What to look for in a Cyber Insurance policy

Insurance is a tricky path to navigate: pick the wrong product and you could be out of pocket thousands of dollars when you come to make a claim.

In the case of a cyber security breach you could be up for business interruption costs, forensics costs and legal costs. If your business meets the criteria of the Notifiable Data Breach Scheme, you may very well also have to report the matter to the Privacy Commissioner and fulfil the disclosure requirements, all whilst trying to get your business back on track.

How do I know which policy is right for my business?


There are a number of cyber liability focused policies available on the market. Some are limited to Australia and New Zealand only, whilst others are worldwide.

Whilst we can't give you specific recommendations for your business, we can highlight a few of the risks to consider, the various inclusions cyber liability insurance can cover, and cases where insurance has come to the rescue for different businesses.

What are some of the risks I might face in my business?


Below are some real-life examples of where a business may incur expenses in relation to cyber liability. Some may be pretty obvious, but others, such as multimedia liability, are lesser known:

Brand Protection


After a breach caused by hackers, a software provider was found by the Privacy Commissioner to have failed to take ‘reasonable steps’ to protect their customers’ personal data. In order to save the brand’s reputation, the company had to spend a lot of money on public relations.

 

Hacker Attack


A transport company’s servers are attacked by an unidentified third party and information such as customers’ credit card details has been accessed. The company is obligated to foot the bill for credit monitoring services, expenses incurred by notifying all those affected, as well as any legal costs.

Extortion


When ransom software is installed on an accounting firm’s system, the company is blackmailed into paying the hackers a large sum of money in exchange for the unlocking of client records.



Multimedia Liability


A hotel’s marketing person publishes a blog post that contains an image or logo similar to a design that has been copyrighted by another entity. This entity approaches the hotel and the matter is taken to court. The legal costs are immense.

Employee Error


A retail employee causes a breach of privacy by accidentally emailing customers’ personal data. Some of the affected individuals decide to pursue the matter in court. Legal fees and other costs associated with rectifying the issue total a hefty sum.

Computer Crime


A manufacturing firm’s accountant responds to a convincing email scam and unwittingly transfers company funds to thieves. On top of the money lost in the scam, costs to secure their IT systems were also incurred.


What should I be looking for?


Cyber Liability insurance can be purchased as a coverage extension under another policy, such as Business Pack or Management Liability, or as a standalone insurance policy. Standalone is considered better in terms of coverage and is generally not that much more expensive.

Coverage for social engineering may be obtained as part of Crime (Management Liability) policies or under Cyber Liability. Social engineering is a growing risk vector for cyber attacks.

Depending on the type of business you run and the likely risks, here are some areas to consider when buying your policy:
 

    • Data loss and restoration including decontamination and recovery
    • Business interruption loss due to a network security failure or attack, human errors, or programming errors
    • Incident response and investigation costs
    • Delay, disruption, and acceleration costs from a business interruption event
    • Crisis communications and reputational mitigation expenses
    • Liability arising from failure to maintain confidentiality of data
    • Liability arising from unauthorised use of your network
    • Network or data extortion / blackmail (where insurable)
    • Online media liability
    • Regulatory investigations expenses
    • Make sure your policy covers both 1st party and 3rd party losses


    Cyber Liability Insurance in action


    Although we all aim to never have to claim on our insurance policies, there may be instances where we unfortunately need to. These real-life examples show just how much can be at stake, financially and reputationally, in the event of a cyber liability incident:


    Third-Party Administrator

    Employees: 500

    Annual Turnover: $65,000,000

    A clandestine organisation hacked an administrator’s network prior to a major holiday weekend and stole personally identifiable information. In addition to obtaining the names and credit card information of 25,000 customers, the organisation stole the employee data of the 250 staff members.

    A virus was also placed into the administrator’s IT network, rendering the firm unable to conduct business for 72 hours.

    The administrator’s clients were unable to access the network for business purposes and sustained virus-related impacts to their own systems. The clients sued the administrator for impaired access and conduit-related injuries.

    The administrator incurred costs of $250,000 for forensic investigations, notification and monitoring measures, system restoration and legal advice.

    They also sustained more than $2,000,000 in lost business income and extra expense associated with the system shutdown.

    $300,000 in defence costs were incurred and $5,000,000 in damages were paid to customers who were unable to access the administrator’s network.



    Manufacturer

    Employees: 50

    Annual Turnover: $10,000,000

    A manufacturer leased a copying machine for a 2-year period through a third-party intermediary.

    During the 2 years the manufacturer made copies of business information, including proprietary client information and its own employee data. After the lease expired, the manufacturer returned the machine via the third-party intermediary.

    Before the machine made its way back to the actual leasing company, a rogue employee of the third-party intermediary accessed the machine’s data and stole and sold the proprietary information.

    The manufacturer incurred $75,000 in connection with a forensic investigation, notification, identity monitoring, restoration services and independent counsel fees.

    It also incurred approximately $100,000 in legal defence costs and $275,000 in indemnity associated with the theft and sale of proprietary client information.

     



    Solicitor

    Employees: 55

    Annual Turnover: $20,000,000

    Hackers obtained access to a law firm’s network and claimed to have access to sensitive client information, including a public company’s acquisition target, another company’s prospective patent technology, the draft prospectus of a venture capital client and a significant number of claimants’ personally identifiable information.

    The firm was contacted by the hacker group seeking $10,000,000 not to place the stolen information online.

    The law firm incurred $2,000,000 for forensic investigation, extortion-related negotiations, a ransom payment, notifications, credit and identity monitoring, restoration services and independent lawyers’ fees.

    The firm also sustained $600,000 in lost business income and expenses associated with the system shutdown.



    In summary, it is clear that cyber liability insurance is no longer a luxury for a business to have, but rather a necessity. At FortiTech we have assisted businesses both in the aftermath of a cyber security incident and in securing their environment, but we do leave the insurance up to the professionals. If you would like to find out more about Cyber Liability insurance, just contact us and we will pass along details of our preferred insurance broker.