Cyber Attacks and Insurance

Alex Conlon, 13 August 2015

What are the exposures of hacking and other cyber criminal activity to your business? Alex Conlon of BJS Insurance Brokers considers the issues in this emerging risk area.

Cyber and hacking exposures in business continue to grow and, importantly, cyber attacks are now commonly targeting small- to medium-sized businesses. We have had a number of clients who have been subjected to a cyber attack – it seems that, regardless of your IT security, you are not immune to the risk of having your business severely impacted by such an attack.

There are two common misconceptions about such attacks:

1. It won’t happen to me!

It’s not a matter of if, but when.

“More than 20% of Australian businesses experienced cyber crime in 2012 (CERT Australia), and 40% of all attacks were directed at Small and Medium Enterprises” — Symantec

This risk applies to any business, regardless of industry. Companies should be establishing contingency plans in the event that such an attack is made against their computer networks.

One option is engaging a qualified IT consultant to identify the exposures to your practice and develop tailored solutions to respond.

2. Isn’t this risk covered by one of my other insurance policies?

Probably not.

Traditional insurance policies (for example, Public and Products Liability, Business Interruption, Professional Indemnity, Management Liability) contain exclusions that will prevent you making a successful claim.

Cyber insurance solutions are available either by way of extensions to existing Management Liability policies or as stand-alone products. Extensions provide limited protection, whereas a stand-alone product provides more comprehensive cover. More on this later …

What are some of the exposures?

Technology is developing at an exponential rate, resulting in ever-changing goal posts on risk exposure. Several current issues are worth considering when planning your cyber security and insurance needs:

  • Smaller businesses are easier targets – they do not have the same level or sophistication of security as larger businesses.
  • The tangible equipment used to transfer data (e.g. CD/DVD/Blu-ray discs, USB flash drives) carries an increased exposure to viruses being transferred.
  • Mobile phones, tablets and laptops may be attacked by hackers, or misplaced and lost with the risk of confidential and private information falling into the wrong hands.
  • Malicious emails can infect a company’s computer network with viruses, which are then easily transmitted to your colleagues, clients or third parties.
  • Ransom attacks against a company’s network block access to systems, with the threat that all data will be deleted unless a ransom is paid.
  • Failure to implement strong encryption on computer data and backups, and to regularly update passwords for computers, networks and programs, creates easier access for cyber criminals looking for vulnerabilities to exploit.
  • New Privacy legislation came into effect in March 2014. This includes penalties of $340,000 for individuals and $1.7 million for companies that are exposed as a result of breaching the legislation (Office of the Australian Information Commissioner).

The exposure will be different for every company, depending on the nature and size of the business. As this is a rapidly growing risk, there are still new exposures to be discovered.

Insurance provides an element of protection

New insurance products are emerging on the market, but their cover ranges widely – it can be like comparing apples and oranges. Uncertainty of the changing risk also makes it difficult to determine the suitability and protection of insurance for an individual’s needs.

The core cover offered under a broad cyber insurance policy includes the following:

  • First Party Costs – Insurers provide the ability to claim reimbursements for the costs a business would incur to respond to a breach, such as IT forensic costs, credit monitoring costs, public relations expenses and cyber extortion costs (including ransom payments to hackers).
  • Third Party Claims – Any attack on your computer system can create a liability exposure to third parties from a failure to keep data secure. Claims for compensation by third parties, investigations, defence costs and fines and penalties from breaching the Privacy Act may result. This part of the policy is designed to provide protection for your legal liability.
  • Business Interruption – This section provides reimbursement for the loss of profits resulting from the breach, as well as any additional necessary expenses the business may need to incur to continue business as usual.

Managing the risk of a technology breach, hack or ransom is similar to managing the risk of a home situated in a high-risk bushfire zone. The people who take mitigating steps to remove debris, clear gutters and secure the perimeter of their residence reduce the likelihood of damage occurring to their property. However, those who ignore the warning signs may suffer losses, which could have been reduced or avoided.

It is important that business owners take action now to understand the exposures of hacking and cyber attacks and how they may impact their business. We recommend that your contingency plan consider offsetting some of the business risk with a cyber insurance solution.

This video, Who needs cyber insurance? from the National Insurance Brokers Association, may provide more information.

Alex Conlon is a senior account manager at BJS Insurance.