Thursday, 3 Nov 2016
A couple of weeks ago, I had a call from a client, Steve, who operates a Real Estate Agency in Wollongong*. During the usual greetings I noticed he was distressed. “I almost got done over” were his first words. Immediately concerned, I asked, “What happened, Steve? Did you get broken into?” He replied, “Much worse than that!” He went on to explain how he had received an email that morning from what appeared to be Australia Post with his monthly statement. He usually receives statements by post; however, with the recent push by institutions to deliver all correspondence by email, he didn’t think anything untoward about the email and went on to click the link.
Instead of receiving his statement, he launched a CryptoLocker, which presented as a big black box on his screen with the words “Pirates of the People” and a notice that his system was now locked and that he had to deposit $5,000 in a bank account within 48 hours to receive a code to unlock his system; otherwise his computer would be wiped.
He immediately called his IT provider who investigated the issue and was thankfully able to contain the CryptoLocker to the laptop, as he was not logged into his server at the time. Luckily the damage was limited to a laptop that he had to throw away, along with the loss of photos and documents that were stored on this laptop. Had the laptop been connected to his server at the time, his entire client database would have been in the hands of cyber criminals, and all confidential information such as details of property ownership and bank account numbers for clients would have been exposed.
And this is before consideration is made for any potential fines from regulatory bodies such as the Privacy Commission for breach of confidential data. These fines could be as high as $340,000 for directors and $1.7 Million for companies.
Only three months earlier, when I met with this client to review his insurance program, I identified a gap in his cover: Cyber Risk Insurance. At the time, this client dismissed the need for this cover as he believed he had the best electronic security in place and took up all recommendations from his IT provider accordingly. However, in this instance the human component in the security structure had failed, and by his own actions he had unintentionally launched a cyber-attack on his system.
We are now going through the process of arranging Cyber Risk Insurance.
Due to this experience, my client placed just as much importance on obtaining the right cover as he did on making sure he had the right security from his IT provider.
Cyber-crime is ever growing.
A report released by Lloyd’s of London in 2015 found that the global cost of cyber-crime reached USD $500 Billion, overtaking the drug trade at USD $435 Billion. And remember the drug trade once created the seventh richest man in the world.
Research conducted by Forbes Magazine in 2016 estimated that cyber-crime costs could reach as high as USD $2 Trillion by 2019.
The Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, stated only this month that the national Computer Emergency Response Team (CERT Australia) had dealt with 14,804 cyber security incidents affecting Australian businesses in the last financial year. And these are only the attacks that have been reported as severe in their nature. This does not include the everyday attacks such as the one our client experienced.
A report released by government agency ACSC (Australian Cyber Security Centre) in October 2016 stated “Cyber crime remains a pervasive threat to Australia’s national interests and prosperity. Australia’s relative wealth and high use of technology such as social media, online banking and government services make it an attractive target for serious and organised criminal syndicates.”
The report also outlined the following industry sectors that are most targeted as shown in the graph below:
A study conducted by Microsoft this year found that 20% of small to mid-sized businesses have been cyber-crime targets.
The statistics are horrendously alarming!
Now the question must be asked: how do you properly prepare yourself? As with all risks, prevention by way of up-to-date security and engaging an IT provider that is up to speed with this ever-changing space is paramount, but just as important is getting the right insurance cover in place.
As with all insurance policies, not all Cyber Risk covers are the same. It is important to make sure you get the right one that has all the appropriate parts to adequately protect your business. Cyber Risk Insurance can be broken down into two main areas of coverage, known as first party cover and third party cover. First party cover is the most critical aspect of cover under a cyber risk insurance policy because it provides the Insured with immediate expenses at the time of an incident, and does not require a claim to be made by a third party for the cover to trigger.
First Party Cover
Privacy Notification Expenses – The costs associated with notifying individuals that have been affected by a breach, including setting up call centres and identity theft services. Immediate expenses such as crisis management costs, hiring a public relations firm to manage the fallout from an incident, a forensic IT expert to identify how and where the breach occurred and legal services, including advice on legislative requirements following a breach are also included.
Data Recovery Expenses – The costs associated with replacing, restoring and re-creating data as a result of a security breach, accidental human error and/or other covered incidents under the policy. This includes the costs of forensic experts involved in the process.
Loss of Business Income – The costs associated with a loss of business income due to a degradation in the Insured’s operation due to a security breach, accidental human error and/or other covered incidents under the policy. This also includes additional operating expenses such as the leasing of equipment etc.
Data Extortion Cover – The costs associated in dealing with a cyber extortion threat, including the payment of ransoms and the costs of experts to mitigate and remove such threat.
Third Party Cover
Security & Privacy Liability – The costs associated with defending claims from third parties, including the eventual claim settlements, along with the costs of regulatory investigations and the payment of fines and penalties.
Multimedia Liability – The costs associated with multimedia liability type claims, including defending such matters. This includes defamation and breach of copyright issues arising from the electronic publishing of information.
Usually when you think of insurance you immediately think of what you can see and feel, such as the office furniture and computers, and for that you get the best locks you can get and a back-to-base alarm. What you overlook, however, is the value of what you cannot see and feel: your data and the information you hold about your clients. Just like your office, even though you get the best locks and the best back-to-base alarm, it doesn’t mean you go without the insurance just in case your security doesn’t prevent the crime.
*Client details changed in order to protect the business identity.
Brian Barreto
Principal | Austbrokers City State