The internet has changed the world we live in. “Cyberspace” allows people and businesses to communicate, connect and develop in increasingly sophisticated ways.

While global internet communication has become faster and easier, this rapidly expanding technology is not without its risks. Any company operating in today’s high tech world, risks possible exposure from internal and external emails; websites providing information about the company, its products and services; as well as the increased risk of e-commerce.

Why does it matter?

The growing instances of cybercrime against Australian businesses has become a major concern.

The growth in cybercrime has seen amendments to the Privacy Act1998 (Cth) making organisations more accountable for poor data governance and security practices.  The amended Privacy Laws come into force on 12 March 2014, including the introduction of mandatory data breach reporting and more power to the Privacy Commissioner to impose civil penalties to offending organisations (up to $1,700,000) and individuals (up to $340,000) involved in a data breach event.

The financial impact does not stop simply with penalties under the Privacy Act.  Direct and indirect costs of data breaches are growing exponentially, with business interruption, lost market value, loss of reputation and remediation expenses just some of the consequences.

Insurance is becoming increasingly essential to deal with the risks of “Cyberspace”. Recent research has indicated that cybercrime costs Australian businesses $4.5 billion annually with the average cost of a data breach in Australia being $2.16 million.   Yet it remains one of the least insured policy areas.  With around one in five Australian organisations experiencing cyber-attacks in 2012[1], the crime has quickly escalated in prominence in the business community.


Who needs cyber insurance?

If you are an organisation that does any of the following then you should be considering cyber insurance

–      Store personal information for example of customers or employees.

–      Store proprietary organisation information.

–      Generate revenue over the Internet.

–      Share confidential data with third party service providers.

–      Have a website and publish content.


Examples of cyber incidents and claims

Willis Finex in its publication Cyber/Network Security publication[2] highlighted some of the most common types of Cyber claims and highlights the associated costs that companies could face as a result, for example:


Retail A hacker accessed   the retailer’s network and stole 15 million customers’ personal details. The retailer   incurred significant costs to deal with the breach including forensic costs,   notification costs, fines and credit monitoring costs. Liability claims   followed. Privacy/Network   Security Liability/Privacy event mitigation costs, fines.
Hotel A hotel group’s   point of sale network was hacked into and 6 million customer’s credit card   details were taken. The hotel   experienced high forensic costs to isolate the hack. Additional costs   included mandatory notification costs and fines. The hotel offered all of the   individuals 2 years credit monitoring service. They also received liability   claims for damages from the banks. Privacy/Network   Security Liability/Privacy event mitigation costs, fines.
Airline An airline received   a Distributed Denial of Service (DDoS) attack bringing down their online   sales platform for 48 hours. The airline   experienced a significant loss of revenue during the network downtime plus   increased costs of working. Non-physical   business interruption.
Media The media company   utilised content on their website without obtaining the appropriate licences. They were   successfully sued for over AUD 1.5M for copyright infringement. Multimedia   Liability.
Financial Services An employee of a   financial services company left a laptop in a public place containing the   personal financial details of its clients. Costs included the   hire of a PR firm, notification to all of the customers affected, setup of an   ID theft/credit alert service call centre and credit monitoring services. Privacy/Network   Security Liability/Privacy event mitigation costs.
Gaming A hacker threatened   to take down the private network of the gaming company unless they paid them   AUD 8M. Investigation costs   to identify the threat plus the extortion demand amount. Cyber Extortion[3].


Tips to manage your cyber risk

Passwords, email, social networking and out-of date software all provide opportunities for cybercriminals. To prevent attacks:


1. Identify, evaluate and prioritise the cyber risks applicable to your business and steps to protect this information.

2. Develop a proactive security plan: This may include password policies, firewalls and antivirus software.

3. Review your insurance policy: Ensure your insurance policy covers you in case of a breach; if it doesn’t, investigate other insurance options to ensure you are covered; and

4. Communicate and educate employees: Develop Internet security guidelines and educate employees about Internet safety, security and the latest threats.


Risk management and cyber insurance protection “hand in hand”

Despite implementing the most robust cyber security measures and providing extensive employee education, there is no foolproof system for securing the confidentiality, integrity and availability of data.

For this reason, more and more companies are assessing insurance options as part of their approach to risk management to ensure they have the most appropriate cover available.

This is particularly the case as most traditional insurance policies do not typically respond to data security and privacy events.

Having a robust cyber insurance policy can provide protection not only from the high costs associated with responding to a cyber-breach (including both first party losses and third party liabilities), but also from the litigation and indemnity costs after a cyber-incident occurs.



[1] Cyber Crime & Security Survey Report 2012, Australian Government.

0 No comments