

Where does it end? An IT professional’s duty of care responsibilities
May 31, 2023
By Maya Lazarus
Claims Manager, Brooklyn Underwriting, a division of AXA XL
Claims associated with cyber-attacks have become an increasingly significant part of my caseload. Also on the rise are complex disputes about who is liable for damages.
Cyber-criminals are rarely caught and held accountable, and more importantly, IT professionals’ “duty of care” responsibilities for their clients aren’t currently clearly defined. Consequently, IT service providers are increasingly finding themselves at risk after clients experience a cyber-attack.
Managing outsourced essential functions
Businesses of all types and sizes, from government agencies to non-profit organisations, rely on Managed Service Providers (MSPs) to outsource various essential functions, including providing technical support to staff. These functions also include use of the MSP’s data centre (or a third-party data centre) for tasks such as installing and maintaining IT infrastructure, managing user access accounts and safeguarding client data. MSPs play a crucial role in improving operational efficiency and maintaining business continuity, which makes them tempting targets for hackers, especially MSPs that work with a large number, or wide variety, of organisations. Should cyber-criminals successfully breach an MSP’s defences, they could potentially access many, if not all, of the MSP’s clients’ details, including their data, operating systems, intellectual property, etc.
In a recent incident, an Australian MSP was the victim of a ransomware attack initiated via a phishing email sent to one of their clients on a server provided by the MSP. Unfortunately, an employee of that client clicked on the link, leading to an infection with a “Qbot” trojan and, subsequently, the execution of a particularly nasty type of ransomware called “Black Basta”.
The attackers employed a form of “double extortion”: they encrypted files and exfiltrated sensitive data, which they then threatened to release publicly if the ransom demands weren’t met.
Once the ransomware was executed, the MSP’s entire server network - its files, folders, backups and Virtual Machine Disks - was encrypted, preventing its clients from accessing their data or systems. A forensic IT investigation concluded, with moderate confidence, that the attackers had also successfully exfiltrated clients’ data during the period of unauthorised access.
The incident was crippling to the MSP and their clients - and it raises questions about IT professionals’ duty of care responsibilities.
Duty of care
The term “duty of care” refers to a well-established area of tort law covering the legal responsibilities of individuals, corporations, and non-profit organisations to take all reasonable measures necessary to prevent activities that could harm people and/or their property. An individual or entity that violates their duty of care obligations by acting negligently or recklessly can be held liable for any losses or harm resulting from that behaviour.
Architects and engineers, for example, are responsible for ensuring that their designs are free of defects, faults or errors that could lead to property damage, operational losses, bodily injuries or death, or expose their clients to third-party claims.
Although the concept is widely accepted, there are significant differences between jurisdictions regarding an organisation or individual’s duty of care obligations. Moreover, courts can’t impose unlimited liability and hold everyone liable for everyone else's problems. Justice Cardozo highlighted that it would expose defendants “to a liability in an indeterminate amount for an indeterminate time to an indeterminate class”. In other words, there must be some reasonable limit to an individual or organisation’s duty of care responsibilities. The challenge though is defining where that limit is set.
Such “limits” already apply to many established industries and professions that have existed for hundreds of years: there are now set standards, codes of practice and case law in countries worldwide defining various defendants’ obligations to ensure that their products are safe, or that their services won’t cause harm or damages. And while disputes aren’t uncommon, these usually revolve around novel situations or new interpretations of the existing limits.
IT professionals
However, for IT professionals including MSPs, there are no widely accepted standards or obligations to protect their clients from cyber-attacks. Therefore, the question of whether an MSP bears any liability when one or more of its clients experiences a cyber-attack remains unsettled and ambiguous.
At this point, you might be thinking, “Wait a minute… Don’t MSPs’ contracts and Service Level Agreements (SLAs) include disclaimers - including exclusions of liability for cyber breaches?”
While this is true, such disclaimers are not ironclad. Lawyers representing cyber-attack victims may argue that disclaimers don’t apply or aren’t valid, and given the absence of set standards or legal precedents defining an MSP’s responsibilities, these arguments could prevail.
This is not to say that such disclaimers shouldn’t be included in contracts and SLAs and explicitly discussed with the client. They absolutely should. Key phrases in contracts should be clearly defined. The service provider’s obligations, as well as any limitations to the services being provided, should be clearly outlined. Nonetheless, it should not be assumed that these disclaimers provide failsafe protection against liability claims.
In this unclear and untested legal territory, it is even more important that IT service providers protect themselves and their clients from becoming victims of a cyber-attack, and deploy measures to help limit and effectively manage any consequences. Those consequences might include a significant financial burden, an inability to continue servicing other clients, reputational damage, and so on.
Top 10 tips
Our specialist team at Brooklyn Underwriting has developed a list of top tips for IT service providers to better manage their cyber risk and reduce the likelihood of the worst happening:
- Don’t just rely on the limitation of liability clause. These clauses are potentially void under unfair contract terms legislation and are not a safety net against negligence claims.
- Have standalone Cyber insurance: IT professionals are not immune from cyber breaches, and General or Professional Liability covers could exclude cyber-risk or have gaps, e.g., incident response costs and first party costs would not be covered.
- Take all reasonable and prudent measures to ensure your own systems are secure and can’t be accessed via your clients’ networks, such as:
  - segregate your network from those of your clients, and between clients in the case of MSPs;
  - always upgrade your software and have the latest anti-virus to detect malware, preferably using an endpoint detection and response (EDR) tool;
  - implement a patch management program for both critical and non-critical patches;
  - appropriately secure backups and perform test restorations of those backups at least on an annual basis;
  - use multi-factor authentication for any and all remote access to the corporate network;
  - require regular password changes, and hold training sessions for your team and clients on how to avoid phishing scams, etc.
- Ensure that your responsibilities for cyber security are defined clearly and in detail, including the terminology used in contracts and agreed between parties.
- If you are responsible for any aspects of your clients’ cyber security, ensure you can continually uphold your responsibilities with due skill and care. Document the state of each client’s security measures and protocols and identify and communicate any agreed remediation measures.
- Respond promptly to letters alleging breach of duty.
- Prioritise mitigating third-party claims and helping clients recover from cyber breaches, thereby reducing the chance of claims against them (however, be mindful of not admitting liability).
- Alert clients to new threats and keep records of all conversations and emails.
- Decline work that isn’t within your skillset or remove it from the contract. Say ‘no’ to clients that don’t fit your business model.
- Lastly, always keep up to date with any regulatory changes and trends to protect against foreseeable risks and stay ahead of the curve.
This case highlights the need for cyber risk considerations to form an integral part of an IT professional’s risk management.
To discuss these matters further, please contact the author.
About the author: Maya Lazarus is the Claims Manager for Brooklyn Underwriting, part of AXA XL. She has over 15 years insurance experience, specifically in financial lines. She is a qualified lawyer with a master’s in international law. Maya is based in Sydney and can be contacted at maya.lazarus@axaxl.com