Cyber Insurance explanation – What is Insured?
The primary cover provided by a cyber policy is the cost of responding to a cyber incident. The most common costs relate to securing and then reinstating your IT system, including restoring or replacing data and programs that have been lost, damaged or destroyed.
A cyber event must be notified to the insurer as soon as you become aware of it. This is a standard policy condition, and it follows from the claims-made nature of the cover.
A common problem arises when a business engages its own IT consultant, who works on the incident for weeks without resolving it. By the time we are told and notify the insurer, four weeks may have passed, and the insurer's responders then face the added challenge of unravelling what the consultant has already done to the systems (and reconstructing whatever evidence of the original intrusion that work has overwritten).
The types of events that can be covered under a cyber policy include the following. The categories closely follow the incident patterns used in the Verizon Data Breach Investigations Report, which is why several definitions exclude events that belong to another category in the same list:
- Crimeware, which is malware of any type intentionally designed to cause harm to your IT infrastructure. It does not include cyber espionage or point of sale intrusion, which are separate categories.
- Cyber espionage, which is unauthorised access to an item of your IT infrastructure that is linked to a state-affiliated or criminal source and exhibits the motive of espionage.
- Cyber extortion, which is a crime involving an attack, or the threat of an attack, against your IT infrastructure or the data in it, coupled with a demand for money or other valuable consideration (including digital currency) to avert or stop the attack.
- Denial of service, which is an attack intended solely to compromise the availability of your IT infrastructure. This includes distributed denial of service (DDoS).
- Hacking, which is malicious or unauthorised access to your IT infrastructure.
- Insider and privilege misuse, which is unapproved or malicious use of your IT infrastructure by your employees, by outsiders in collusion with your employees, or by business partners who have been granted privileged access to your IT infrastructure. It does not include theft, socially engineered theft, identity-based theft or cyber theft.
- Miscellaneous errors, where unintentional actions directly compromise a security attribute (confidentiality, integrity or availability) of an item of your IT infrastructure. It does not include social engineering or cyber fraud/theft.
- Privacy error, where acts or omissions by your employees lead to unauthorised access to, unauthorised disclosure of, or loss of data (including non-electronic data), and this necessitates incurring notification costs or identity theft response costs.
- Payment card skimming, involving a skimming device that has been physically implanted, through tampering, into an item of your IT infrastructure that reads data from a payment card.
- Physical theft and loss, where an item of your IT infrastructure goes missing or falls into the hands of a third party or the public, whether through misplacement or malice.
- Point of sale intrusion, being a remote attack against the part of your IT infrastructure where retail transactions are conducted, specifically where purchases are made by payment card.
- Web app attacks, where a web application within your IT infrastructure was the target of the attack, including exploitation of code-level vulnerabilities in the application.
Personal Information
Many organisations hold personal information about clients, customers, suppliers and third parties. Under Australian law (the Privacy Act 1988 (Cth)), personal information is defined as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.’
A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act. For example, the following are all types of personal information:
- ‘sensitive information’ (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information).
- ‘health information’ (which is also ‘sensitive information’).
- ‘credit information’.
- ‘employee record’ information (subject to exemptions).
- ‘tax file number information’.
This list is not exhaustive.
Attackers actively seek personal information. Medical practices (including hospitals) are frequent targets because they hold personal information, such as dates of birth and medical histories, that the individual cannot change after a breach, unlike a password or a card number, and that can be used for fraud.
If you hold personal information and an attacker gains unauthorised access to it, you may have an eligible data breach under the Notifiable Data Breaches scheme in the Privacy Act. Where the access is likely to result in serious harm to any of the individuals concerned, and you cannot prevent that harm through remedial action, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals; where you only suspect such a breach, you must assess it promptly (the Act allows up to 30 days for the assessment). The cost of providing this notification can be high, and it can be an onerous task to notify individuals, particularly former clients you may have lost touch with.
Cyber insurance can be an important tool in managing the notification process.
The section of cover to review on this relates to Incident Response Expenses or similar. Depending on the policy, it can cover the costs:
- To comply with the consumer notification provisions of the Privacy Regulations in the applicable jurisdiction that most favours coverage for such expenses, but only to the extent that such compliance is required because of a Cyber Incident, including but not limited to:
  - Retaining the services of a notification or call centre support service.
  - Retaining the services of a law firm to determine the applicability of, and the actions necessary to comply with, the Privacy Regulations.
- To retain a legal or regulatory advisor to handle and respond to any inquiries by a government agency, or functionally equivalent regulatory authority, alleging a violation of the Privacy Regulations, including communicating with that agency or authority to determine the applicability of, and the actions necessary to comply with, the Privacy Regulations.
If you hold Personal Information, you need this cover.