Cyber Insurance Introduction
Chances are that you are already familiar with these: public liability cover, builders insurance, commercial auto, key person insurance, just to name a few.
We will discuss cyber security and insurance protection in depth in this post.
With data breaches on the rise, Cyber Liability Insurance is the type of insurance that deserves your attention.
It is not contractually required (yet) in most cases but the lack of it can (and most possibly will) have devastating consequences.
We’ll take an in-depth look at what cyber insurance is, the covers it provides and the privacy laws that impact you.
Not only will we look at Cyber Insurance but we’ll also discuss the most common cyber attacks you could face.
According to the Ponemon Institute's 2018 Cost of a Data Breach study, a data breach costs an average of $108 per affected record.
If you held just 1,000 individual records (customer details, vendor details, email subscribers, anyone who signed up to your website with a password), your average cost would be $108,000.
Do you have this money set aside to cover a cyber breach incident?
If not, read on.
What exactly is cyber insurance?
Cyber Insurance is designed to help offset your costs in the event of a data breach.
Like any other insurance, it’s a risk mitigation technique that allows you to transfer some of that risk to the insurance company.
Let’s face it; every business nowadays uses technology.
Whether you sell online, or simply have your customer information on a server in a cloud, if your computer is connected to the internet, the data is at risk.
The truth is, the data you are responsible for is never 100% secure, and hackers make it their mission to breach your computer’s defences.
Technology has massively changed the way business is done today. While technology in business has many advantages, it has opened the door to many new dangers and risks that didn’t exist before the digital era.
You may be a local business, but your reach is global the moment you’re online and at risk.
Cyber insurance will cover costs associated with notifying the individuals whose data has been stolen, forensic investigation costs and will protect you from lawsuits by people affected by the data breach whose records you were responsible for.
Of course, no policy is the same, so it’s important to look at each quote you receive to determine what exactly is covered.
Mandatory Notification Data Breach Scheme
Are there any laws that make Cyber Insurance necessary?
The Notifiable Data Breaches (NDB) scheme has changed the obligations of companies and agencies that collect and store personally identifiable information (PII).
This law makes Cyber Insurance even more critical, because there are new (and costly) obligations to deal with if a breach happens.
On 22 February 2018 the NDB scheme, administered by the Office of the Australian Information Commissioner (OAIC), came into effect under the Privacy Act 1988.
What does this mean for you?
If your business, agency or not-for-profit organisation has an annual turnover of more than $3 million (and some organisations are covered regardless of turnover, for example health service providers), it is now mandatory for you to notify the OAIC of any eligible data breach, that is, one likely to result in serious harm to the individuals involved.
You must assess a suspected breach within 30 days of becoming aware of it and, if it is an eligible data breach, notify both the OAIC and the affected individuals as soon as practicable.
Why do I need cyber insurance?
If you recall, the introduction to this post gave an alarming statistic: the average cost a business incurs is $108 per affected record.
With NDB in place, this average is sure to climb up for compliant businesses due to now mandatory notification and regulatory costs.
Simply put, the damages and consequences from a cyber attack can significantly hurt your business.
Keep in mind, that your costs will be far higher than the mandatory regulatory costs.
Consider this. If the data breach happens, will you want to hire a PR firm to mitigate the reputational damage and bad press?
Of course, you would.
What about the income that lessens due to your customers not trusting you anymore?
Wouldn’t you need some kind of financial supplement to keep you from shutting the doors due to no income?
Cyber Insurance attempts to keep your business running while you deal with the fallout from the breach. Business Interruption, Media & Relations and more are all covers available under the policy.
If you don’t have the protection Cyber Insurance provides against cyber risks, then there is a real chance that you will be the one who foots the bill from cyber damages along with any loss of data.
If you are a contractor, you may start to see the requirement of having a Cyber Liability Insurance policy included in your future contracts. People are beginning to realise that a cyber threat is real and everyone wants to be protected in case anything happens.
Does your business:
- Have employees who use computers, smartphones and/or the internet as part of their jobs?
- Create, keep and use sensitive information from customers, employees and suppliers?
- Recommend or implement security measures for clients as a consultant?
If you answered yes to any of those questions, then you need cyber insurance.
I’m just a small business. Why would hackers want to target me?
According to various studies, at least 45% of all cyber attacks target small businesses.
Look, the tech giants like Apple, Yahoo, Facebook and more, all anticipate data breaches and have whole departments that deal with data security.
A big corporation will have teams of people monitoring their security and susceptibility to attacks 24/7, and even they are not immune.
Just think of Equifax data breach scandal that affected over 143 million Americans.
Small businesses are often targeted because it’s easier.
Their data is less well protected and they invest little (or nothing) in security countermeasures, so they are seen as an easier job for the hackers.
Sometimes the hackers don't even target you intentionally. Automated scanning and malware sweep the internet for vulnerable systems, and your business happens to be one that was found.
What are the most common types of cyber attacks?
There is a wide range of methods cyber criminals use to breach your system and steal your data.
A short list of common techniques these criminals use includes malware, phishing, DDoS, SQL injection and social engineering.
To give you a better understanding of the threats you could potentially be facing online, please see below the brief overview of each of these methods.
Malware
This is one of the most common ways for cyber criminals to breach your system.
Malware is software written to harm or take control of your machine; once installed, it can spread to other computers, disable your systems, overload your servers and steal your records.
Common types of malware include viruses, ransomware, worms, and spyware.
Attackers will disguise malware as harmless links or email attachments to trick you or your staff into clicking.
Once clicked, malware can be used to gain control of your system, spy on your activities, monitor keystrokes and passwords, create vulnerabilities to be accessed further or crash your computer and network.
Phishing
Phishing is a cyber attack where the perpetrator pretends to be someone else to trick you into providing passwords or financial details.
They may pretend to be a reputable business or organization, a regular person who is in a rough situation, or a group that is in charge of giving you some kind of prize or award.
DDoS Attack
Short for distributed denial of service, a DDoS attack is used to knock computers, servers or networks offline.
It works by overloading the target with traffic from many sources at once; typically the attacker controls a botnet of compromised machines that all send requests to your system from numerous different connections.
Because the traffic arrives from thousands of addresses, it cannot simply be blocked at a single entry point.
SQL Injection Attack
Structured Query Language (SQL) is the language used to query and manage information within databases.
In an SQL injection attack, the attacker types specially crafted input (for example into a login form or a URL parameter) that the application pastes straight into a database query, so the database runs the attacker's SQL instead of, or in addition to, the query the developer intended.
Before you have any chance of reacting, the attacker has copied this information from your database and now has full access to it.
Imagine if your system stored medical files, credit card details, or tax file numbers and fell victim to this kind of attack!
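To make the mechanism concrete, here is an added example that is not part of the original post and not code from any product it mentions. It uses Python's bundled sqlite3 module with a constructed two-user table: a login query built by string concatenation (the vulnerable "before"), the same query written with bound parameters, and two hypothetical attacker inputs typed into the username field, one that bypasses the password check and one that reads every stored password hash out of the table.

```python
"""Added example: SQL injection against a string-built login query, and the
parameterised query that defeats it. Table, accounts and inputs are constructed."""
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    """Hash the password before it goes anywhere near the query.
    SHA-256 keeps the demo self-contained; production code should use a slow
    password hash such as Argon2 or bcrypt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", pw_hash("correct horse")), ("admin", pw_hash("Tr0ub4dor&3"))],
    )
    conn.commit()
    return conn


def vulnerable_sql(username: str, password: str) -> str:
    """How the broken application builds its login query: the username is
    pasted straight into the SQL text, so the database cannot tell data
    from code."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash(password) + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Runs the string-built query and returns every username it matched."""
    return [row[0] for row in conn.execute(vulnerable_sql(username, password))]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the SQL text is fixed and the driver passes the
    input as data, so quotes and comment markers inside it have no meaning."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    )
    return [row[0] for row in rows]


# Constructed attacker inputs, as typed into the username box of a login form.
BYPASS = "admin'--"                              # '--' comments out the password check
DUMP = "' UNION SELECT pw_hash FROM users--"     # appends a query that reads every hash


if __name__ == "__main__":
    db = build_db()
    print("legit :", login_vulnerable(db, "alice", "correct horse"))   # ['alice']
    print("bypass:", login_vulnerable(db, BYPASS, "wrong password"))   # ['admin']
    print("dump  :", login_vulnerable(db, DUMP, "wrong password"))     # both stored hashes
    print("safe  :", login_safe(db, BYPASS, "x"), login_safe(db, DUMP, "x"))  # [] []
```

The fix is not input filtering but separating code from data: with bound parameters the database receives the literal string `admin'--` as a username to compare against, finds no such account, and returns nothing. Hashing the password before use happens to stop injection through that one field, which is why the attacker goes through the username instead; every field that reaches a query needs the same treatment.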
Social Engineering
Social engineering involves an elaborate ploy to manipulate an individual into giving up sensitive information.
Cyber attackers will use human interaction to coerce the individual to break procedure and either directly or indirectly give them access to valuable information.
Attackers often use tactics that, on the surface, seem completely innocent and harmless but that, in actuality, can seriously jeopardize the safety of your data.
Who commits cyber crimes?
These days cyber crime is a “legitimate business” for many criminal organisations that devote considerable resources to writing viruses and creating scams to get access to your private data.
The type of people who commit these crimes go by many names: Hackers, identity thieves, organized criminals, and cyber terrorists, just to name a few.
Whatever they are referred to as, these attackers have a common goal: to steal your data.
The threat, however, can sometimes come from much closer to home: your data can be stolen by competitors or by your own employees, or exposed through simple human error.
Competitors
This one isn't hard to believe. The perpetrators can be your competitors wanting to give themselves an edge over you.
There are numerous, unethical and creative ways unscrupulous competitors can try and get access to your data.
They might contact your employees, use theft or hack into your computers to get the information and disrupt the operation of your business.
You can’t underestimate how far a competitor might be willing to go to gain an advantage. Whatever their motivation or strategy is, competitors represent a real risk to your system and your sensitive information.
Employees
Cyber threats aren't just outside your organisation.
Employees can also pose a threat.
Employees, both past and present, could take your proprietary information to sell it to another party or use it to start their own business venture.
They might steal important financial data for their own benefit. Whether they are out for revenge or simply looking for financial gain, it is essential to have processes in place to safeguard your data.
Human error
Data breaches aren't always the work of cyber criminals. Sometimes a data breach can simply be the result of basic human error.
For example, an employee might dispose of paperwork by throwing it in the bin. Unbeknownst to the employee, those papers contained valuable information that gets into the wrong hands.
It’s not uncommon for business owners to completely underestimate or even ignore the risks posed by members of their own staff with inside access to their data and key information.
Another human error example is an employee losing a work laptop (or having it stolen).
Is it the employee's fault? Perhaps not.
But an unencrypted laptop is a severe risk in the wrong hands.
STAYING SAFE ONLINE
Insurance should be seen as the last line of protection for your business when all other measures fail.
After all, prevention is better than cure.
Insurers also look more favourably upon businesses that are taking precautions to prevent a data breach and could result in better premiums and terms for cover.
You cannot guarantee to stop every cyber attack; if a determined criminal really wants to get into your system they may find a way. But you can make it as hard as possible for them, and often that alone is enough of a deterrent.
After all, most attackers would rather do a quick job, get in and get out, than spend considerable time and resources on a well-protected business when they don't know what they will find inside.
Besides having cyber insurance, here are some ways to reduce the chance of a breach and limit the damage if one happens.
Invest in security software
Security software is a must for keeping your data secure and protecting the information you are responsible for from cyber attacks.
Security software is a worthwhile investment, and both antivirus and firewall should be installed to protect you against the most common forms of cyber attacks.
Antivirus (endpoint protection) software detects and blocks known malware.
A firewall helps prevent unauthorised access to your network and machines.
Make sure that the security software and its signatures are kept up to date, as newer and more sophisticated malware and methods appear every day.
Antivirus software can only be truly effective when it knows about the latest and most high-risk malware circulating on the web.
Encrypt your data
Encryption is a simple but highly effective way to protect data: without the key it is unreadable, so a stolen disk or intercepted file is far less useful to a thief. At a minimum, turn on full-disk encryption on laptops and phones (this is exactly what turns the lost-laptop scenario above from a breach into an inconvenience) and make sure your website uses HTTPS so customer data is encrypted in transit.
Update your software to the latest versions
When software is updated, the developers add fixes for the latest forms of cyber attack. It's best to update your software to the latest versions on a regular basis, ideally automatically.
Often, vulnerabilities that were present in earlier versions, and that attackers are actively exploiting, are patched in these updates.
Restrict access to sensitive data
For highly sensitive or valuable information, it is a very good idea to restrict access so that only those you trust and who need to see it can use it. After all, it doesn't make much sense to let sensitive information be accessed by people who don't need to see it, right?
Back up your data regularly
For ransomware, crashes and other more obvious cyber attacks, regular backups will be a lifesaver in protecting and restoring your data against damage or deletion.
Use both cloud and physical backups and update them regularly, keeping at least one copy offline or otherwise disconnected from your network so that ransomware cannot encrypt the backup along with the originals. Test that you can actually restore from a backup; a backup that has never been restored is an assumption, not a safeguard.
Regular backups and safe storage of the backup are often a condition insurers want to see in a business they are assessing for cover.
Implementing Security Awareness programs
A Security Awareness Program is training for your employees that educates them on proper online use, who to contact if they discover a security threat, and the fact that data is an important corporate asset.
Stay Smart Online program, an Australian government initiative, has collated tips on safe online behaviour to help you stay secure online. You can get it on the StaySmartOnline.gov.au website.
Some good precautionary measures would be to restrict the use of social media during work hours and to prohibit sending work-related data to or from employees' personal email accounts.
The amount of time it takes to teach your staff some of the basics of safe online use is well worth the risks it might protect your organisation against.
Use strong, unique passwords
A very easy way to protect against cyber attacks is to use a long, unique password for every account. Forced password changes on a schedule are no longer recommended (NIST's digital identity guidelines, SP 800-63B, advise against them, because they push people towards predictable variations); instead, change a password immediately whenever you suspect it has been exposed, store passwords in a password manager rather than writing them down, and turn on multi-factor authentication wherever it is offered.
It's not at all uncommon for an attacker to gain access to a system through a weak or reused password.
THE COST OF CYBER SECURITY
How much damage can a cyber breach do?
According to the findings from the 2017 Cost of Data Breach Study: Australia, conducted by IBM and the Ponemon Institute, the notification activities that follow a breach cost an average of $500,000.
Activities that are involved with notifications include the building of contact databases, checking to see if the business meets regulatory requirements, discussing the breach with outside experts, and miscellaneous costs related to the communication to those affected.
Those are just the costs of notification activities!
We haven’t even started to factor in other costs related to the damages.
Additionally, consider these numbers:
- The total cost of a data breach averages out to $2.51 million
- The cost per lost or stolen record is an average of $139
- The financial, services, technology, communications, industrial, and education industries have greater costs due to the sensitive information they use.
Another thing to keep in mind is that a breach is often not discovered immediately.
Usually the attacker has quiet access for weeks or months, collecting information as it arrives and sending it straight to the bad guy on the other end.
The longer the breach goes undetected, the higher the cost.
Multiply those costs by hundreds or thousands of records and you can see how quickly the numbers grow.
The hardest cost to quantify is the loss of customer trust
If you knew your best friend’s data was compromised because he was doing business with Company A, would you willingly give them your personal information?
Of course not.
I wouldn’t either.
So that company has already lost you and me as their potential customers.
It’s easy to see how this could snowball quickly resulting in no new customers, reduced or non existent business income all while incurring unexpected expenses.
A recent example is the worldwide trending #DeleteFacebook campaign, with Mark Zuckerberg in damage control, following the Cambridge Analytica revelations in March 2018.
There's no doubt the damage to the trust of their users has had a negative impact on their business.
How much cyber insurance do I need?
It depends. Some factors to consider are your industry, how and where you operate your business, the size of your business and the type of information you keep.
The limits you need can also be dictated by the contract requirements you have with your clients or vendors.
How much does cyber liability insurance cost?
Again, it depends.
This is like asking “how much would it cost me to buy a house?”
You can't give a cookie-cutter answer because the factors involved are different for everybody. You have to consider the location of the house, its size and many more factors that are unique to every buyer.
As with buying a house, when purchasing an insurance policy the cost depends on several factors.
The most important being the size and nature of your business, as well as, the level of cover you wish to have.
The cost of cyber liability insurance is never certain until your risks have been properly reviewed by the underwriters; however, a rough, indicative starting range of cyber insurance premiums for a small business is between $900 and $2,500 a year for cover of between $500,000 and $2 million.
Corporate businesses with larger operations, or that operate across borders, will face much greater costs, but they also have a great deal more to lose.
It may seem like an unnecessary cost, but the yearly premium is far less than what a business would have to pay if an incident were to happen.
What does cyber insurance cover?
First party damages
This covers the costs incurred by your business.
It’s important because it provides you the money needed to respond to a breach and get you back to operating at the same level before the breach occurred.
A policy can include:
Privacy Notification & Crisis Management Expenses
- Notification of the data breach to those affected. A vital cover to the cost of complying with the new NDB scheme.
- Hiring a forensic firm to investigate the breach.
- Hiring a PR firm to manage the bad press and restore your customer’s faith.
- Providing credit monitoring to those affected
Business Interruption Costs
This covers your losses as a result of a hack and the cost of getting you back in business again.
- Loss of income – compensating the business for lost income while it is dealing with the fallout from the breach.
- The cost to recover the data and system restoration.
- Extortion and ransom payments – payments to an extortionist who is holding your data hostage or threatening an attack. Policies normally require the insurer's consent before any payment is made, and paying never guarantees that the data comes back, which is one more reason to have tested offline backups.
Social engineering damages
A cyber insurance policy can cover losses sustained through deception, where someone manipulates an individual into divulging confidential information or acting on a fraudulent instruction (for example, a staff member paying a fake invoice), which is then used for illicit purposes.
Third party liability costs
This covers the costs you will incur to compensate those that have been negatively affected as a result of your system being breached.
Let me demonstrate. Imagine your business was to clean one-of-a-kind widgets. You take the widget from the customer to be cleaned at your workshop. Overnight, a fire starts and destroys the dirty, but functioning, widget.
You are liable for the costs to replace the widget. However, you may also be liable for the costs incurred by the client as a result of losing the widget.
A Cyber Policy works in a similar way: the third party portion of the cover protects your business against legal action and the costs incurred by others as a result of their data being compromised while in your possession.
Coverage can extend to social media damages; for instance, libel and slander. Additionally, it can also cover the costs of copyright infringement.
It’s important to look through a policy and see if it meets any needs you might have in this area.
What should I look for in a cyber insurance policy?
It is vital that you understand the definitions and wordings within the agreement. Some of the covers we discussed may not be included in a package. One insurer might define something as a cyber event while another would not.
Other important details to note are limits, sub-limits, and time frames.
Finally, you will want to consider the unique risks to your business, what exclusions are present in the policy, and whether or not you want to consider extensions for third parties.
Businesses that need more.
Some businesses, due to their real or perceived level of risk, will be more difficult to organize a policy for.
Examples of types of businesses that are included in this category are adult content sites, application development, credit card processing sites, government and medical professions with a large number of records, online retailers with a large online presence and restaurant franchises.
I ALREADY HAVE CYBER COVER
I have public liability insurance. Doesn’t it cover cyber crime?
Yes and no.
While there are certainly some business insurance policies that cover cyber-related instances, there are also many that don’t.
Even with a cyber liability endorsement to a liability policy, you will never get the same limits that you would with a standalone Cyber policy.
Typically, the endorsements have an aggregate limit of $50,000 which will vanish very quickly leaving you to foot the rest of the bill.
Also, the extension endorsements often do not include first party cover – basically you may not be covered for PR / Media relations cost, forensic investigation and incidents covered by multimedia cover or social engineering cover.
My employee or staff member organises our insurance. What’s there to be concerned about?
While financial officers play a very important and necessary role in a company, it’s worth keeping in mind that their performance may be measured in terms of saving money.
As a result, they may opt for the cheaper insurance policy that doesn’t adequately cover your business against cyber risks in order to meet their cost objectives.
As the director, you could be the one held accountable in case of a data breach and subsequent lawsuit. Because of this, you are going to want to make sure you are covered for events like a cyber breach.
My IT people say my system is rock solid. Is there any reason to worry?
While they may truly believe that's the case (in which case, get their word in writing so that they accept responsibility in the event of a breach), the fact of the matter is that no system, no matter how secure, is immune to breaches or vulnerabilities.
You also might want to review your agreement with your IT service providers and see what happens in case of a breach.
It’s a good idea to have clarity in your contract and find out exactly what would happen were your system to be exploited.
GETTING CYBER PROTECTED
How do I get a cyber insurance quote?
Our process for getting you a quote has been streamlined and is made very easy.
We genuinely believe it’s one of the most important covers a business can have and we are on a mission to bring awareness of those risks, and how Cyber Policy can solve them to every business we can.
Because not every business is the same, we will have a necessary conversation where we find out more about your operation, your risks and verify any additional information an insurer will ask to provide the quote. Then we’ll take it from there and present you with a proposal, approved by one of our highly rated insurers.
Please contact us at 0456 456 085.
Which product is right for me?
With the influx of new products on the Australian market, it can be difficult to know which one is the right fit for your business.
This is a situation where having an experienced insurance broker can pay off.
Once we get an adequate understanding of your business’s particular cyber risks, needs, and goals, we will work hard to match your requirements with the right product and insurer.
We will be your guide in the confusing (and new) world of Cyber Liability Insurance.
At the end of the day, there are numerous high-cost risks being posed to nearly every business in the world by cyber attackers. Your business could potentially be facing huge issues with data breaches and system attacks.
No system can be 100% protected from these kinds of risks, and no business can spend all of their time monitoring their computers and data to make sure everything is fine.
It makes much more sense to simply take out a cyber insurance policy so that, if such a breach or cyber event were to happen, you know your business would not be left financially liable for the damages.
Contact us today, and we will show you your options and set you up with the right policy for your business. We will make sure that you have a peace of mind that your business is protected in the event of a cyber attack.
The Office of the Australian Information Commissioner (2018), Notifiable Data Breaches scheme, https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
Ponemon Institute (2018), 2018 Ponemon Cost of Data Breach Study, https://www.ibm.com/security/au/en/data-breach/
Rapid7, Common Types of Cybersecurity Attacks, https://www.rapid7.com/fundamentals/types-of-attacks/
Stay Smart Online (2018), Security Awareness Implementation Guide, https://www.staysmartonline.gov.au/get-involved/guides/security-awareness-implementation-guide
Simpson, K. (2017), Top 10 Tips for Data Theft Prevention, Inc., https://www.inc.com/thehartford/10-data-theft-prevention-tips.html
Dual Australia (2014), Dual Claims Examples – Cyber & Privacy Protection, http://www.athoc.com.au/news-and-info/athoc-content/uploads/2014/10/Dual-Cyber-Privacy-Protection-Claims-Examples-03-14.pdf
Birkett, R. (2018), Business Law Breakfast on Privacy, Aitken Partners, Lecture 7 March 2018
Joseph, M. (2018), Austbrokers Cyber Pro, Austbrokers Cyber Pro Pty Ltd, Lecture 22 March 2018