be considered. This also includes looking at opportunities to mitigate by catching up outside the immediate disruption period. Most cyber policies allow a period of either 90 or 120 days after the repair and reinstatement of the network, and this applies to mitigation opportunities as well as to continuing trading losses.
Initial discussions with the insured about its work streams, ongoing projects, the allocation of work across teams, who does or does not charge overtime, and the general productivity ratio are vital to understanding revenue drivers. These are reviewed alongside the technical IT recovery timeline to understand what was accessible, and when, and when the teams were able to return to day-to-day work.
A forensic accountant will also access all the typical financial reports used by the business itself. Extra analysis might include looking at average or blended hourly rates across all levels of professional staff before, during and after the incident periods, which can change or be influenced by projects under way.
Any time-critical projects whose deadlines could not be moved will be reviewed, and any pre-existing delays or timescale or staffing constraints will be assessed. It should be borne in mind that contractual penalties for late delivery are generally not included in cyber cover, although the threat of such penalties may influence the commercial decisions taken and the approach to mitigating potential fee losses.
It is also easy to assume that for a professional firm there will be little or no savings while staff are inconvenienced and possibly unable to work, but a forensic accountant has the tools to dive into the underlying data and cost ratios to establish whether any savings in general overheads or expenses should be reflected in the final settlement.
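As an added worked illustration of the adjustments described above (this is not part of the original article, and not CTA's own methodology), the Python model below applies them to a constructed timesheet: it first prices every hour booked to "the incident" at full rate (the "insurer as end client" figure), then restricts that to the share of time that was chargeable in a baseline period, credits chargeable hours above the baseline expectation in the catch-up period as mitigation, and finally deducts overhead savings. The staff grades, hourly rates, hours and savings figures are all hypothetical.

```python
"""Illustrative network-interruption loss model for a professional firm.

Added example, not the article's or CTA's own method. The grade rates,
timesheet rows and overhead savings are constructed for illustration; a
real claim would be built from the insured's own reports.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical blended hourly rates per staff grade (assumed, not from the article).
HOURLY_RATE = {"partner": 400.0, "senior": 200.0, "junior": 100.0}

INCIDENT = "INCIDENT"  # the code staff book time to after an attack
# Codes that never generate fees; time booked to them is not chargeable.
NON_CHARGEABLE = {"admin", "training", "marketing", "holiday", INCIDENT}


@dataclass(frozen=True)
class TimeEntry:
    period: str   # "baseline" (before), "outage" (systems down) or "catchup" (after)
    staff: str
    grade: str
    client: str   # client code or a non-chargeable code
    hours: float


# Constructed sample timesheet: one 40-hour week per period, three fee earners.
TIMESHEET = [TimeEntry(*row) for row in [
    ("baseline", "P1", "partner", "ClientA", 20), ("baseline", "P1", "partner", "admin", 20),
    ("baseline", "S1", "senior", "ClientA", 30), ("baseline", "S1", "senior", "training", 10),
    ("baseline", "J1", "junior", "ClientB", 32), ("baseline", "J1", "junior", "admin", 8),
    ("outage", "P1", "partner", INCIDENT, 30), ("outage", "P1", "partner", "ClientA", 10),
    ("outage", "S1", "senior", INCIDENT, 35), ("outage", "S1", "senior", "admin", 5),
    ("outage", "J1", "junior", INCIDENT, 40),
    ("catchup", "P1", "partner", "ClientA", 25), ("catchup", "P1", "partner", "admin", 15),
    ("catchup", "S1", "senior", "ClientA", 36), ("catchup", "S1", "senior", "admin", 4),
    ("catchup", "J1", "junior", "ClientB", 30), ("catchup", "J1", "junior", "admin", 10),
]]


def hours_by_grade(entries, period):
    """Total and chargeable hours per grade for one period."""
    total, chargeable = defaultdict(float), defaultdict(float)
    for e in entries:
        if e.period != period:
            continue
        total[e.grade] += e.hours
        if e.client not in NON_CHARGEABLE:
            chargeable[e.grade] += e.hours
    return total, chargeable


def productivity_ratio(entries):
    """Share of recorded time that was chargeable in the baseline period, per grade."""
    total, chargeable = hours_by_grade(entries, "baseline")
    return {g: chargeable[g] / total[g] for g in total}


def incident_hours(entries):
    """Hours booked to the incident code while systems were down, per grade."""
    booked = defaultdict(float)
    for e in entries:
        if e.period == "outage" and e.client == INCIDENT:
            booked[e.grade] += e.hours
    return dict(booked)


def naive_claim(entries):
    """'Insurer as end client': every incident hour at full rate. Overstates the loss."""
    return sum(h * HOURLY_RATE[g] for g, h in incident_hours(entries).items())


def gross_fee_loss(entries):
    """Only the share of incident hours that would normally have been chargeable."""
    ratio = productivity_ratio(entries)
    return sum(h * ratio[g] * HOURLY_RATE[g] for g, h in incident_hours(entries).items())


def catchup_recovery(entries):
    """Fees recovered after restoration: chargeable hours above the baseline expectation."""
    ratio = productivity_ratio(entries)
    total, chargeable = hours_by_grade(entries, "catchup")
    return sum(max(0.0, chargeable[g] - total[g] * ratio[g]) * HOURLY_RATE[g] for g in total)


def net_loss(entries, overhead_savings):
    """Gross fee loss less mitigation and any overheads saved during the outage."""
    return gross_fee_loss(entries) - catchup_recovery(entries) - sum(overhead_savings.values())


if __name__ == "__main__":
    savings = {"travel": 300.0, "printing": 150.0}  # constructed figures
    print(f"naive claim (all incident hours):       {naive_claim(TIMESHEET):>10,.2f}")
    print(f"gross fee loss (productivity-adjusted): {gross_fee_loss(TIMESHEET):>10,.2f}")
    print(f"less catch-up recovery:                 {catchup_recovery(TIMESHEET):>10,.2f}")
    print(f"less overhead savings:                  {sum(savings.values()):>10,.2f}")
    print(f"net network-interruption loss:          {net_loss(TIMESHEET, savings):>10,.2f}")
```

The model assumes the baseline week is representative, which, as noted above, may not hold for a professional firm; in practice the baseline would be chosen to reflect staffing changes and work in progress, and the catch-up window limited to the policy's 90- or 120-day period after reinstatement.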
Increasing numbers of cyber attacks and apparent vulnerabilities for professional firms should concern businesses and their advisers. The need to demonstrate and support any claims using clear analysis of reasonable fee expectations confirms the valuable role forensic accountants can offer in complex cyber losses.