Cyber Insurance: What is it and how it works & why all Australian businesses should be considering it

Cyber risk is the leading risk for Australian SME’s with the average cost of a cyber incident in excess of $270,000 and over 200 hours to recover[1].  Cybercrime continues to be a challenge for business owners meaning cyber insurance is no longer a luxury, it’s a must-have.

Most SMBs understand they require property, liability and workers’ compensation insurance, but many may be unaware how important cyber insurance is for their business.  With all of the regulatory changes, there are still misconceptions around payouts if a cyber attack happens.

Cyber Insurance – also known as cyber liability insurance – is an insurance policy that helps protect organisations from the fall out from cyber attacks and hacking threats.  It’s a contract that an entity can purchase to help reduce the financial risks associated with doing business online.  In exchange for a monthly or quarterly fee, the insurance policy transfers some of the risk to the insurer.

Having a cyber insurance policy can help minimise business disruption during a cyber incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.

Cyber Insurance is a new and emerging industry.  Policies can change from one month to the next, given the dynamic and fluctuating nature of the associated cyber risks.  Unlike well-established insurance plans, underwriters of cyber insurance policies have limited data to formulate risk models to determine insurance policy coverages, rates and premiums.

Cyber Insurance originates in errors and omissions (E&O) insurance, a separate form of insurance that protects against faults and defects in the services a company provides.  E&O insurance is analogous to product liability policies for companies that sell physical or digital products.  Whilst some policies contain provisions for E&O, most sell as separate and distinct policies.  E&O insurance doesn’t cover the loss of 3^rd party data such as customer credit card numbers.

Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent breach/attack.

The short answer is yes.  Cybercrime is on the rise and SME’s are most at risk because they typically have less protection.  Cyber incidents can result in thousands of dollars in remediation costs, customer notification costs, regulator fines, extortion costs or being sued by customers or employees for the loss of personal information.

In Australia personal information is protected by the Privacy Act 1988 and under its teams the Office of the Australian Information Commissioner (OAIC) may seek civil penalty order of up to $2.1 million in cases involving serious lapses in protecting privacy and this has been flagged to increase to $10 million or 10% of annual domestic revenue.

In the recent paper “Strengthening Australia’s Cyber Security Regulations and Incentives 2022”, the government cites research that shows company boards don’t have an adequate understanding of cyber risks.

Legal developments on cyber crime are expanding to increase the legal focus to filter down from regulators to company directors.  Just as understanding the totality of their company’s financial position is a critical director duty, it is likely that cyber risk management will form an integral part of the legal obligations a director owes their company.

Both APRA and ASIC have made it clear that cyber risks are an essential systems and control issue and have recently implemented new initiatives to increase cyber security rigor.

Directors should consider cyber security awareness an important part of their professional development.  Such awareness can lead to decreased vulnerability, lower losses from attacks, quicker data recovery and reputational repair, and greater protection from liability.

Basically anyone that uses a computer, mobile phone, iPad for work purposes can be a victim of cyber crime.

On top of this the Privacy Act 2020 introduced a privacy breach notification regime.  So if a breach occurs and it is likely to cause serious harm, the individual concerned and the Office of the Privacy Commission must be notified.  The costs associated with a breach could be substantial including legal costs, customer communication costs, regulatory fines and technology costs to fix your network and systems.

A quality cyber security strategy provided by a professional MSSP (Managed Security Service Provider) is now imperative and it should be done alongside cyber insurance to ensure in the case of an event, you can get back up and running quickly and with minimal financial cost.

Businesses of all industries should consider taking out cyber insurance because all businesses are operating in the digital space and are storing sensitive information online.  Industries where cyber insurance should be considered are:

• Healthcare/medical
• Financial Services
• Retail/wholesale
• Manufacturing
• Real estate
• Construction
• Telecommunications or Internet services
• Travel sector
• Education
• Law firms
• Insurance brokers
• Telemarketing

Cyber Insurance policies are all different and careful consideration should be taken before making your decision.  Typically, cyber insurance covers:

• Privacy breach notification & crisis management costs
  • Incident response costs and emergency hotline
  • Notifying third parties about the data breach, including mandatory notification and voluntary notification to clients, service providers or otherwise
  • Public relations costs associated with mitigating any reputational harm
  • Claims against your business for a privacy breach and loss of employee, personal or corporate information
• Privacy & Security Liability
  • Loss, theft or failure to reasonable protect personal data or confidential business information
  • Violation of privacy laws or data breach reporting requirements
  • Failure to implement adequate privacy or network security practices
  • Negligence resulting in a failure to prevent a network compromise that results in damage or loss of use to a 3^rd party computer system or data or transmission of malware or a denial of service attack to a 3^rd party
• Cyber Extortion
  • Is a threat against the insured computer system to provide ransom in order to prevent a cyber attack. Coverage can include the payment of a ransom, negotiation and mediation costs, crisis management costs and costs to resolve a security threat, and investigation costs to determine the cause of the extortion threat.
• Data recovery & system damage
  • Covers the costs and expenses for lost, damaged or destroyed IT systems, records and data. This can include the retrieving, repairing, restoring or replacing of data or systems including removing malware.
• Regulatory Defence and Fines
  • Cover for defence costs and regulatory fines that have resulted from a cyber incident such as a privacy or security breach
• Media Liability
  • Coverage for incidents such as
    • Libel, slander or other defamation or harm to a 3^rd party
    • Copyright infringement, intellectual property rights infringement, or plagiarism
    • Misrepresentation under the terms of the CCA
    • Infliction of emotional stress or mental anguish
• Incident response

Some insurance policies provides access to an incident team to help you recover from an attack.  When it comes to a cyber attack, hours count, so acting quickly can save thousands in the long run.

