Do I need cyber insurance for my business?
When it comes to cyber insurance, many people in small and medium-sized businesses assume that the risks involved with cyber security don't affect them, or that they are already protected. They say things like "We don't take credit card payments, so we're not at risk", or "We have anti-virus protection and the website is secure". But when they learn about the different risks and areas they could be liable for, such as being responsible for client data and complying with data privacy laws, many are surprised.
Before you bury your head in the sand, consider one common cyber security incident:
What would you do if you had a security breach and had to tell your customers you've lost their data?
Polina Kesov, Director, ii-A Insurance
Data security breaches are a more common occurrence than you may expect, especially for SMEs. The Notifiable Data Breach Scheme managed by the Office of the Australian Information Commissioner actually imposes certain threshold requirements where businesses are obligated to notify clients about the breach, and notify the Privacy Commissioner. Not only would this affect the company reputation, but also take up valuable time and resources to fix.
The Notifiable Data Breach Scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, and regardless of your annual turnover applies to credit reporting bodies, health service providers, and TFN recipients, among others.
So, it's more than worth taking a few minutes to learn about common cyber misconceptions, how your business could be affected, what the potential costs might be, and what the options are if you need insurance cover.
How could cyber threats affect my business?
There are some scary statistics when it comes to the cost of cyber risks:
- $10,299 - the average cost of cyber crime for small to medium-sized businesses (according to Norton SMB Cyber Security Survey 2017)
- $1.9 million - the average cost for medium-sized businesses (100-500 employees) if hit by a cyber attack (according to Webroot, 2017), with the figure over $1 million for larger organisations (Radware 2018-2019 Global Application and Network Security Report)
- 25 hours or more of downtime - what one in four businesses hit by a cyber attack experienced (according to Small Business Best Practice Guide 2017)
- Downtime is the main impact of a cyber security threat (39%), followed by expense for re-doing work (25%), inconvenience (27%), financial loss (11%) and data loss (13%). Of those that had lost data, over half (52%) had not been able to recover it.
- 54% of cyber attacks are from email or phishing scams (according to Norton SMB Cyber Security Survey 2017)
- Up to $2,100,000 fine from the OAIC for not complying with mandatory data breach laws for a company and up to $420,000 for an individual. (Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches (NDB) scheme, February 2018)
- 59% of Australian organisations are affected each month by interruptions caused by cyber crime (according to Commonwealth's Stay Smart Online guide for small business)
- 2,500% increase in the sale of ransomware on dark net sites since 2016 (according to The Ransomware Economy, Carbon Black 2017)
When people see these statistics, they see that the relatively low cost of cyber insurance is dwarfed by the volume and range of potential costs that it covers.
4 main reasons why SMEs are easy targets for Cyber Attacks
Attacks on small and medium-sized enterprises are on the rise due to:
- Lack of resources: 1 in 4 Australian small businesses have fallen victim to cyber crime (according to Norton SMB Cyber Security Survey 2017). SME owners are focused on their core business offering - be it as a real estate agent, lawyer, accountant, doctor, mechanic, manufacturer or whatever industry they specialise in - and often lack the time, resources or expertise to understand their cyber exposures.
- Lack of education on cyber security: Large organisations provide training to their employees on the importance of cyber security and the key risks to be aware of, which smaller businesses often lack. Simple human mistakes, like lost smartphones or accidentally sending an email to the wrong person, are the cause of 30% of cyber incidents (according to the Office of the Australian Information Commissioner Quarterly Report, December 2018).
- Weak network security or IT infrastructure: SMEs typically handle their own IT systems and security themselves, or outsource to someone because they lack the expertise. This contrasts with the more robust IT teams and operations in larger organisations.
- Businesses hold valuable data: There is a common misconception that SMEs won't be a target of cyber threats because they have no data or information that is of value or worth stealing. SME data is more valuable than people think. Even if the SME isn't the direct target, the SME might be a critical entry point into the integrated supply chain of its valued partners.
Costs associated with cyber attacks for businesses
The costs a business may incur due to cyber security breaches come under three main categories:
- First Party Costs: The business's own costs to respond to the breach, including but not limited to IT forensic costs, credit monitoring costs, cyber extortion costs, data restoration costs, legal representation expenses, notification costs and public relations costs.
- Third Party Claims: The business's liability to third parties arising from a failure to keep data secure, including data held on behalf of the business by an outsourced supplier, freelancer or cloud service provider for which the business is legally liable. Insurance coverage is available for claims for compensation by third parties, investigations, defence costs, and fines and penalties for breaching the Privacy Act.
- Business Interruption: Reimbursement for the business's lost profits resulting from a Business Interruption Event. Many policies now provide coverage that is not limited to malicious attacks: coverage can be made available for Business Interruption Loss arising from unauthorised access, any damage to the business's data and/or programs, and any system outage, network interruption or degradation of the business's network.
Laws & regulations governing Cyber & Privacy Risks
There are many laws and obligations which businesses must adhere to in relation to cyber security:
- Privacy Act 1988
- The Information Privacy Act 2014 (ACT)
- Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979
- National Health Act 1953 (NH Act)
- Data-matching Program (Assistance and Tax) Act 1990
- Crimes Act 1914 (Crimes Act)
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
- Healthcare Identifiers Act 2010 (HI Act)
- Personally Controlled Electronic Health Records Act 2012 (PCEHR Act)
- Personal Property Securities Act 2009 (PPS Act)
Security is simply managing risk
There are various ways businesses can manage cyber security risk:
- Reducing the risk: Businesses should put in place procedural, technical and physical controls in order to reduce their exposures.
- Accepting the risk: An internal decision, taken after the business has evaluated the risk against the reward, to live with the exposure.
- Transferring the risk: Insurance should be seen as an additional layer in the security process, not an alternative to it.
- Avoiding the risk: When the likelihood and impact of the risk to the business are too high, businesses can remove the risk source, for example by deleting old data, or by deciding not to start, or to discontinue, the activity.
What does Cyber Insurance cover?
Cyber insurance covers a business for the cyber exposures it faces, from both third party claims (for example, actions brought by the Privacy Commissioner or clients suing for breach of privacy) and first party cover, including Business Interruption and other expenses that it might incur as a result of a cyber attack.
The first party expenses a business might incur include, but are not limited to, costs to repair or restore systems, credit monitoring services if data has been breached and public relations expenses.
What can I do now to avoid cyber and data privacy risks?
In addition to considering insurance coverage, there is still lots you can do to mitigate potential risks for your business.
Nine Steps to tighten your Cyber Security
- Network Security: Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.
- Malware Protection: Produce a relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the business.
- Monitoring: Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse comprehensively for unusual activity that could indicate an attack.
- User Education and Awareness: Produce user security policies covering acceptable and secure use of the business's systems. Establish a staff training programme. Maintain user awareness of cyber risks.
- Home and Mobile Working: Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit and at rest.
- Secure Configuration: Apply security patches and ensure that the secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.
- Removable Media Controls: Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing it onto the company system.
- Managing User Privileges: Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
- Incident Management: Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.
Want to learn more or have a question?
Polina Kesov is a specialist in cyber insurance and Director at ii-A Insurance Solutions. To find out more about the risks involved in cyber security and what your insurance options are, get in touch for a free ten minute consultation with Polina.
Advisr does not provide advice and does not hold a financial service license (AFSL). All information above has been provided by Polina Kesov.