Unprecedented growth in digitisation and connectivity has led to increased cyber risk – Help safeguard your business with Cyber Insurance.
Cybercrime is now one of the biggest risks faced by all Australian businesses, regardless of size. Increasingly sophisticated cyber criminals are able to exploit the vulnerabilities of digital systems to gain unauthorised access to data, download malware or attack a computer or website causing it to overload and stop operating.
For your business, this can mean the loss of data and systems, a threat to your intellectual property, risk to your customers’ personal information, and major damage to the reputation of your company.
Responding to, rectifying and reporting a cyber incident can be challenging and expensive for a victim’s business. Cyber Insurance provides important support.
Cyber risk & safeguarding your business with Cyber Insurance
Cyber risk primarily refers to the risk posed to a business by a data breach or network compromise. These can occur as a result of human error, malicious actions by disgruntled employees or organised crime gangs, acts of war, or disruption by nation states.
Cyber insurance is an important component in managing this rapidly growing threat to business viability as it can help provide risk mitigation and risk transfer.
Coverage is typically available for:
• costs related to the loss of or damage to data;
• content-related claims related to data;
• investigation and remediation costs;
• public relations costs;
• liability for denial of service from or access to electronically provided data;
• costs associated with cyber extortion reimbursement;
• fines and penalties imposed by regulators; and
• compensation to third parties for failure to protect their data.
Of the coverage types listed above, the first six are ‘first-party’ as they cover losses incurred directly by the insured, while fines and penalties, and compensation, are both ‘third-party’ as they cover losses incurred by third parties (in the case of fines, the third party is the relevant regulator) that may subsequently be recouped against the insured. The nature and limits of cover will vary by insurer.
In Australia, general insurers provide stand-alone cyber insurance policies to businesses to cover a range of losses related to cyber incidents. Cover for cyber exposure may also be available as an additional element of business insurance packages, such as management liability and professional indemnity.
Effective Risk Management is good business
Insurance underwriters place a strong focus on a customer’s risk management and security culture when reviewing, assessing, and pricing the risk. Effective risk management, including a strong internal security culture, can be the most effective defence against threats. Capabilities that indicate a strong risk management and security culture may, for instance, include internal data handling and internet usage policies for all employees across the business; training of all employees on identifying and responding to a potential phishing attack; and adequate prevention, detection, and response security capabilities and plans.
Case Study: Cyber attack on a pharmacy
This hypothetical case study demonstrates how cyber insurance works to help businesses and the types of costs that can be incurred in a cyberattack. In this incident, an independent pharmacist is subject to a ransomware attack that encrypts the data affecting their point of sales registers, rendering them unable to trade. Beyond the inability to trade, the pharmacist’s systems contain sensitive health information regarding its customers that may now be compromised as the threat actor encrypts the data and attempts to exfiltrate that data to hold as ransom. The loss events incurred by the pharmacist now include lost sales, potential investigations and prosecutions that may follow the event, as well as any third-party claims by impacted customers.
As a first port of call, forensic experts would need to be brought in to determine the cause and the scope of the breach, with the costs covered by the insurance provider. There would also be the costs of notifying the government regulator and impacted customers, which needs to occur within a small window of time and can involve a lot of manual work. This work can be quite expensive, as it can require many individuals to review every compromised record to determine what information had been compromised. Those costs are covered under a cyber policy.
During the period that the systems are down, the pharmacist may need to bring on contractors, or have staff work overtime to handle the business disruption.
Depending on the size of the business involved and number of customers, the insured may also need to incur costs to operate a call centre to manage inquiries from impacted individuals. For the pharmacist, they would need to engage a third party to operate a call centre for a period, which would involve establishing a script and standard questions and answers to deal with the expected influx of calls from concerned customers. Even where a company has its own call centre, they may need to bring in additional staff or cover overtime costs to handle the significant increase in calls dealing with the security breach. In addition, the pharmacist may need to bring in a public relations consultant to mitigate the reputational damage to the business as a result of the breach.
As part of its response to the breach of customer data, the pharmacist may need to provide monitoring services to impacted individuals, allowing the monitoring services to collect the compromised data and examine any fraudulent activity based on the information that had been compromised.
The pharmacist will also need to determine whether to pay the ransom demanded to obtain the key to restore the data and devices and return the customer data. This can include legal costs to determine the legality of paying such a ransom.
As we move into the recovery phase of the cyber claim, the pharmacist will need to have the electronic data restored and have IT experts engaged to remove any malware. At this stage, the pharmacist may also now need to establish a process to ascertain eligibility, quantify and pay any compensation due to customers or other third parties arising from the breach of customer personal information, as well as respond to and pay any regulatory fines brought against the pharmacist arising from the breach.
How can we help you?
As Qualified Practicing Insurance Brokers, we’re here to help with all your Cyber Insurance needs. If you’d like to discuss how we can help protect what’s important to you, contact us today.