In this day and age, it’s highly likely that your business depends on the following to operate smoothly:
- Access to the internet,
- Access to software and customer data that’s stored in the cloud or a networked server,
- Access to emails, and
- An operational website.
While technology has enabled businesses to become more efficient, it has also created a new cyber risk that business owners need to manage.
“The scale and reach of malicious cyber activity affecting Australian
businesses is now unprecedented. The rate of compromise is increasing
and the methods used by malicious actors are rapidly evolving”
Australia’s Cyber Security Strategy Report
Cyber Insurance can protect your business from financial loss following a cyberattack in the following ways:
- Data and system restoration – the costs to hire cyber experts to identify and remove malware, clean out networks and recover data.
- Breach Costs – reimbursement of your own additional costs when a data breach occurs.
- Business Interruption – the financial loss your business may suffer if you’re unable to operate following a cyber-attack.
- Cyber Extortion – Costs involved with hiring cyber experts, ransom demands and prevention of future threats.
- Privacy Protection – Third party claims from a failure to keep data secure.
- Regulatory Breach Liability – Covers legal expenses and the costs and fines arising from investigation of a government regulator.
- Electronic Media Liability – third party claims as a result of content in email, on the intranet, or website.
- Notification and Monitoring – the cost of notifying customers of a security breach and monitoring their credit card details to prevent further attacks.
- Crisis management expenses – Provides cover for the costs of managing a crisis caused by a cyberattack.
- Covers financial loss resulting from cyber criminals using deception to manipulate an individual into paying a fake invoice or divulging confidential or personal information that may be used for fraudulent purposes.
The Insured’s system, which held confidential medical information on their patients, was compromised by a ransomware attack. As the Insured could not access their patients’ medical data, they were unable to operate.
The Insured’s policy was triggered and the insurer appointed an IT Forensic Consultant to fix the damage to the Insured’s system and investigate if the hacker still had access to the system.
A law firm was also appointed to assist the remediation process and advise if the client had to report the matter to the Privacy Commissioner. Payment was made in relation to business interruption loss, forensics and legal costs.
The Insured used a third party cloud-based software provider to hold confidential client information. The cloud provider advised the Insured that their account had been accessed by an unauthorised identity who had deleted data relating to 5,000 clients.
As a result of the hack, the client was unable to operate as usual due to the missing data and limited access to their software.
The insurer appointed IT Forensic Consultants to assist the client in investigating whether their systems had also been compromised. As the incident occurred prior to the new privacy regime taking effect, the Insured did not have to report the privacy breach. However, in order to be transparent with the Commissioner and its clients, the Insured advised the Privacy Commissioner of the potential breach.
The Insured was able to claim for business interruption costs, forensics and legal costs.
Optional Social Engineering, Phishing and Cyber Fraud Claims Examples
A hacker impersonated a client of the Insured, using an identical email address. The hacker emailed the Insured advising that future payments should be made to a new bank account.
When the Insured was due to pay the client, they paid $41,000 into the fraudulent account.
The Insured claimed against their Cyber policy which triggered the optional Social Engineering cover. Indemnity was granted for the direct financial loss suffered by the Insured.
The Insured hired a contractor to perform works on one of their properties. The Insured received an invoice for $13,000 from the contractor.
The following week the Insured received an email claiming to be from the contractor, stating that their bank details had changed and providing the new details. The Insured subsequently paid the $13,000 into the ‘new’ bank account.
A few days later the contractor followed up with the Insured for payment for their works, at which time it was identified that their emails had been compromised and the Insured had paid a fraudulent account.
The Insured made a claim on their Cyber Policy and after conducting investigations, indemnity was granted under the optional Social Engineering Fraud cover. The Insured was reimbursed for the direct financial loss suffered as a result of the fraud.
10 Tips to prevent a cyber attack
As an insurance broker, we work with many specialist insurers and underwriting agencies to source comprehensive coverage for our clients at market-leading rates. In the cyber insurance space, one of the speciality underwriting agencies we work with is Dual Australia. Dual have significant experience in underwriting Cyber insurance globally and have put together the following tips to help prevent a Cyber attack.
- Back up data frequently, with the backups stored off site and not connected to your network.
- Ensure all staff have frequent cybersecurity training so they are aware of potential risks and how to identify fraudulent emails.
- Use operating systems with embedded firewalls and anti-virus protection software (such as Windows or Mac OS X), or run separate commercially licensed firewall or anti-virus protection software.
- Protect your data with encryption, including on mobile phones, laptops and other portable devices.
- Do not store credit card details on websites, and do not keep them saved in notes or documents on computer systems.
- Keep passwords strong and secured, and set up two-factor authorisation.
- Any requests to alter supplier and customer details, including bank account details, should be independently verified, preferably verbally, with a known contact for authenticity.
- Ensure that at least two members of staff authorise any transfer of funds, signing of cheques and the issuance of instructions for the disbursement of assets, funds or investments.
- Have a well-planned approach to addressing and managing a cyber attack to help respond to, and recover from, a network security incident.