Protecting Reputations Since 2005
Cyber Insurance Professional Indemnity | Financial Institutions | Directors & Officers | Management Liability | Medical Malpractice | Media Liability
Level 35, 100 Miller Street North Sydney, NSW 2060, Australia T 02 8912 6400 AFSL 295894 ABN 40 114 962 435
www.lauw.com.au
Cyber Insurance
Barely a day goes by without some form of data breach being reported in the media, be it a competitor looking to gain an edge by stealing sensitive data, a disgruntled ex-employee looking to take retribution on a former employer, or the more traditional image of a technology “nerd” sitting in his bedroom pitting his wits against mankind. The media and politicians have chosen to label this kind of activity “Cyber Crime” or “Cyber Warfare”, and it is a lot more prevalent than people realise. Interestingly, it is not just big corporate organisations that are at risk; so too are small to medium businesses (SMBs). For example, a survey released mid-2013 by McAfee found 45% of surveyed SMBs (between 25 – 250 employees) had been the target of an electronic attack in the prior year and 46% had suffered a data or security breach perpetrated by disgruntled and current employees.
This is now potentially the biggest threat your company faces, yet many companies still choose to bury their heads in the sand. With recent changes in legislation and more changes coming from various government bodies, now is the time to start understanding your exposures and preparing yourself. Part of this is considering risk transfer with insurance cover.
Cyber insurance typically includes:
Technology Professional Services
This covers your liability in the event you are sued as a result of your technology services. This could include breach of contract, efficacy (fitness for purpose), plagiarism, defamation, libel or slander.
Multimedia Liability
This covers your liability in the event you are sued as a result of information provided in your multimedia e.g. your website or publications and advertising material. Examples would be breach of copyright, libel or slander, plagiarism or defamation and infringement of the right to one’s privacy.
Security and Privacy Liability
This covers your liability in the event you suffer a data breach and you are sued by the affected party including customers or employees. This also includes theft or altering of data, viruses or malware, denial of service and other loss of data from your systems.
Customer Support and Reputational Expenses
If a data breach occurs, this will cover costs incurred to maintain your reputation and provide support to your clients, such as a public relations firm to help repair damage to your brands; legal costs for notifying your affected customers or offering credit monitoring services; setting up call centres for concerned customers; and bringing in IT forensic teams to ascertain the cause of the data breach and potentially remove the hacker from your system.
What is Cyber Insurance?
As an insurance market we have not helped ourselves by labelling our product “Cyber”. Most other products do what they say; for example, “Property Damage” covers damage to property. You can purchase Cyber insurance to protect your balance sheet, and it is typically offered on a pick-and-choose, modular basis that can be tailored to your risks and price point.
Data Recovery and Business Interruption
This covers the costs incurred to restore, re-collect or replace affected data stored at your premises or at your external backup data centre or storage facilities, and loss of revenue due to network downtime because of a security breach.
Privacy Regulatory Defence and Penalties
Investigation by regulators can be expensive to defend. This covers your legal costs to comply with any regulatory action taken against you following a data breach and can also pay for civil penalties (where allowed) and compensatory awards levied by regulators.
Cyber Extortion
Hackers can threaten to release confidential information or damage your computer networks in an attempt to extort money. This covers ransom paid to prevent the threat from becoming real.
About LAUW
London Australia Underwriting Pty Ltd (LAUW) is an Australian-based underwriting agency established in 2005 with a proven claims paying track record and an established reputation for service and innovation. Please visit our website www.lauw.com.au for more information.
What else should you know?
There’s plenty of information out there, some of which can be found on our website (www.lauw.com.au/cyber-insurance). However, below are some recent results from surveys that may help you in understanding your exposure.
• The average cost per individual for a data breach in 2012 was $141 in Australia, US$188 in the USA, and GBP86 in UK, according to the Ponemon Institute’s 2013 Cost of a Data Breach Report.
• The average cost per data breach in 2012 was $2.72m in Australia, US$5.4m in the USA, and GBP2m in the UK, according to the Ponemon Institute’s 2013 Cost of a Data Breach Report.
• The Verizon Data Breach Investigations 2013 reports that, of the 47,000 incidents in 2012, 37% affected financial organisations; 23% affected retail firms and restaurants; 20% affected manufacturing, transportation and utilities; and 20% affected information & professional services firms.
• They also report that 52% of incidents used some form of hacking; 76% of network intrusions exploited weak or stolen credentials; 40% incorporated malware e.g. viruses, trojans, botnets; 35% involved physical attacks e.g. coming onto your site to install spyware; 29% leveraged social attacks e.g. socially engineered emails; and 13% resulted from privilege misuse and abuse e.g. an employee abusing clearance rights.
• On 12 March 2014 new Australian Privacy Principles (APPs), amendments to the Privacy Act and fines of up to $1.7 million for agencies and companies and $340,000 for individuals for serious or repeated invasions of privacy (i.e. for breaches of the APPs/Privacy Act) become effective.
Risk Management Tips
• Purchase a LAUW Cyber eRisks insurance policy
• Write and put in place a data breach response plan in the event of a breach
• Put in place a tried and tested business continuity plan for network downtime
• Make sure you are aware of all regulatory requirements for all territories you work in or distribute to
• Conduct employee training to ensure your staff are aware of risks the company faces
• Put in place a “bring your own device to work” policy if you allow employees to use their own devices for work
• Look at contracts with third party vendors providing data storage. Are there limitations of liability?
• Conduct an external penetration test to highlight potential areas to address
• Review system protection you have in place e.g. anti-virus, firewalls etc. and update regularly
• Keep all your systems and software patched up