Cracking the Cyber Code on Insurance

Insuring cyber risk has become increasingly complex in today's hyperconnected world. As cyber insurance premiums skyrocket and cyber attacks increase in frequency, how are insureds incentivised to take proactive cyber security measures to manage cyber risk effectively?


Watch the on-demand video of Pandamatics Underwriting's Co-founder and Managing Director, Struan Todd, share insights on cyber risk management and what it means to operate as a pure cyber insurance coverholder in Asia. Alongside speakers Moying Chap, Zhen Guang Lam, Deborah Thomasz, and moderator Summer Montague, our fully-booked fireside chat unearthed some unique perspectives with regards to managing risks related to digital tools and assets in today's hyperconnected society.


This event was held in collaboration with the Singapore Insurance Institute, The Chartered Insurance Institute Hong Kong, Malaysian Insurance Institute, and Blackpanda.



Read the full transcript here:


Summer Montague:

Welcome. My name is Summer Montague. I'm a partner at DAC Beachcroft and I'm also a Singapore Insurance Institute council member. So welcome on behalf of the institute. Today we're gonna be discussing cyber incidents and cyber insurance. We're gonna be trying to demystify some of the insurance aspects of cyber incidents.


We've got an excellent panel who are gonna talk us through cyber incidents, how they work, the insurance aspect of that, the cover that's available. And then towards the end of the session we're going to look at some claims examples. So the session today is going to last about an hour. We're going to have a panel discussion to start with for about 45 minutes.


We've pre-prepared some discussion topics, but we're very happy for you to interrupt us at any point throughout the session to ask questions or to participate in the discussion. We're very happy to do that. We've also set aside about 15 minutes, towards the end of the session, for Q & A. So happy to entertain questions at that point as well. So I'm gonna let each of the panelists introduce themselves before we kick off.


Struan, do you want to start?



Struan Todd:

Sure. Can everyone hear me? So I'm Struan Todd. I'm the Managing Director and Co-founder of Pandamatics Underwriting, which is a Lloyd's MGA specialising in cyber insurance only. We are co-domiciled in Singapore and Hong Kong. Our focus has really been to help the SME market with their cyber risk in general by providing both insurance and non-insurance services. We work very closely with Blackpanda, hence why I've sat next to Mo. So I'll let him introduce himself.


Moying Chap:

Thanks, Struan. I'm Moying Chap. I'm a VP Loss Adjusting for Blackpanda. Blackpanda is primarily an incident response firm. I joined them a year ago. And before that I was in specialty lines loss adjusting, so handling fin lines mostly, but also cyber cases in the region.


Deborah Thomasz:

Thank you. Hi everyone, afternoon. My name is Deborah Thomasz. I'm in Lockton, Singapore. I mainly manage the Profin book. I have over 10 years of experience in the financial lines space. In the recent couple of years, because of Covid as well, I think the acceleration of cyber topics has come up, so I'm happy to be here as well. Thank you.


Lam Zhen Guang:

I'm Zhen Guang. I'm a senior associate at Clyde & Co, an international law firm. I specialise in technology, media and telecommunication, data protection, cyber security, as well as digital access. So in terms of cyber attacks or data breaches, this is something I'm familiar with, whether we are talking about post-incident matters or pre-incident, trying to get the house in order to ensure compliance is at the highest standard. Thank you.


Summer Montague:

Great. Thank you all very much. Thank you very much for introducing yourselves and welcome again to everyone else. So we thought we would start today by providing an overview of cyber insurance and what it covers. There have been a lot of changes to the cyber insurance market in Asia over the last five years in particular. And so we thought we'd just start with an introduction, an overview.


Deborah, do you want to start with that?


Deborah Thomasz:

Yeah, sure. I think the cyber policy is unique in the sense that it actually has two parts of the policy that would help you for first party losses as well as third party claims. And it goes beyond just indemnifying you when you have third party losses, because it covers you for, let's say you're a policyholder, when you incur your own expenses. That first party coverage of the policy would help to cover your cost in the event when there is an insured event where you need to incur costs to hire incident response, forensics, accountants, or even to look at data restoration costs. The other part of the policy would then be the third party coverage, where in the event where individuals or businesses bring claims against you for alleged wrongdoing, that part of the policy would pick up coverage.


Summer Montague:

Excellent. Anyone else?


Struan Todd:

Yeah, I'll add to that. So my background prior to leading Pandamatics Underwriting was as a broker, specialising in cyber risk as well. So a similar role to what Deborah did, out of the London market. What the policies at that point in time were really focused on was preparing for GDPR and making sure that liabilities or third party costs associated with that were covered in some format.


