Choosing the Right Cyber Umbrella
In the face of increasing cyber attacks on Australian businesses, at the end of June this year, Prime Minister Turnbull and his government gave the green light to unprecedented use of offensive military cyber-warfare operations to shut down and destroy foreign criminal networks, as reported by AFR. (See here)
Since the end of 2014, the Australian Cybercrime Online Reporting Network (ACORN) has seen 114,000 reports of which more than 23,700 had been filed in the first six months of 2017.
Yet businesses cannot only rely on government agencies to protect them. Organisations, small and large, must take the necessary steps to protect themselves. Size is not a criterion and the attacks do not discriminate, as seen in the recent WannaCry attack (which was done by scanning the Internet for computers that were not patched or were running obsolete versions of the Operating System) or the Mirai botnet.
Risk management is a significant component in this defence. Cyber insurance is another aspect. However these two components need to be correlated in a way that protects the organisation and allows for fast recovery in breach cases.
The Cyber insurance space is still nascent in Australia, as nine out of ten cyber insurance policies are written in the USA, according to a recent AoN report. (See here)
The main reason of the cyber insurance take-up in the US is the presence of state breach notification laws in force for the past 10 years. This type of law has only been introduced in Australia in February 2017 and will be effective from February 2018.
In Australia, the large insurance companies offering Cyber policies are Allianz, Zurich, Liberty, Lloyds (various), Chubb, AIG and CGU.
No policy is offered without going through a questionnaire that lists pre-requisites like Business Continuity Plan, Risk management, up-to-date IT tools (Backup and off-site storage, Antivirus protection, Intrusion detection systems, Firewalls, etc).
A typical cyber insurance policy will protect companies against extortion like ransomware attacks, the investigation costs (forensics), network restoration and Public Relations. It is important to differentiate between First-party cover and Third-party cover. The Third-party policies cover the costs for litigation if sued by stakeholders, clients, fines imposed by the regulators, fees and fines from the financial institutions affected by the breach, etc.
But there are caveats. Companies that did not download a Microsoft patch issued on the 17th March to protect users from vulnerabilities exploited by WannaCry were out of luck, since many cyber policies exclude coverage in such an instance.
Companies using pirated software are also unlikely eligible for an insurance payout according to the AoN report. These conditions will be part of the Exclusions and will waive the Insured’s right to claims.
When choosing an insurance policy, the organisations must understand:
- The extent of coverage and the exclusions
- What liabilities you wish to insure, in close correlation with the Risk management system (to cover what is not mitigated in the usual course of business)
- Understanding of possible claims that can arise in the case of a breach scenario
- Dependency on third parties and full understanding of risks introduced through these relationships
We recommend that you analyse your internal Risk management system, the complex relationships with your Stakeholders and the full gamut of consequences of an attack before chosing the appropriate cover.
It is important you find a broker that understands Cyber risk and tailor an insurance policy to cover the residual risk.