ANY COMPANY THAT STORES PERSONAL DATA, ARE RELIANT ON COMPUTER OR TELEPHONE NETWORKS, OR THE INTERNET FACES
• We are one of the largest insurance brokers in the world
• We have over 180 years of history and experience in insurance; we currently operate in over 400 offices in nearly 120 countries, with a global team of approximately 17,000 Associates serving clients in some 190 countries
USD 32.2 billion of global premiums placed through
Today, using computers and logging on to public and private networks has become second nature in both our personal and business lives. We are all constantly producing and saving data, surfing the net, uploading content and sending and receiving email traffic. It is difficult to recall how we were ever able to manage without such technologies and the benefits they bring. However, in creating this new digital world we have also created a by-product – Cyber risks.
Cyber risks are faced not just by e-commerce companies and those undertaking transactions over the internet, but also by companies that store personal data, are reliant on computer or telephone networks, hold digital information or use the internet. In short, just about every business is faced with Cyber risks. The statistics are concerning:
• Approximately 14% of Australian businesses experienced computer security incidents in a given year [1]
• From cyber crime alone, estimates of losses to Australian businesses run upwards of $595 million [1]
• Half of all companies that suffer data breaches from a cyber attack have fewer than 1,000 employees [2]
• In Australia alone in 2010 and 2011, 2.95 million cyber attacks were detected, originating mainly from Canada, the US and China [2]
Meanwhile, there is growing attention afforded to privacy rights, particularly after the media hacking scandals in the United Kingdom. For instance, the Commonwealth Government is currently inviting comment on the Australian Law Reform Commission’s recommendation to introduce a statutory cause of action for serious invasions of privacy. We note that Australia already has significant privacy protections in place under the Privacy Act 1988 (Cth).
Further, the Australian Privacy Commissioner has recently signalled a tough new approach to dealing with serious privacy breaches, indicating a preparedness to use its powers under the Privacy Act to direct how privacy complaints are resolved, and to publish its investigation reports. The Commissioner also foreshadowed the possibility of stronger powers being afforded to him, including the ability to impose civil penalties and accept enforceable undertakings.
In light of the growing crime trends, and combined with an increased focus in Australia on individuals’ rights to privacy, it is timely to consider whether your business is adequately protected for its cyber risks.
Some of the core Cyber exposures include:
>> BREACH OF PRIVACY
Anyone that stores personally identifiable information is exposed to data breaches. Data breaches may occur from a hack, a disgruntled employee or even a lost laptop.
This is the most common form of loss incurred under a cyber liability insurance policy, and the quantum of the losses incurred can be significant. For example, the costs incurred by Sony when hackers gained access to 77 million of its customers’ accounts were estimated at over GBP 109 million, excluding compensation claims by customers. [3]
However, even absent criminal activity, data breaches can occur, resulting in the potential for significant costs to be incurred by organisations in the reporting and managing of such breaches, along with the potential for reputational damage.
Two recent Australian incidents highlight this well. In 2008 Telstra Corporation Ltd was undertaking a mail-out to a number of its customers. Unfortunately, it sent out 60,300 letters containing account information belonging to other customers. Telstra attributed this to a “mail merge error”. Telstra was subsequently investigated by the Privacy Commissioner and, of its own volition, took a number of positive actions, including notifying affected customers. Another example is the Vodafone breach, which media reports suggest involved losses to Vodafone of several hundred thousand dollars, even though the Privacy Commissioner eventually found that no personal information had been disclosed in breach of the National Privacy Principles, as had been alleged. This incident related to media reports and allegations that Vodafone had customers’ records publicly available on its website.
As can be seen above, breach of privacy is a key cyber risk, involving the potential for significant internal costs along with liability to third parties as a result of a data breach, which can be accidental or a result of cyber crime.
>> NETWORK DOWNTIME
Most companies are reliant on networks, whether it’s the network that interconnects various company sites, enterprise private networks or the critical backbone network that deals with network performance management and network congestion. Network downtime can be caused not just by malicious hacks such as a ‘Denial of Service’ (DoS) attack, but also by operational failures involving software and hardware failures, both of which can have a significant financial impact on a business.
>> MULTIMEDIA RISKS
Social media is now a key marketing strategy utilised by companies. However, ‘User Generated Content’ (UGC) and the posting of unlicensed content have caused a dramatic increase in online defamation claims and intellectual property infringement claims. The use of such sites requires additional infrastructure and maintenance resources to ensure the appropriate defensive layers are in place to protect the company. Monitoring of chat rooms is not always possible, and reliance on self-regulation by the audience is a dangerous strategy. Also, pre-screening is not possible on Facebook and Twitter, so the minimum fallback must be relevant staff training.
>> CYBER EXTORTION
Cyber extortion is a crime involving an attack, or threat of attack, against a company, coupled with a demand for money to stop the attack. There are various types of Cyber extortion, but originally DoS attacks were the most common method. More recently, Cyber criminals have developed actual ransomware that can be used to encrypt the target’s data. The attacker then demands money for the decryption key. The probability of prosecuting the criminals is low because criminal gangs usually operate from countries other than those of their target. Cyber extortion is big business and, with criminals earning millions of pounds annually, the majority of Cyber extortion episodes go unreported because victims do not want the publicity.
[1] The Australian Business Assessment of Computer User Security: a national survey, Australian Institute of Criminology Research and Public Policy Series 102
[2] As advised by Chubb Insurance Company of Australia Ltd.