What we tended to see as soon as GDPR came into play was that the actual benefit of a cyber insurance policy was the first party coverage. So protection of businesses, helping them get back up on their feet as quickly as possible, and a number of different additional values for businesses to make sure that they were operating swiftly and efficiently. So when we talk about the first party costs associated with it, we talk about forensic experts coming in and finding out what's happened in the event of a breach, understanding how to get a business up and operating swiftly, dealing with ransomware negotiation, making sure that any financial loss or business interruption to that respective business is covered under the policy.


As we touched on the third party liabilities, obviously a cyber insurance policy is meant to give access to lawyers and professionals in that space to give guidance, be able to notify regulators about what's occurred, and then making sure that both the clients of the businesses and the businesses themselves are covered in some format to make sure they're not experiencing any financial loss due to a cyber breach.


Summer Montague:

Excellent. Thank you. And if I can just ask a quick question to follow up on that. Do you find that the clients, the insureds who are buying this policy, is there any one particular aspect of the cyber insurance policy that they're most keen about or that they're asking questions about?


Struan Todd:

I'll go first. I suppose it differs by industry segment and also revenue and their style of operations. So, we see a lot of businesses who hold government contracts pushing far more for liability requirements, making sure that there's third party coverage involved. When we look at your typical SME, they're far more concerned with their own first party losses. You know, they want to make sure that they're fine to trade straight away, that they're not losing any money by not being able to do their typical operations. So it does differ. Some businesses see value in the whole proposition. Some try and carve out elements that they think are going to be useful just to them. What we try and do is make sure we're adding value to all of those respective businesses.


Deborah Thomasz:

I think to add to that is also where the clients see their operated businesses in different jurisdictions. I think especially in more litigious environments, the third party coverage will then be more favourably depended on, but I think in Asia we see that the clients are more focused on the first party coverages.


Summer Montague:

Yeah, that makes sense. And just one more question before I let you guys off of it. Where are you seeing the most policies sold in the Asia region? I appreciate this might differ from broker to broker and underwriter to underwriter, but just, you know, in general.


Struan Todd:

Yeah, our answers are probably very different. As I said in my introduction, we focus heavily on the SME market segment. We have started to deal with the bigger businesses as well as we grow through our second year, but we've focused heavily on Singapore and Hong Kong domiciled businesses rather than the whole Asian region.


In Hong Kong we typically see a lot of the asset managers, hedge funds, those kinds of businesses want to buy cyber protection in some format. In Singapore we see a wide variety. You know, it could be the education sector, engineers, professionals in general, construction, manufacturing... it differs drastically.

The ones that we do see, that we don't actually manage to provide that much insurance to, where there's a big growth opportunity, I think, for the market as a whole, is that FinTech segment. There's a lot of new businesses opening up in that space looking for forms of protection, and a lot of insurers just aren't comfortable with the exposures as of yet.


Deborah Thomasz:

I think for myself, because I'm just overseeing the Singapore market, in my past life there have been increasing inquiries in Japan and Korea. I think it's an upcoming topic for them in the region, but as for Singapore, the industry that is inquiring more about cyber is actually FinTech. Because requirement-wise, they would need it for investors to want to actually put money into their businesses.


Summer Montague:

That's great. Thank you very much. Before we move on to the next question, is there anyone in the audience who would like to ask a question at this stage?

Okay, great. Let's move on. So the next topic that we wanted to discuss was the impact of cyber attacks. What sort of cyber attacks are you seeing, and then how does that impact companies and businesses?


Moying Chap:

Well, I see that as a Loss Adjuster. So the insured loss that we see coming, but also, since I joined Blackpanda, from our incident response. I think the main type we see is still the same, it's either business email compromise, so the email systems that are being hacked, there's something suspicious, and the other one is the typical ransomware.


There are all types of suspicious activity that is happening for the bigger accounts where they have all the outlets in place, and this can trigger a cyber event for which they want the investigation to be started. For business email compromise, I think the impact to the victim or the insured is limited to their email exchange or cloud, like Office 365, especially during the investigation part. So the suspicious thing that they see mostly is that an email has been sent to the vendor or client or accountant that was not originally from them. And this is how the incident starts. But then the investigation is mostly focused on what the parameters were, what the emails were, whether there was some diversion of emails or something like that. The financial impact of business email compromise is mostly the loss of funds. So they've been paying a fake invoice to the wrong bank account. Whereas with ransomware, the impact is the ransom, but also all the servers that were encrypted. So you have this concept of double extortion, where the attacker will first encrypt the servers to put pressure on you, and then there's still data. They exfiltrate some data to say, if you don't pay, I'm going to release it to the dark web, to the public.