The incident response team may also pay costs for IT security and forensic services, legal advice, credit monitoring specialists, public relations consultants as well as call centre and mail house services.

Most states require companies to notify customers of a data breach involving personally identifiable information – a process that can be very expensive. Additionally, even though most states don’t require companies to offer free credit monitoring following a breach, such a gesture goes a long way with public relations.

While cyber insurance provides financial protection for business with respect to their digital assets, it doesn’t cover all.  Some things a policy may exclude are:

• An upgrade to your system post a cyber attack to prevent a future attack or incident
• Future profits
• Decreased valuation of the business
• Electromagnetic Discharge
• Power failure or core internet infrastructure failure
• Product IP & Patient Infringement
• Unsolicited Communications and Data Collection

These are only general examples, each insurance policy is different and standard exclusions may apply.  Make sure that you read your PDS and contact your insurance advisor to review your specific policy.

With the number of insurance policies available in the market, it is important to understand what key elements should be considered and look for in a cyber policy.

Most policies will include some coverage for all of these components.  It is imperative to compare the following as they greatly vary from one provider to the next.

• Limits
• Deductibles
• Coverage triggers
• Scope of coverage

Due to the heightened cyber threat environment, cyber insurance underwriters have responded with a laser focus on data security controls when evaluating risks. Virtually all cyber insurance insurers will require evidence, of at the very least, some preventive controls.

These are likely to include:

• Multi-Factor Authentication (MFA)
• Remote Desktop Protocol (RDP)
• data backup practices
• segregation of networks
• encryption
• proactive patch management
• Privileged Account Management (PAM)
• employee training and a host of others

Cyber insurance applications often require additional ransomware supplemental applications that may involve many questions around controls specifically designed to prevent or mitigate the effects of a ransomware attack.

Without some of these controls in place, many carriers are refusing to quote on insurance cover for the businesses concerned. Those that do will likely demand significant rate increases. Even businesses considered to be best in class risks that comply with all underwriting required security controls should brace for potential rate increases, limited capacity and possible coverage restrictions.

It is not just the insurance companies that are urging all Australian businesses to improve their cyber security posture but also the ACSC with their recent alert.  It is our recommendation for all Australian businesses to begin the process to comply with the ACSC Essential Eight Maturity Level 1 or 2 as a minimum.

Here are some real life stories of some cyber claim examples and how cyber insurance protected them.(2)

A real estate company discovered malicious software had been uploaded to its servers by an unidentified third party which resulted in corrupted files. Files containing personal information including credit card information had been accessed.

Subsequent to the data breach, fraudulent charges were made on various credit cards in multiple countries. Lawyers advised the company to notify all affected individuals. As a result of the fraudulent credit card transactions, the company offered affected individuals credit monitoring services.

These expenses were covered under the Customer Support and Reputational Expenses section of the insurance policy. The company also wanted to manage reputational repercussions due to the breach and employed a public relations expert. The fees for the public relations consultant were covered under Crisis Management Costs.

The breach resulted in IT forensic investigation fees of approximately $250,000. Other expenses covered by the insurance policy included the cost of identifying and notifying affected individuals and setting up and staffing a call centre to respond to enquiries. Additionally, $150,000 was paid in legal fees to determine reporting requirements and respond to regulatory authorities. Approximately $29,000 was spent on data restoration costs and remediation of IT vulnerabilities and business income loss of $250,000 was paid.

A small health clinic discovered that an unauthorised third party had gained remote access to a server that contained electronic medical records. The third party posted a message on the network stating that the information on the server had been encrypted and could only be accessed with a password that would be supplied if the insured made a “ransom” payment.

The insured contacted law enforcement and working with law enforcement determined that the payment ($2,500) should be made. The payment constituted cyber extortion monies under the policy. Furthermore, loss of business income amounted to $65,000 and IT forensic costs of $5,000 were paid in accordance with the coverage provided by other sections of the policy.

A law firm received a cyber extortion threat and ransomware attack on their computer network. All servers (10) were encrypted and these systems provided core business functionality. Unfortunately, the only copy of the backups, those being conducted over the network were also encrypted. Given there was no known way to decrypt this variant of Ransomware, brute-force or otherwise, a decision was made by Underwriters for payment of the ransom of 0.6 Bitcoin (approximately AUD5,300.00).

After a long delay it was confirmed that the decryption key did not work. The insured’s IT consultants in the meantime continued a manual rebuild of the insured’s computer network focusing on restoring basic function as a matter of priority.

A claim for first-party costs and expenses and loss of business income incurred as a result of a first-party insured event that occurred on the insured’s computer network.

1. https://www.cgu.com.au/business/cyber-insurance
2. http://www.lauw.com.au/wordpress/wp-content/uploads/2020-08-10-LAUW-Cyber-Claim-Examples.pdf