Cyber insurance: what is it, do I need it and what does it cost? Those are just some of the questions around cyber insurance, interest in which is being driven by two key factors.
Firstly, the proposed changes to privacy laws. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 is currently before the Federal parliament. It provides for mandatory disclosure for certain breaches. Debate about this long-awaited and much-criticised amendment comes on the back of a high-profile data breach at the Red Cross Blood Service in October 2016, described as Australia’s largest security breach.
Australia has no effective equivalent to the comprehensive disclosure obligations imposed in the USA by HIPAA, which requires mandatory and far-reaching disclosure for breaches in the health industry. The Red Cross Blood Service had no legal obligation to contact those affected. In communicating with those whose data was compromised, they followed what is little more than a recommendation by the Office of the Australian Information Commissioner (OAIC). However, they appear to have done a good job of communication, providing comprehensive details to those affected as soon as the issue was detected (including one Loop staffer!).
The Privacy Commissioner has the power to impose significant fines and to make other orders, including requiring apologies to the 550,000 blood donors whose medical and sexual records were made public. But, unlike in other jurisdictions, such penalties are rarely used in Australia, where self-regulation and education are preferred to punishment.
Perhaps this outcome provides some justification for the OAIC’s softly-softly approach to enforcement.
The second driver for legislative change is the relentless growth of hacking and serious data breaches in the past three years. These can be disruptive attacks, such as the DDoS attack on the Census that brought IBM so much trouble in 2016.
We don’t hear much about breaches in Australia due to our current legal frameworks and the tepid enforcement approach taken by the OAIC. It is far from clear whether this will change under the new legal regime. The bill is complex with plenty of woolly definitions and layers of overlapping exclusions and exceptions that will have clocks spinning at law firms for some time before companies are able to determine what they must do to comply.
What is clear is that, if enacted, the new data protection provisions will impose more significant obligations on companies and government agencies to disclose information about breaches to those affected. Consumers feel this is a good thing, but most large organisations and, indeed, government appear more concerned at the extra cost and administrative burden of having to disclose. Further, a lack of clarity about exactly what should be disclosed, when and to whom will doubtless add confusion for some time.
This leads us to cyber insurance, which is seen as a way to protect businesses and individual users from IT security risks. Different types of policies are currently available for large or small firms, as each has different levels of risk to protect against.
The pricing also differs. As an example, most ransomware attacks are focused on small and mid-sized firms (presumably because the success rate is higher), so getting compensation for the resulting loss is increasingly of interest to smaller businesses. Smaller firms should ask themselves whether they would be better off investing the premiums in user-awareness training, newer technologies on the network perimeter and more sophisticated storage and backup regimes – particularly when examining the many exclusions and exceptions in the fine print of cyber insurance policies.
Most enterprises and large firms in Australia already have cyber insurance in place. These policies can be complex and there is often significant overlap with other policies. Many have substantial exclusion clauses designed to limit the circumstances in which the insurer will pay out. I suspect many executives and boards of directors do not fully understand the nature of the protection and the limitations of the policies they have purchased. They just feel more secure having bought one.
Common categories of risk identified in such policies include: data breach, multimedia, extortion and denial of service. The costs covered may include rectification of the vulnerable environment through incident response, the costs of disclosure, lawsuits and other consequential loss.
Liabilities that are covered are sometimes categorised as third-party or first-party costs and damages. Third-party liabilities are losses incurred by a company other than the company taking out the policy. An example would be a managed security service provider that suffers a breach causing loss or damage to the data of one of its customers. Another could be an IT reseller installing a device in a customer environment in such a way that it allows an attack to occur. The apparent shortcomings of the DDoS protection in the environment created for the Commonwealth Census are an example of such an exposure.
First-party liabilities are those incurred directly by the insured company; for example, when a company is hacked and data is stolen. In such a case there may be different types of damage, such as the cost of replacing or recovering the compromised data, of notifying those affected, or of repairing the environment or the data, and sometimes even damage to the reputation of the company. The Target breach in December 2013 in the USA was a good example of dramatic financial and brand damage resulting from an intrusion.
Technology service providers, such as consulting firms or systems integrators, as well as companies acquiring technology for their own internal purposes, are both potential purchasers of cyber insurance.
Buyers need to look carefully at the risks they wish to protect and the insurance products that are available to provide cover.
Top buying tips
- Carefully consider the risks the business wishes to protect against. Are they first-party or third-party liabilities or maybe both?
- What level of cover is needed for the business activities being performed or the services being provided?
- Investigate available policies. This is usually done with help from an insurance broker, but brokers have a vested interest in selling insurance. Most companies already have various policies in place, so it is probably better to go to the incumbent broker or insurer for advice.
- Understand the exceptions in the policy. Create a list of the circumstances when the insurer will not pay out. This involves a careful look at the policy document.
- Understand the cost of the insurance. Can this be passed on as part of the cost of doing business? For example, consulting firms are finding that the costs of professional indemnity insurance are becoming a significant part of the cost of business as premiums increase.
- Weigh up whether the costs of the policy offset the risks being covered, particularly if it is heavily conditional. In other words, is internal staff education and self-insuring a better option?
- If dealing with IT suppliers such as vendors or resellers, should companies ask questions about the type of cyber insurance those partner firms have in place? This is a common practice in relation to some forms of insurance. Consulting firms and integrators are regularly asked to confirm the amount and nature of professional liability insurance they have in place. It is now increasingly common to see tenders asking questions about cyber insurance cover.
- Consider if the policy covers new risks as well as existing or known risks. To use a medical example, it’s the difference between being covered for a pre-existing condition and a new ailment.
- Investigate whether policy costs can be reduced if certain security controls and technologies are in place. A bit like the insurer that provides a discount if you keep your car in a garage or have an alarm on your house and deadlocks on the windows.
- Determine if there is overlap with professional indemnity or other liability insurance that is already in place or is being considered.