Summer Montague:

So they don't take it first, they wait till you respond?


Moying Chap:

It can be both. So basically when we start the investigation, what you see is that, oh, it's encrypted, there is a ransom note. And then when you start the investigation, you discover that some servers or some data were leaked, and this is where you confirm that there is some data. So depending on the type of incident, the impact to the victim can be very different. And the scope of the investigation also can be very different.


Lam Zhen Guang:

So just to add on, I think Moying talked about ransomware attacks, as well as business email compromise attacks. I think there are actually other types of attacks that are more prevalent, but just that maybe they didn't hit the news simply because they're not sexy enough, for example. So actually, I think a recent study shows that BEC attacks are more prominent now than ransomware attacks, simply because it's the victim that's embarrassed to admit that they were foolish enough to click on the link, for example. Other types of attacks I've seen personally, I mean, during my practice, would be introduction of malware. So it can be as simple as I've seen where the hacker drops a thumbdrive in the company's car park and somebody picks it up thinking, 'Hey, who dropped this? Is it from my company?' Proceeds on to his office and plugs it into his computer and voilà, malware is introduced. Another example that we usually see, but it is more classical, would be the distributed denial of service attack, or DDoS for short. And I always like to give an example to describe this. I remember one of my ex-partners at another law firm, how he used to give an example: he literally pushed a trolley of letters into the court to demonstrate to the judge, this is how it works, because I'm overloading your office full of requests or letters. So in that sense, it actually overwhelms the system and therefore weakens the overall system. So those are some of the other more common attacks, which depending on the policy coverage might fall under something that is regarded as a cyber attack.

So regarding implications or consequences, I think the typical ones are fines, regulatory exposure. But more importantly, I think more often than not, it's the reputation exposure that people are more particular about, because that will actually point the direction as to the certain course of action. For example, if it's a ransomware attack, should I pay just to keep things quiet? Or if it's something that's benign as an introduction of malware, but it somehow weakens my system, what do I do next? So I think it's these implications and consequences that actually direct the insured, or in some cases the uninsured, in thinking what to do next.


Summer Montague:

Well, that's really interesting. From a legal perspective, you mentioned regulatory investigations. Can you just give a high level overview of maybe what a more benign investigation might look like compared to sort of a full-blown, bigger, more intricate investigation?


Lam Zhen Guang:

So I think a complex investigation would naturally involve more than one jurisdiction for sure, simply because if it involves more than one jurisdiction, more than one country, we're talking about more than one regulatory obligation, not just in respect of, let's say for example, Singapore's PDPC, but let's say for example, the UK's ICO. I think these are the complexities that come along with multi-jurisdictional incidents. And then we, of course, have the simpler ones, but no less daily. It will be, for example, BECs. So very recently we have encountered a BEC incident where simply the victim transferred money to a fraudulent bank account. So that in that sense is very narrow, very limited. It's just in respect of the Singapore PDPC, if there's any personal information that was exposed as a result of the incident. So that is just to juxtapose the position of a simple incident versus, let's say, a very complex, multi-jurisdictional one.


Summer Montague:

Great, thank you. So we've talked briefly about the types of cyber attacks that could be seen and some of the impacts to the insured. And the next topic we wanted to move on to was how you quantify those losses. And if I can hand over to you, Moying, to talk about that.


Moying Chap:

So yes, but it's really depending on the type of incident. There are some first party aspects of the coverage which are quite straightforward. Basically there are all those invoices from contractors, so IT contractors, the investigation costs. They can be quite hefty in a claim amount. And for those, basically, the work of a loss adjuster is quite simple in that sense. You only have to verify that the costs claimed are related to the incident and they're not claiming for something else. I think the more complex type of cost is everything related to the business interruption when there is one, knowing that for that part you have to wait until the incident is resolved and the business is back to have a proper view about the actual scope of the loss. On the more technical type of cost, everything related to the restoration and remediation is quite big, especially when you have multiple systems that are being investigated and multiple systems that are compromised. So there really are two types of impact to the business and associated cost. Sometimes the investigation needs to review the whole network and all those endpoints, and during that time you can't use them. So you can have mitigation costs that you need to pay, like rental of servers, or rebuild some of them urgently. And you have the restoration costs, which are limited to the actual servers that have been compromised. So at the end of the investigation, you have to separate what has actually been compromised, what was blocked and had to be, only because it was part of the investigation, and what was part of making sure that you don't have a further attack after the first one. And of course you have to assess that depending on the policies, because they respond differently. And sometimes the definition of what is remediation, what is containment, do we cover betterment or not, might impact the time of quantification and what we need to be doing.