[3] http://www.bbc.co.uk/news/technology-14247883
The table below looks at some of the most common types of Cyber claims and highlights the associated costs that companies could face as a result:
Industry | Incident | Costs incurred | Type of cover
Retail | A hacker accessed the retailer’s network and stole 15 million customers’ personal details. | The retailer incurred significant costs to deal with the breach including forensic costs, notification costs, fines and credit monitoring costs. Liability claims followed. | Privacy/Network Security Liability/ Privacy event mitigation costs, fines.
Hotel | A hotel group’s point of sale network was hacked into and 6 million customers’ credit card details were taken. | The hotel experienced high forensic costs to isolate the hack. Additional costs included mandatory notification costs and fines. The hotel offered all of the individuals 2 years credit monitoring service. They also received liability claims for damages from the banks. | Privacy/Network Security Liability/ Privacy event mitigation costs, fines.
Airline | An airline received a Distributed Denial of Service (DDoS) attack bringing down their online sales platform for 48 hours. | The airline experienced a significant loss of revenue during the network downtime plus increased costs of working. | Non-physical business interruption.
Media | The media company utilised content on their website without obtaining the appropriate licences. | They were successfully sued for over AUD 1.5M for copyright infringement. | Multimedia Liability.
Financial Services | An employee of a financial services company left a laptop in a public place containing the personal financial details of its clients. | Costs included the hire of a PR firm, notification to all of the customers affected, setup of an ID theft/credit alert service call centre and credit monitoring services. | Privacy/Network Security Liability/ Privacy event mitigation costs.
Gaming | A hacker threatened to take down the private network of the gaming company unless they paid them AUD 8M. | Investigation costs to identify the threat plus the extortion demand amount. |
Willis FINEX, in conjunction with key Cyber insurers, has developed a market leading Cyber Insurance solution:
1. Liability to third parties for damages and claims expenses as a result of a privacy breach.
2. Legal costs in defending regulatory proceedings for privacy breaches.
3. Liability for fines imposed as a result of privacy breaches (case by case basis).
4. Notification expenses to notify victims of privacy breaches.
5. Forensic costs to contain a breach and carry out the necessary forensic audits following a breach.
6. PR expenses to help limit the reputational impact following a breach.
7. Credit monitoring costs to monitor the victim’s credit history for fraudulent
PLUS other Cyber liability coverages including:
8. Network Security Liability: third party liability for damages and expenses as a result of your system security failures causing harm to third party systems.
9. Negligent transmission of a virus: for damages to customers’ computer systems and data.
10. Intellectual property infringement, defamation or breach of privacy due to email or website content.
LOSS OF DIGITAL ASSETS INCLUDING NON-PHYSICAL
1. Data/electronic information loss: The costs to restore data that has been lost or corrupted.
2. Indemnification for loss of revenue following unplanned system outage and increased cost of working arising from an unauthorised access to your systems or a cyber attack.
3. Cyber theft: your loss arising from your funds being transferred as a result of hacking, or your customers or other third parties being induced to transfer funds as a result of your systems being hacked.
4. Cyber extortion: covers expenses and the extortion demand amount related to a threat to commit a computer attack.
Our e-solution experts can further develop and tailor the coverages so that they are aligned with your specific risk profile.
What about your Crime insurance cover?
It is important to note that most businesses’ crime insurance arrangements are not sufficient to cover the scope of exposures insured under a Cyber policy. Specifically, a Crime policy will not generally cover the following exposures:
1. Liability for damages and legal expenses for third party claims – such as the breach of privacy cover which is a major feature of the cyber liability policy.
2. Intangible property – most Crime policies typically only cover direct loss of money or other defined securities. Loss arising from theft of intellectual property would therefore not usually be covered.
3. Electronic fraud or theft committed by (or in collusion with) an Employee.
4. Business interruption or extortion coverage.
WHY WILLIS FINEX
Willis has placed and designed Executive and Professional Risk policies since these coverages incepted almost 100 years ago. Building on this tradition, the FINEX division of Willis Australia is dedicated to helping clients protect key assets and reduce exposure.
With expert Associates from complementary disciplines working together in Willis FINEX, we are able to maximise the value we deliver to our clients. Taking advantage of the synergies in our team, our FINEX Associates can marshal all of Willis’ global capacity and resources to provide seamless delivery of insurance solutions.
FINEX Australia offers specific industry insight and placement experience to fully identify exposures and then design bespoke market solutions. From risk identification and insurance analysis to strategic claims management, Willis provides the experience, thought leadership and market savvy to help make Professional, Financial and Executive risks truly manageable. By developing an in-depth understanding of our clients’ business, we anticipate future needs and are well placed to work with clients in close partnership.
If you are concerned about Cyber risk, contact us and arrange an initial consultation.
NSW: Alex Atkinson, +61 2 9285 4062, email@example.com
VIC: Kelly Butler, +61 3 8681 9796, firstname.lastname@example.org
WA: John Barr, +61 8 9420 9208, email@example.com
SA: Kathryn Pinyon, +61 8 8224 4756, firstname.lastname@example.org
QLD: Roger Smith, +61 7 3004 8511, email@example.com
Willis Australia 179 Elizabeth St Sydney NSW, 2000 AUSTRALIA Tel: +61 2 9285 4000 www.willis.com.au
Willis Australia Limited, ABN: 90 000 321 237. AFSL: 240600 2011/12 - ver. 1.0