Cyber risk is here now – do not let someone ruin your business through malicious intent or by accident.
We used to deliver our letters by horse in the 1800s. Then, as time passed, more went by train, by car, and by plane. Way back in the early 1990s you may have sent and received fewer than 10 letters in a day, plus the odd fax here and there. Now, you could be sending and receiving a huge number of messages at work in a day, predominantly by email (pick a number – 50, 100 or ?).
This increase in the volume of communication is incredible. The world has changed, and with it, the IT revolution is now in full cycle. This is good, but what risks come with all this communication and the digital data you hold? ‘Business information’ is close to the most important asset of a business, i.e. how you do what you do, your client information and your supplier information are all parts of this information. An accompanying question is how you keep it. For nearly all businesses, this information is kept “as data within a computer”.
To reduce the risk of holding this data, appropriate IT data security and proper back-ups are important. However, an employee receiving an email which appears to be from their bank, or clicking on an advertisement on the websites of Disney, Facebook or a newspaper site (1) whilst at work on your server, can decimate the precautions put in place and allow ‘malware’ into your system, with ramifications.
The resultant exposures of losing control of your data can include:
- Having your data held to ransom, with resultant ransom costs and negotiation costs, remembering that the person you are negotiating with does not care about you or your situation.
- Your data being used maliciously – this could be done by someone external or even internal to an organisation.
- Loss of income through not having access to the data
- IT Consultant costs – to find the issue, to rectify it, and to mitigate the chance of it happening again.
- Public Relation costs to rebuild your business and brand
- Potential Third Party claims from persons including your clients or suppliers, from your data being held and used fraudulently by the criminal party.
- Legislative government and regulatory requirement costs
If you are in business you need to be in business – not out of business, paying ransoms, using up your management time, and paying IT consultants on a reactive (not proactive) basis.
We have had normal clients affected by this issue. This ABC 7.30 Report video (2) makes for enlightening viewing. During the video, CERT Australia (government body assisting on cyber security issues) makes an important statement about what is happening in Australia:
“What we have seen over the last year is an increase in the number of incidents – about 5,000 in the last year alone, which is about 130 a week.”
Cyber Insurance is definitely a newer form of insurance, but it is one that businesses in 2016 need to be aware of.
(1) Article – Malicious advertisements on major websites lead to ransomware, June 6, 2014, Jeremy Kirk, IDG News Service www.pcworld.com.au
(2) http://www.abc.net.au/7.30/content/2012/s3597812.htm ABC Report, 25th September, 2012
If you can control computer crime and computer attacks by third parties, and administrative, operational mistakes or malicious actions by employees and third party providers, there is no real need for you to have this insurance. If not, then read on.
Cyber risk comes in the following forms:
Cyber is one of the new types of insurance in today’s marketplace, and is an important insurance for companies that value their data and intellectual property. It is your “intangibles”, not your “tangibles”, that often make so much of the difference in business, and the computer data you hold, whether it be your own or your customers’ or suppliers’, is a crucial piece of the jigsaw in today’s competitive environment. Your computer systems, which include your notebooks, your computers, your servers, and even the cloud, hold this important information.
Cyber insurance relates to insurance of your data, your Intangibles, and also the data of others.
This type of insurance has developed markedly in recent years, and we find that there is a major difference in coverage offered by the market.
This insurance goes by various names, such as:
- Cyber Crime
- Cyber Security
- Cyber Liability
- Privacy Protection
Our preference is to simply call this Cyber insurance, because the exposures from Cyber encompass First Party, Third Party, and Loss of Income exposures, and the risk itself should be looked at in its totality.
As a wise man once said:
“A computer lets you make more mistakes faster than any invention in human history – with the possible exception of handguns and tequila.”
Cyber insurance protects you first and foremost in two major areas:
- Loss or damage to digital assets and the resultant costs incurred in restoring, updating, recreating or replacing lost or damaged data.
- Business interruption and extra expense covering lost income, investigation and mitigation expenses caused by network interruption, degradation or failure (see below for more info).
Another major benefit is cover for your costs of extortion monies following a direct extortion demand, including threats to your network, digital assets or the integrity of your customer data.
Representational cover (PR firms do cost) following a public report which damages your business’s reputation will be provided as well.
Loss of income as a result of a Cyber attack is a major reason why Cyber insurance should be taken.
Under your standard business property policy, there is a requirement called a “damage provision”. For this cover to pay, an insured event (e.g. fire or storm) must occur first.
With Cyber attacks, none of this happens, hence your traditional property policy does not respond.
What you do need is a properly structured Cyber policy.
If the insured infringes a third party’s intellectual property rights, unintentionally defames them, breaches their privacy or is negligent in the publication of any content in electronic or print media, the policy will pay defence costs as well as any civil damages.
Expenses associated with a large data breach include:
- Detection, Escalation, Notification and Response – A sophisticated attack by a hacker may take months to uncover after which the full extent of the damage may not be known for a while. Repairing a breach is expensive and involves hiring a forensic expert to discover the source of the intrusion.
- Lost Business – Business is lost as a result of customer attrition as well as difficulty in attracting new customers.
- Fines and Penalties – Fines and penalties can come, and the government is toughening legislation.
- Damages – Individuals and businesses that have been damaged as a result of a data breach seek compensation.
- Lost Productivity – Lost productivity is a real cost of a data breach. Depending on the nature of the breach, IT personnel may be pulled off other projects to identify the source of a breach and fix it. Employees will be tasked with identifying affected businesses and individuals, notifying them and responding to questions. Time is money.
- Additional Audit and Security Requirements – Companies experiencing a data breach will need to implement enhanced monitoring and auditing protocols – this would be forced upon you by government agencies also.
- Miscellaneous Additional Costs – Don’t forget legal and consultant fees.
It is clear that cyber risks are not intended to be covered by traditional policies, and a review of various classes of traditional insurance policies shows there are numerous gaps in coverage (e.g. scope, definitions, exclusions etc.) for cyber risks.
Below are some examples why a separate Cyber policy is required:
- Property and Business Interruption policies limit coverage to damage and/or loss of use of tangible physical property resulting from a physical peril. The tangible loss then allows the business interruption cover to respond. In the event of a cyber-attack, physical damage does not occur.
- Public Liability policies are triggered by Property Damage and Bodily Injury to Third Parties. A cyber-attack will not involve Property Damage or Bodily Injury.
- Crime policies require direct loss from employee theft of money or other tangible property.
- Management Liability policies contain data security breach exclusions.
- Professional Indemnity policies provide cover for a wrongful act occurring while your business is providing a service, as per your business description, for a fee.
Traditional insurance policies do not cover or respond to cyber risk.
This in turn leaves businesses exposed.
To become unexposed, talk to Business Insurance Specialists.
For a review of your Cyber insurances, contact Business Insurance Specialists Pty Ltd