Summer Montague:

How is that separated in invoices, or how do you manage that?


Moying Chap:

Yeah, so today the insured usually pushes everything in the claim and they say, I would like that reimbursed. And the work of the Loss Adjuster is to say, okay, this could fall under that coverage. But sometimes the same invoice with a very big amount has to be split among different coverages, because everything related to a server replacement could fall under restoration if it was compromised. But if it wasn't compromised, then maybe it's okay to identify that only because it's a mitigation for PI. So you have that kind of aspect. The one thing that I didn't touch upon is everything related to data privacy. So all the costs related to the legal part, the PR part, the notification and the potential fines, regulatory things; this could also be a different aspect of the total loss.


Summer Montague:

Thank you very much. Back to quantifying losses, for the whole panel, what are the largest elements of cyber claims that you're seeing? Is that the IT forensic costs? Is it legal costs?


Moying Chap:

So, yeah, so in the cases I've seen... the third party aspect. Honestly, I haven't seen huge claims. The only claims I saw that fall under the third party aspect of the policies were when the IT system of the insured was closely connected to the IT system of the clients. For example, in the supply chain thing. And basically the BI (business interruption) that the victim was suffering was actually impacting the operations of the third party in that case. So we had a case where it was a logistics company, but they were handling frozen food. And because of the interruption of their business, basically they had to throw away their customers' products, so you have that kind of claim on third party. But the biggest part for me that I see is all on the first party type of losses. When there is a BI, it's obviously the BI part, but what I see from my experience, actually the investigation costs are quite big. Sometimes there's no end to it because you can continue digging. You want to see more and more. And when do you reach a level where the insured feels comfortable stopping the investigation, knowing that they expect the insurer to be paying for them? So this can be a very big one. And the other thing I see, especially for work-intensive types of business, is the BI type of losses, more the increased cost of working. So they have all the company doing overtime. With extra shifts and everything to make sure that they can do everything manually without the IT systems. And then this can be a very big aspect of the cost as well.


Lam Zhen Guang:

So I think Moying touched upon many aspects in terms of what he sees in claims. Just want to raise one interesting case that came about where, in terms of the investigation, it was fairly short. And the reason was because the victim decided to actually accede and pay the ransom. So that particular incident came with a twist, because the biggest claim came from the payment of the 10 Bitcoins. Of course, that was 2020, so the value now certainly had dropped, but in that instance it was a case where, hey, it's not really about the legal assistance or the forensic part; it was the payment of the ransom that made up the majority of the claim. So that was an interesting one, quite unlike most other incidents that Moying had mentioned.


Summer Montague:

Great. Thank you. Anyone else want to add?


Struan Todd:

Yeah, I'd love to actually. One of the reasons I do a fair bit of business with Clyde & Co in general is they helped me out with a claim when I was a broker. So I placed an Australian account when I was still in the London market, a big valuation company, and they had a cyber attack that affected all of their systems. Their main operations were really property valuations for lending purposes to banks. As soon as they'd had this cyber breach and it became public knowledge, every bank switched them off. So straight away they were no longer getting any work through any of their partners. Cash flow goes to almost zero. Business interruption loss is massive. Reputational damage is massive. Total limit loss within the first two days, and this company was buying double digits. You know, so there are circumstances that can occur for businesses of all sizes that don't necessarily think they're at risk, but they're like, I've got a robust system. I've put everything in place. I do the right processes. But they can still have one incident that could be as benign as dropping a little drive to now being a complete shutdown of the business within a week or two. So they ended up going through different stages of getting additional funding, finally got switched on by banks. But by that point in time, the business as a whole is ultimately shot.


