What Is Your Business’ Cyber Risk?
Cyber Risk is increasing for businesses. Businesses using the Internet for making transactions and conducting activities have never been more vulnerable. Mark Dreyfus – Attorney General of Austral summarize the cyber risk faced by businesses in the digital age in 2012 as:
“Australia’s way of life is now integrally linked with the Internet. The Internet provides a global means of communication and interaction that underpins much of our lives – for government, business and individuals.But while the Internet offers a huge range of opportunities, it also brings risks associated with criminal and malicious activity that seeks to exploit those who use it. In particular, the activities and transactions conducted by business online require diligence to ensure that Australians maximize the opportunities offered by the digital economy”
Mark Dreyfus -Attorney General of Australia
Cyber Crime & Security Survey Report 2012 CERT Australia
To understand your business’ cyber risk, ask yourself these questions:
- Does your company have a network connected to the internet or a website?
- Does your business make use of mobile devices like laptops or mobile media to transport/store data including email communications?
- Do you collect and store customer information through a CRM system?
- Do you carry on trading through an e-commerce store?
- Do you hold files with personal information of your employees?
With most business operations being conducted over the Internet, cyber risk exposures are increasing. What are your business’ first-party risk exposures and the third-party liability exposures? What kind of loss, expenses or fines could you possibly incur in the digital world?
First- Party Cyber Liability Exposure
1: Loss or damage to digital assets – such as data or software programs (code), resulting in expense/loss/cost incurred in restoring, updating, re-creating or replacing those digital assets to the same condition they were prior to the loss or damage.
Over 100 Australian websites were hacked in 2013 resulting in damage to digital assets (websites). Businesses that suffered such loss included schools, community groups and a dry cleaning business. SMBs are prone to higher cyber risk.
2: Business interruption from unplanned network downtime is a major cyber risk causing interruption of service or failure of the network, resulting in loss of income/ cost of operations and/or extra cost having to be incurred in minimising loss plus forensic investigation for the network failure can hurt businesses.
In 2013, Nasdaq stock exchange suffered a three hour network shutdown– the reason was strain on the system for transmitting huge data/ high volume securities trading resulting in disruption of operations. Fewer shares traded on the stock exchange that day resulting in a loss for traders.
3. Cyber extortion risk– attempt to extort money by threatening to damage or restrict or deny service of the network/ or access to online store, threat of release of data obtained from the network and/or attempt to communicate with the customers using social engineering tools to get hold of personal information resulting in loss of revenue/ cost of ransom paid.
Australian Retailer Endless Wardrobe received an email asking for ransom and thereafter suffered a denial of service attack when they failed to pay the $3500 asked as ransom. They were unable to operate for over a week which resulted in loss of revenue and customers.
4. Reputation damage risk – due to data protection breach becoming public and resulting in loss of customers and/or increased cost of operation
Large organisations like ANZ and Telstra have reported data breaches in the past. Customers may decide to leave a company after a data breach. New customers may weigh factors like their personal data security when using a company’s products or services.
Third-Party Cyber Liability Exposures
1. Security and privacy breaches pose a constant cyber risk – iinvestigation, defense cost and civil damages associated with security breach, transmission of malicious code, or breach of third-party /employee privacy rights or confidentiality, including failure by outsourced service provider
Firms like LinkedIn, Apple, Adobe, Google & Vodafone in the US have all faced class action lawsuits in the recent past related to data security or privacy.
2. Investigation, defence cost, awards and fines for privacy breach resulting from an investigation or enforcement action by a regulator as a result of security and privacy obligation can be a costly cyber risk.
Sony was fined by the UK Information Commissioner for the security breach of its PlayStation Network, which took place in 2011. The Information Commissioner’s Office (ICO) fined Sony £250,000 in early 2013.
3. Customer notification expenses risk – legal, postage and advertising expenses if there is a mandatory legal or regulatory requirement to notify individuals of a cyber security or privacy breach.
The 2013 ‘Cost of Data Breach Study: Global Analysis’ released by Ponemon Institute in May 2013, estimated the average notification cost only of a data breach in Australia as USD 219.
4. Cyber risk associated with Multi-media liability – investigation, defence cost and civil damages arising from defamation, breach of privacy, negligence in publication of any content in electronic or print media, as well as infringement of the intellectual property of a third party.
The Australian Competition & Consumer Forum (ACCC) website states that a owner of Facebook and Twitter pages will become the publisher of third party content once it becomes aware of the content and decides not to remove it. Companies can be liable for misleading and deceptive conduct via social media publications, including (depending on the circumstances) for statements not made directly by the company.
5. Loss of third party data – liability for damage to or corruption / loss of third-party data or information, payment of compensation to customers for denial of access, failure software, data errors and system security failure.
Islington Town Hall in the UK agreed to pay compensation (2013) totaling £43,000 to residents whose personal details, including mental health problems and sexual orientation, were accidentally published by the council on a website.