The third-party liability considerations of cyberattacks

Joe Fitzgerald, Partner at Wotton + Kearney, knows from experience that getting hacked is ‘pretty terrible’.

‘It’s not something people should have to work through themselves,’ says Fitzgerald, who leads the firm’s Cyber, Privacy and Data Security team.

One of the things Fitzgerald most loves about his job is having the opportunity to help people in the midst of a crisis.

‘I’ve been lucky to be involved in many great cases, but the ones that stick with me most are the ones where you can see you’re helping.’ 

Technology geek

Having always been a 'technology geek', Fitzgerald says he found himself gravitating towards disputes and insurance at the start of his career. 

The two came together in 2016 when he took a year away from practice and completed a Master of Laws in computer and communications law in London. 

He’s been working in cyber and technology liability ever since.

Fit for purpose

As a speaker at the latest ANZIIF New Zealand Cyber Market Insights Webinar, Fitzgerald discussed the constant change he has observed in the cybercrime landscape.

‘Insurers will need to review their offerings regularly to ensure they remain fit for purpose,’ he says. 

‘We see relatively frequent tweaks and revisions to the wordings we work with, and the underwriting approaches adopted.’

Fitzgerald says the reaction to ransomware over the last 24 months has been a ‘case in point’.

‘Insurers around the world have been required to decide how they can address a risk that saw an explosion in very expensive claims,’ he says. 

‘Going forward, I anticipate we’ll see a more forward-looking and robust approach to writing these risks.’ 

Growth in cyber claims

While he can’t point to definitive numbers, Fitzgerald says all the evidence (including what he’s seeing at Wotton + Kearney) suggests the number of cyber related claims are generally growing.

‘There does appear to have been some slowdown around the invasion of Ukraine,’ he says. 

However, pinning down the actual cost of a cyberattack is often very difficult.

‘Insurers will obviously only feel that in so far as the policy responds,’ Fitzgerald concedes. 

‘I would say cases are generally getting more complex. Remediation and recovery costs are certainly going up, as are the costs of conducting privacy and information reviews where data has been exfiltrated.’

Supply chain attacks

Over the last few years Fitzgerald has observed the greater frequency and ubiquity of supply chain attacks.

‘We’ve seen cybercrime hit hundreds, if not thousands, of entities at once,’ he says. 

‘They often leverage zero day exploits (no defence in place at the time of the compromise) and involve relatively poorly executed ransomware attacks.’

This ‘scattergun’ approach means entities of all shapes and sizes can be in the firing line.

Security steps are missing

Outside of these ‘systemic’ attacks, Fitzgerald is seeing more claims involving the infiltration of a third-party or IT provider which failed to implement a particular security step or control. 

‘It seems victims of cybercrime are increasingly willing to point the finger at third parties, even if they have an entrenched relationship with the affected supplier,’ he says.

The focus of Fitzgerald’s presentation at the webinar is third-party liability considerations and risk mitigation tactics insurers and insureds may wish to utilise. 

‘It seems cyber incidents are still viewed as technical IT issues in many sectors,’ he says.

‘The reality is there are a range of third-party factors to account for.

‘My hope would be that people leave the webinar with a few things to think about such as pre-incident preparation and risk management, and post incident third-party liabilities and how they might inform recoveries, including defensive steps that insureds should be taking.’

Search ANZIIF webinars