Deborah Thomasz:

So in my experience in 2020 when it was lockdown, we actually assisted a client who had a small subsidiary based out of Singapore. And interestingly enough, their systems got compromised by the Maze ransomware. So I'm not sure whether you're familiar with it, but it is a really malicious malware that attacks your entire system. So it kind of corrupted their whole computer network, exfiltrating some of the information to the threat actors, and they were actually demanding for ransom to be paid out before they can then release information, or if they don't pay the ransom, then they'll leak out the data onto the dark web. So what happened was, the client, as usual, was very frantic, called us up, asked us what to do, and we then got in touch with the incident response coordinator. So in my personal experience, I feel that the incident response coordinator as a law firm is great because it then establishes the client privilege if, let's say, you go into litigation. What happened was the lawyer then engaged different working groups to get everything in order: the forensics, the PR firms, all the various individual companies that need to be involved in the entire working group of finding out what's wrong and what needs to be done next. Because this particular subsidiary was based in a very litigious environment, the notification to the regulators and the timeframe that we were working with was very strict. So, the first party losses were immense, so much so that I think it was in the millions. But the thing is we managed to get everything in order. We then took assistance from the lawyer to then draft up the letter to notify the clients.


Summer Montague:

Thank you very much. Any questions from the audience?

Audience:

I'd like to ask one question. It's more on cyber attack and maybe the coverage side of it. So normally we're talking about cyber attacks intended for one particular client maybe, but let's say it's a state-sponsored attack from one particular country. It could be classified as an act of terrorism. So what are your thoughts on the coverage? Would the cyber policy respond, or would it fall back to maybe a separate policy? There will be legal implications again, I don't want to go into that, but have you encountered such situations and what are your thoughts on that?


Struan Todd:

So obviously quite a contentious issue for us as insurers or underwriters at this point in time. The stance towards it is we are given guidelines by regulators that we have to follow, and we aren't able to just automatically pay all claims if we think they are tied to state-sponsored attacks. What happens in practice is we will undertake everything that we typically do for all types of clients. We'll make sure we get them back as close as possible to where they were before. But ultimately we will have to decide whether it is a state-sponsored attack, which we can find out. In a lot of circumstances, forensic experts do find their way, do see the same kind of attackers on a regular basis, do understand their behavior on a regular basis too. If it does come to that stage where we're fairly sure of that circumstance, we do have to avoid making those payments. In practice, a lot of the work is already done. A lot of the payments are already made before you get to that point, so it would be quite hard for us as insurers to avoid paying those claims. But the intention is, and the guidance from the regulators is certainly that that's the approach that we have to take. Now, I don't know whether the team's got different views based on other insurer responses, but that's certainly the way that we look at it ourselves.


Deborah Thomasz:

I think I echo what you say. So, to act in the interest of the client, of course it makes sense for the policy to be coming into play, right? We would definitely, if there are any defence costs involved and if, let's say, there are any costs needed to bring the client back on their feet. As a broker, we'll try to assist that management.


Summer Montague:

Excellent. Thank you very much. We wanna move on to another topic now, and you might have heard the term silent cyber. And we're gonna ask our panelists, what are the potential silent cyber issues that can arise? What does that mean? And what can be done about that?


Struan Todd:

So I'll go here, but I presume you'll probably have some commentary on it as well. It was a far bigger issue a few years ago, but it is still something that comes up in a number of discussions, that a number of businesses think they're protected for cyber attacks under other insurance policies. So they might buy a property policy and think that if there is a cyber attack that causes property damage, they're gonna be insured for that under that property policy. Now the intention of those underwriters when they were putting that policy together was certainly not to be providing cyber coverage. So what we're seeing now is all of the regulators are still pushing exclusionary language to make sure that we are very clear on ourselves in various different lines. Some outdated policies are also having guidance towards it where you can't be making generic claims under the policy. There are some lawyers who are trying to give advice in that segment to ensure that we don't have any gray areas where clients think that they're getting protection, but they're not. And then there are problems for brokers involved with that as well. We do see it from time to time where we are talking about the benefits of our cyber policy, and we do see a number of businesses saying, I do have coverage under this kind of policy. What we're depending on the broker market for is to explain what triggers actually are involved, how that cyber actually interacts with what they're expecting.


For example, we have PI and D&O policies which might have extensions for cyber, but it might still necessitate a third party claim for that to respond to the cyber event. So we expect that kind of guidance to the clients first. Realistically, the market as a whole has taken steps towards addressing it as best possible, but we'll continue to do so because there will be new cases and new types of insurance as we progress.


