Cyber Exposure: An Emerging Risk
Cyber Protection Insurance is an emerging form of cover that aims to protect businesses from the financial impact of a computer network hack or data breach. Recent statistics show that Australia is the 5th most targeted country for cyber attacks globally and that the vast majority of these attacks exploit security vulnerabilities caused by human error. It's becoming increasingly likely that cyber protection insurance is necessary to ensure you, your staff, your clients and your business are adequately protected. Not sure where to start? Read on for our frequently asked questions and issues:
1. We can't afford Cyber Insurance
The growing need for Cyber Insurance for all businesses has led to an increase of options in the market. With many providers offering cyber options, premiums for this type of insurance are surprisingly competitive. Another way to look at it is the cost of not having cyber protection. Say a small to medium enterprise conservatively holds 1,000 client and stakeholder records. In the event of a data breach, notifying affected clients by post would incur a minimum of $1,000 for postage. This is on top of legal and advice costs and an expert to investigate where the breach occurred so that it doesn't happen again. IT consultant costs can be between $100-$400/hr. A serious cyber attack may require experts priced up to $3,000/day, whilst legal advice can attract fees of $300-$800/hr. Beyond this, you are also at risk of bearing civil fines and penalties.
2. We don't sell anything online
The scope of Cyber protection insurance extends beyond transactional websites. Any business that relies on computer systems to function, stores data of clients, vendors, stakeholders and employees, and uses email to facilitate business activities should consider it. If your business banks on functional computer systems, you have a cyber risk exposure. From a retailer's perspective, cyber protection insurance can cover you for point of sale intrusions and payment card skimmers.
3. Our IT person will take care of that
Your IT Manager (whether internal or contracted) will likely take all measures available to protect against cyber threats, and this is an important complementary aspect of your business risk management strategy. It does not mean, however, that you are 100% safe against malware, a hack or data breach. Your robust cyber security strategy could very well protect against the majority of threats, but it is best when combined with a cyber protection insurance package as well. Use of a good cyber protection process and software will help keep your premiums as low as possible when underwriters are assessing your risk. If a cyber event occurs while you have an external provider of IT services, your business is still legally responsible for the compromised data, exposing you to high costs and reputational damage.
4. We have the best network security systems available
Network and computer security exists on a scale from minor cover to broad. Even the more comprehensive cyber security unfortunately cannot account for instances where human error affects the ability of a business's cyber systems to function, such as losing a laptop or a mobile phone containing client data. Consumer access to superior cyber protection software begets vastly more sophisticated virus, malware and hacking capabilities and therefore "perfect security" cannot exist. Examples of recent large-scale cyber breaches where high-level cyber security was in place are:
LinkedIn
In 2012, 6.5 million encrypted LinkedIn passwords were the subject of a data breach as a result of unauthorised access and disclosure of the information. In excess of 100 million email and password combinations of LinkedIn users were leaked online in 2016, four years after the initial breach.
Adobe
In 2013, a cyber-attack on software company Adobe affected almost 40 million users worldwide, 1.7 million of them in Australia. The personal information of these users was compromised and a resultant investigation by the Australian Privacy Commissioner found Adobe in breach of the Privacy Act, having not taken reasonable steps to protect its users' private information. The company submitted that these breaches occurred even in the face of having "extensive and detailed security measures in place to protect its systems".
WannaCry Ransomware
The May 2017 WannaCry ransomware attack affected worldwide businesses of all sizes. Computers with Microsoft Windows operating systems across 150 countries were infected and suffered ransom demands in the internet currency Bitcoin. 200,000 individuals who had not installed Microsoft's security update were affected.
5. I have cover under my General Liability policy
Cyber cover is unlikely to be included under a general business pack policy. Your general policy will likely cover you for legal liability for third party costs in the event something is physically damaged. Data would not be classified as physical property and, consequently, a data breach or loss cannot count as something being "physically damaged".
6. All of our data/information is safe in our cloud and can be recovered
Storing your information on a cloud network or virtual machine can mean you don't incur any business interruption costs and that your business is still able to function. However, data hosted in a cloud system for your business is still legally your responsibility to keep private and confidential, including when it is breached. The Australian Government recently passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 that will come into effect over the next 12 months. Small businesses with an annual turnover up to $3 million who meet specific criteria, or those with a turnover above $3 million, will be required to notify affected individuals and applicable regulators of data and security breaches. Once your data storage has been compromised, that information is available for the hacker to use as they wish. Your cyber insurance policy may also cover your legal expenses and costs should a Government regulator proceed with an investigation. If you're interested in getting some more information on cyber protection insurance, contact the office or your broker directly on 08 9126 9068.