Cyber Message

Lawfulness of ransomeware payments

While the Swiss Federal Council and other governments are looking for effective ways to deal with the problem of ransomware, the legal framework already offers relevant regulations. Even without a specific ban, there are significant legal risks for organizations that pay ransoms. Such payments could violate Article 260ter (1) (b) of the Swiss Criminal Code, for example, if they are made to criminal organizations.

It is therefore essential that decisions to pay ransoms are made carefully and in a well-founded manner In Switzerland, the law has so far been applied in practice in a way that favors the victims. Companies that have taken matters into their own hands by paying ransoms have not yet faced additional penalties from the authorities.

Artificial intelligence

The threats that AI-generated attacks pose are still a very current topic of conversation. The EU AI Act entering into force on August 1, 2024, underscores the need for greater regulatory protection. The EU developed the AI Act to safeguard ethical values and fundamental rights, and its purpose is to provide a secure environment for users and businesses alike.

The human factor

Cyber criminals often target employees to get around companies’ security measures and penetrate their IT systems, which can cause significant damage. Employee behavior has a direct impact on cybersecurity, not to mention on mitigating the impact of an attack. Protection and damage limitation are key aspects of cyber resilience.

The latest research has shown that employees’ attitudes towards cyber risks are crucially important. If employees understand that they are working with sensitive data on a daily basis, this raises their awareness and improves security. It is vital to highlight the influence that each individual has on cyber resilience. Concrete examples, sector-specific references and regular training programs promote long-lasting awareness and foster a security-focused mindset.

Professional liability risks for tech firms

Tech companies rely heavily on complex IT systems, while the technical risks are constantly increasing at the same time. Depending on the type of company and the services it offers, this can lead to severe consequences. Breaches of duty, omissions, system outages and software bugs can result in significant problems and liability claims. Professional indemnity insurance (PI) is therefore a meaningful option to protect companies against professional risks.

Tech firms that are more exposed to external attacks face a greater risk of cyber incidents. While PI tech insurance covers the risks associated with errors or omissions when providing services or with technical products, cyber insurance covers external threats such as hacker attacks, data leaks or business interruptions. By taking out both types of insurance, tech firms can rest assured that they are comprehensively covered.

Market Update

The cyber insurance market has been dynamic and highly competitive since the end of 2023. It is increasingly being invigorated by new insurers. The trend is still moving toward more flexible underwriting guidelines, higher insured sums and, often, also reduced premiums for the same scope of cover. At the same time, strict minimum requirements for the policyholders’ IT maturity, such as the “12 Key Controls”, remain a constant. These requirements are crucially important when it comes to taking out cyber insurance. The development of the market shows that Swiss insurers are becoming more open to risk, while at the same time seeking to strike a balance between caution and innovation.

General development in the claims environment

Ransomware attacks are still the biggest risk and cause the most substantial financial losses. Companies often underestimate the many different elements of the damages they might suffer. The costs of crisis management, system recovery and the impact of a business interruption can quickly rise sharply. Ransom demands are still a serious problem. In the event of extortion, it is advisable to enter into negotiations to gather information and play for time. Kessler’s statistics show that this reduces median ransom demands by 59%.

Business interruptions due to cyber incidents

Calculating revenue loss after cyber incidents is challenging, as it is influenced by seasonal and economic fluctuations. The revenue figures have to be compared with the budgeted amounts and the figures of the previous year. Solutions such as business impact analyses are both time-consuming and expensive. Documenting additional costs is problematic too. Kessler recommends keeping records of overtime and additional measures to improve verifiability and crisis management. In addition to the hours staff work, the activities they carry out during this time should be recorded as well, so that they can be tracked at a later date.

The CrowdStrike incident

The CrowdStrike incident in July 2024 illustrated just how critical a faulty third-party update can be. A bug in the Falcon content update triggered global outages for Windows users. An event like this can jeopardize the integrity of the entire supply chain, which is why suppliers shouldn’t only be assessed once, but rather continuously as part of an ongoing process. Clear security standards and regular audits are essential in contracts with third-party providers. Such measures help to protect the integrity of data and minimize the impact of such incidents.

Cyber Self-Assessment (CSA) Tool

Since early 2024, Kessler has offered its clients the Cyber Self-Assessment (CSA) tool provided by its network partner Marsh. The web-based questionnaire makes it easier to record information relating to risks, and the questions are tailored to the size of the company and its activities. The ability to reuse data for subsequent years, and broad acceptance among insurers, greatly simplify the call for tenders and renewal process.

But that’s not all that the CSA offers. It generates reports on insurers’ assessment of a company’s IT maturity, indicates how controls are to be classified in comparison to international frameworks and shows how the company is positioned in a peer benchmark. In addition, the Blue[i] analysis tool models potential loss scenarios, including probabilities of occurrence and expected extent of loss. These insights support the risk transfer evaluation and refine the tendering strategy. They indicate what measures can be taken to make targeted improvements to an organization’s cybersecurity.

Cyber blue line

The introduction of cyber blue line in 2023 has been a resounding success. Cyber blue line significantly simplifies the cyber submission process. If the 12 minimum requirements are met, more than 98 % of our clients decide to switch to cyber blue line. Under the framework agreement, our clients also benefit from services such as phishing simulations and staff training.

Threema

To ensure secure communication even in a crisis, we rely on our collaboration with Threema. In 2024, the market research company Forrester recognized Threema as a leading provider of secure communications. Companies often fail to verify how they would communicate in a crisis. Our clients are grateful to have their attention drawn to this fact and make use of the secure communication channel via Threema offers.

Cyber Message 2024