Deborah Thomasz:

I think to add to that point is back on the property insurance policy. How it is being worded is there are insured perils as well as property, and what is the definition of property? So initially, many years ago when brokers tried to park it under the property insurance where cyber is supposed to be covered, right? Property is defined as tangible assets. But for data, how do you actually assess whether it is tangible or intangible? Definitely intangible. If, let's say, you have an insured peril, let's say for example fire, your building catches fire, your computers get burned down. Does it mean that the data being leaked is covered as insured property? No, but they tried to angle it that way. So I think as the insurance markets evolve, the insurers are getting smarter, and also because they're being backed up by the regulators, right? So they then slap on an absolute cyber exclusion saying that, I'm not gonna pick up anything related to that. You need to then purchase a standalone cyber policy that should be more fitted to cover your needs.


Summer Montague:

Excellent. Thank you. Anyone else want to comment? Great. Right, we'll move on to another topic. We wanted to talk about breach response service or incident response manager. And perhaps the panel could talk a little bit about what that is, what that means, how it operates, whether all cyber policies have access to one of these and maybe some of the parties involved in that process.


Moying Chap:

For Blackpanda, on incident response, I think it's a basic thing that people are looking for in cyber policies: access to professionals to do the incident response part. I suppose the market looks the same. I think it's really depending on who they have on the panel and how they want to organize the work when there is an incident. So there are several aspects to it: the notification, the hotline, whether there is a privilege or a law firm involved, whether there is a breach coach, and then the different types of panels. But yeah, I think it's pretty stable in every type of policy.


Struan Todd:

So we do ours slightly differently, which I'm surprised you didn't touch on here.


The majority of the insurer market uses a breach coach. So they do have a law firm or a loss adjuster who typically plays the guidance role to the business when they're having a cyber attack. There's big value in them. I think they're very good at what they do and in times of emergency, they are fantastic in helping those businesses.


I had some poor experiences when I was a broker about how long it took for anything to actually happen or benefit the client. Also I was left in the dark an awful lot, where you were waiting for guidance from that breach coach about what was occurring. Who was being involved, who was actually talking to your client. What had actually happened. And at that stage, your client is also coming to you saying, what's happening with my claim? So when we set up Pandamatics we took a very different approach to that, and obviously that's because of our relationship with Blackpanda, which was let's put the customer first here. You know, the first thing that they really care about is finding out what's gone wrong and operating as swiftly as possible. They don't want to know exactly what insurance is doing, who else is helping them in the background, what they need to deal with regulators. They just want to get operational as swiftly as they can. So we put forensics in first. They do their initial triage, dive into what's happened, try and solve the problem, and then we still defer to all of the experts in their respective fields to be able to help us out on those occasions. If there's data exfiltration, absolutely lawyers are involved. You know, we want them to guide the client, let them know what the notification process is, ensure that if there is something substantial that could lead to a fine, they're getting the right guidance. If we need loss adjusting, we do have those capabilities in house with him and Blackpanda. But if there are a number of different things that come involved in that process, we obviously need to make sure that the correct calculations are made. PR consultants are the same thing, you know, we need their guidance and advice to tell newspapers, tell clients, tell customers exactly what's occurred and what to avoid in the future.


So, we certainly see that first party coverage as imperative. We just look at it in a slightly different way to make sure that the businesses are put first rather than the insurance mechanisms that support them.


Summer Montague:

Anyone else want to add to that?


Is that a service that they expect with their cyber insurance or that they ask for and in addition to that, do they always want to engage? Are they happy to use the panelists or the incident response manager? Are they happy to use the vendors that are part of whatever's offered in the policy?


Deborah Thomasz:

I think it varies. So there are some clients that are happy to just use the panel of vendors that are already tagged onto the policy. I have had experiences where clients actually dictate what vendors they want on the program.

And some insurers are open to the discussion, some are not, because I think they go through a really tedious process of picking up the particular vendors that are part of their policy. They go through like qualification analysis of where the capabilities are and the hourly rates they're actually giving to the insurers on the policy.


What is interesting is the insureds see value in their cyber policy. So the questions that I get asked are like, how do I know that? Who should I get engaged with? Let's say I do have a cyber incident. So unbeknown to them, there is actually a hotline that you can call. So it's really real. It's not like a piece of paper that I buy because I need to tick off my contracts. So when I'm having renewal discussions with clients, I actually bring them through the claims process. I let them know, like, okay, let's say you have this particular data breach. What do you do? You call me, of course, and then I will engage your incident response coordinator, and then you take it from there.


So, interestingly enough, last August I bound one of my ... is a logistics firm. First August was the policy inception. Sixth August an incident happened. Like, wow, it cannot be any better, right? The good thing about it is it happened to one of the tiny subsidiaries, and it was kind of contained because only, I think it was an HR internal drive, was compromised and the ransom demand that was asked was like 12,000. It was probably a kid in his mother's basement, like trying to play punk to earn some money.


