Insurance is a tricky path to navigate: pick the wrong product and you could be out of pocket thousands of dollars when you come to make a claim.
In the case of a cyber security breach you could be up for business interruption costs, forensics and legal costs, and if your business meets the criteria of the Notifiable Data Breach Scheme then you may very well also have to report the matter to the Privacy Commissioner and fulfil the disclosure requirements for that, all whilst trying to get your business back on track.
How do I know which policy is right for my business?
There are a number of cyber liability focused policies available on the market, some are limited to Australia and New Zealand only whilst others are worldwide.
Whilst we can't give you specific recommendations for your business, we can highlight a few of the risks to consider, the various inclusions cyber liability insurance can cover, and where insurance has come to the rescue for different businesses.
What are some of the risks I might face in my business?
Below are some real-life examples of where a business may incur expenses in relation to cyber liability. Some may be pretty obvious, but others, such as multimedia liability, are lesser known:
After a breach caused by hackers, a software provider was found by the Privacy Commissioner to have failed to take ‘reasonable steps’ to protect their customers’ personal data. In order to save the brand’s reputation, the company had to spend a lot of money engaging a public relations firm.
A transport company’s servers are attacked by an unidentified third party and information such as customers’ credit card details have been accessed. The company is obligated to foot the bill for credit monitoring services, expenses incurred by notifying all those affected, as well as any legal costs.
When ransomware is installed on an accounting firm’s system, the company is blackmailed into paying the hackers a large sum of money in exchange for the unlocking of client records.
A hotel’s marketing person publishes a blog post that contains an image or logo similar to a design that has been copyrighted by another entity. This entity approaches the hotel and the matter is taken to court. The legal costs are immense.
A retail employee causes a breach of privacy by accidentally emailing customers’ personal data. Some of the affected individuals decide to pursue the matter in court. Legal fees and other costs associated with rectifying the issue total a hefty sum.
A manufacturing firm’s accountant responds to a convincing email scam and unwittingly transfers company funds to thieves. On top of the money lost in the scam, the firm also incurs the cost of securing its IT systems.
What should I be looking for?
Cyber Liability insurance can be purchased as a coverage extension under another policy such as Business Pack or Management Liability, or as a standalone insurance policy. Standalone is considered better in terms of coverage and is generally not that much more expensive.
Coverage for social engineering may be obtained as part of Crime (Management Liability) policies or under Cyber Liability; social engineering is a growing risk vector for cyber attacks.
Depending on the type of business you run and the likely risks, here are some areas to consider when buying your policy:
- Business interruption loss due to a network security failure or attack, human errors, or programming errors.
- Incident response and investigation costs
- Delay, disruption, and acceleration costs from a business interruption event
- Crisis communications and reputational mitigation expenses
- Liability arising from failure to maintain confidentiality of data
- Liability arising from unauthorised use of your network
- Network or data extortion / blackmail (where insurable)
- Online media liability
- Regulatory investigations expenses
- Make sure your policy covers both first-party and third-party losses.
Cyber Liability Insurance in action
Although we all aim to never have to claim on our insurance policies
Third Party Claims: From failure to keep data secure, including claims for compensation, investigations, payment of fines and penalties. We will also pay defence costs and legal representation expenses.
Business Interruption: Reimbursement for lost profits, as well as necessary expenses incurred to maintain operation of the business as a result of the interruption.
Remediation Costs: Reimbursement of the Insured's own costs including credit monitoring, cyber extortion, data restoration, forensic, notification and public relations costs, and legal representation expenses.
Social Engineering, Phishing & Cyber Fraud: Cover for Direct Financial Loss and/or Loss which the Insured is legally liable to pay due to: Social Engineering, Phishing, Phreaking, Cyber Fraud, Business Interruption, Contingent Business Interruption.
Annual Turnover: $65,000,000
A clandestine organisation hacked an administrator’s network prior to a major holiday weekend and stole personally identifiable information. In addition to obtaining the names and credit card information of 25,000 customers, the organisation stole the employee data of the 250 staff members.
A virus was also placed into the administrator’s IT network, rendering the firm unable to conduct business for 72 hours.
The administrator’s clients were unable to access the network for business purposes and sustained virus-related impacts to their own systems. The clients sued the administrator for impaired access and conduit-related injuries.
The administrator incurred costs of $250,000 for forensic investigations, notification and monitoring measures, system restoration and legal advice.
They also sustained more than $2,000,000 in lost business income and extra expense associated with the system shutdown.
$300,000 in defence costs were incurred and $5,000,000 in damages were paid to customers who were unable to access the administrator’s network.
Annual Turnover: $10,000,000
A manufacturer leased a copying machine for a 2 year period through a third-party intermediary.
During the 2 years the manufacturer made copies of business information, including proprietary client information and its own employee data. After the lease expired the manufacturer returned the machine via the third-party intermediary.
Prior to making its way back to the actual leasing company a rogue employee of the third-party intermediary accessed the machine’s data and stole and sold the proprietary information.
The manufacturer incurred $75,000 in connection with a forensic investigation, notification, identity monitoring, restoration services and independent counsel fees.
It also incurred approximately $100,000 in legal defence costs and $275,000 in indemnity associated with the theft and sale of proprietary client information.
Annual Turnover: $20,000,000
Hackers obtained access to a law firm’s network and claimed to have access to sensitive client information, including a public company’s acquisition target, another company’s prospective patent technology, the draft prospectus of a venture capital client and a significant number of claimants’ personally identifiable information.
The firm was contacted by the hacker group seeking $10,000,000 not to place the stolen information on-line.
The law firm incurred $2,000,000 for forensic investigation, extortion-related negotiations, a ransom payment, notifications, credit and identity monitoring, restoration services and independent lawyers’ fees.
The firm also sustained $600,000 in lost business income and expenses associated with the system shutdown.