Struan Todd:

I'll add to that as well, if you don't mind. Sorry, I'm talking a lot here. I think what we typically see is SME businesses don't really ask too many questions. They want to see that there's a product and a solution. So they care about the incident response line. They care about knowing there's some names there that they can call or get support from in the event of a claim. When you look at mid-market or higher, which is obviously a number of your clients. They can be quite sophisticated buyers when it comes to cyber risk. So they may well have an incident response company on retainer to be able to help them which they may ask us as insurers to consider having on our panel. Now, realistically, there are a number of considerations for us to take into account before we make a decision on those. And that could be hourly rate, it could be scope of service. And it could also just be our willingness to trust that they are going to do only the job that we're asking them to do. Because often there will be a case where forensics will say, this needs to be done, and then tell their clients, oh, but you should also do this while you're at it. And you could also do this to mitigate having a future claim. And you should also do this and don't worry about it. The insurer will pick it up. And realistically that's where we have problems with it. So, our stance at this point in time is if we're at the stage of negotiating on these larger clients to bring in a different panel partner. Fine. Very open to that discussion as long as we are on an open keel there, but I don't wanna do it when we're having a claim, because that happens a lot where suddenly the day that happens, they've got someone who is on retainer and they're like, they're now handling it. And it's like, well, I didn't agree to any of their costs. I don't know what they're doing. They haven't spoken to me at any stage. 
Also, we have Blackpanda here who's actually dealt with this type before on xyz and we know that they understand this risk. So, I suppose the last point to add to that is there are also a lot of businesses in the respective fields who think they know what they're doing in that circumstance. So they could be very good lawyers, they could be very good cyber security companies, but when it comes to actually dealing with an incident that is time sensitive, that is difficult, that is problematic. They don't know what they're doing and often they can advise things like just clear systems and we'll start again, and suddenly all evidence is gone. You know, we can't look at anything there for notification to regulators. We can't ensure that we're happy with making payments for various different things without that information.


Summer Montague:

Great. Thank you very much. We're gonna touch on our last topic before we move on to the Q&A section. And I'd like to invite the panelists to share some interesting claims examples that you've been involved with. Or incidents, et cetera.


Struan Todd:

I've used up all my good ones.


Moying Chap:

Maybe sharing a case in Singapore, a manufacturing company. So basically, they came to work and nothing was working, but they didn't know where it was coming from. So no email. And no ERP, so all the supply chain and the accounting, but also the manufacturing, were kind of jeopardised.


It was discovered that it was LockBit ransomware. And the ransom was, at the time, 400,000 USD. During investigation, what was discovered is that data was exfiltrated, so it was a typical double extortion type of attack. But what was discovered is that the way it was propagated into the system was really manual, and actually the threat actor was targeting some servers which had a lot of virtual machines to have the biggest impact on the operations. So it was not just spreading and seeing whatever server is going to be done; basically all the lateral movement in the system was really searching and targeting the biggest impact to the operations. So at that point we knew that it was quite a clever hacker. And there was a bigger ransom. So there were two things going on in parallel. It was all the investigation part and remediation actions, and the start of the negotiation for the ransom with the threat actor. Finally, on the negotiation part, it was decreased from 400,000 to 100,000 USD, but in the meantime, all the systems were restored.


So then there was the question about whether they were going to leak the data that they had stolen. But finally part of the investigation was to characterise what data was stolen. So we saw that there were several gigabytes of data that were leaked, but the thing is that the nature of the data was not that confidential.

There was not any PII and no exposure on data privacy. And finally, in the exchange with the threat actor, it wasn't clear whether they were going to release it or not. And finally the ransom was not paid and the data was never published. The impact to the victim, I would say the biggest part, was the investigation cost. So the total claim was around 1 million. But the pure investigation part was almost 25% of the whole amount. And the second aspect that was quite big was all the restoration fee. So there were so many servers and the servers were quite technical, so they had to basically repurchase some of the servers. There was a lot of mitigation for BI, so urgent purchase of hardware. But then on the data privacy part, it was quite small. So there was a law firm involved, there was a PR firm involved, but the costs were quite minimal.


Summer Montague:

Thank you. Anyone else?


Lam Zhen Guang:

I guess I'll take a step back. Instead of an interesting case that I've seen, it's more of the trends we have seen over the past year. I guess coming from a lawyer's perspective, let me put on my lawyer's hat, I guess it's a case of what do we see from an enforcement perspective? What is the regulator doing in terms of the cases that they have been handling?


So I guess I'll start off with, surprisingly, the number of cases since 2020 has dropped in terms of the enforcement decisions. So there were, say, in 2020, over 50 cases. In 2021, there were 25 cases, and last year there were 24 cases. In terms of the financial penalties, though, these have increased. So in 2020 it was around 16,000 SGD on average, then 20,000 SGD in 2021. And then last year was on average 27,000 SGD. So this is of course in Singapore dollars.


I guess what is interesting though is the industries that have been affected most in terms of the enforcement decisions. And that is something that people would like to know. Hey, which industry has been hit the most? Is it, for example, banks or non-profit organisations? So I think, unsurprisingly, the first would be business services. So whether we're talking about accountants, insurers, a law firm; in fact, law firms' security posture can surprisingly be not the most secure. Second will be retail, of course. Retail, I guess, simply because of the number of touch points where they deal with a customer or a business partner, and naturally there'll be more avenues for hackers to actually exploit. And the third one will be, if I'm not wrong, banking and financial services. Simply because of what's at stake. If I'm a hacker, I look at the size of the pot of gold that they have over there. I'll naturally try my luck, because whether we're talking about what I can get out of it in terms of sensitive information, or whether the tendency or the possibility of the person paying the ransom is higher simply because they have more capital. So that's what we've noticed in terms of the three industries that have been hit most in terms of enforcement decisions. So going forward, what we believe, based on, I mean, informal discussions internally as well as with peers in this practice area, is that in terms of internet facing platforms, naturally, you tend to see more incidents happening from there.


The other thing is also in terms of AI related stuff, simply because of, I mean, the explosion of ChatGPT. So in terms of more applications, whether we talk about platform or mobile application, you'll see more of such incidents relating to AI apps or AI platforms. And what I mean by that is simply because people are more curious when they see something that's AI, they just click on it, or they see something that is AI-related, they would be more interested and therefore dive deeper into it. And so in that sense, it opens more opportunities, I guess, for hackers, threat actors, state-sponsored actors even, to actually exploit this. So I guess from an insurance perspective, what I would say is not only in terms of the increasing fines, notwithstanding the drop in cases since 2020, but also in terms of the clients, the nature of insureds who actually come to you when they want to seek a claim. That will naturally be something interesting going forward.


Summer Montague:

Very interesting. Thank you very much. Just related to that, you mentioned the sort of increased fines and regulation. Are you seeing that in other parts of Asia or is that a Singapore-specific phenomenon?


Lam Zhen Guang:

So, in Australia, I think there is a classic example within the APAC region where, due to the scale of high profile incidents, I mean the government, if I'm not wrong, they're planning to revamp their privacy laws to ensure higher fines. So that's one good example where you would naturally expect an increase in fines to be dished out to organisations that are hit.


Going forward, around the region, I mean the typically more mature countries in terms of privacy laws like South Korea, Japan, these are white-listed countries from a GDPR perspective. So we think, in terms of fines, the regulator is more assured in giving out higher fines simply because the honeymoon period is long over.

For example, if I'm not wrong, Korea, their privacy law has been around since 2011. So, I mean, clearly if they're gonna dish out any amount of fines, it's not going to be what they were dishing out 10 years ago, for example. I would say keep a lookout for the developing countries. At the start, usually in practice what we see is that they use Singapore as a benchmark because of the developments of the laws here, the state of current affairs in terms of maturity. Indonesia, I mean, if you have been following the news, their laws this year may be coming up. Vietnam might take a while too, because it's still messy there in terms of development. But I would say, just keep a lookout in terms of the developing countries. Thailand, I mean their PDPA was recently formalised, if I'm not mistaken. So you may think that at the start actually the amount of fines might be lower, but going forward, similar to Singapore, you will see a spike in terms of the amount.


Summer Montague:

Excellent. Thank you. And does anyone wanna share anything else? One question related to claims is how long does a cyber incident take to resolve? Is it quick? Is it years?


Deborah Thomasz:

It depends on the complexity of the case. So like if it's a simple data leak, it can take nine months to a year to actually close off, from the time you notify to the actual payout or the resolution of the entire situation. But if, let's say, it's a huge ransomware attack, it can take from nine months all the way to over two years. And because of the discovery period of when it happened, and then information that gets found during the investigation, like what Moying has mentioned, right? It may actually change the complexity of the claim.


Summer Montague:

Thanks. Any final comments before we turn to the Q&A section?

