Digital Risk: A Board Responsibility

Australia’s way of life is now integrally linked with the Internet. The Internet provides a global means of communication and interaction that underpins much of our lives – for government, business and individuals. But while the Internet offers a huge range of opportunities, it also brings risks associated with criminal and malicious activity that seeks to exploit those who use it. In particular, the activities and transactions conducted by business online require diligence to ensure that Australians maximize the opportunities offered by the digital economy (Cyber Crime & Security Survey Report 2012, CERT Australia, Mark Dreyfus).

Digital transformation is the process of integrating digital technology and online business models into all aspects of a business, requiring fundamental changes in technology, culture, operations and value delivery. According to Forrester research, such a strategy focuses on:

• Delivering easy, effective and emotional customer experiences: creating more personalized and engaging experiences for customers
• Focusing operations on the things customers value: improved processes for suppliers and customers
• Building platforms and partnerships to accelerate and scale
• Innovating at the intersection of experiences and operations: development of new revenue streams

As a result of increased reliance on the internet to enable digital transformation, businesses also face digital risk. Digital risk can impact the financial sustainability, reputation, customers, shareholders, data and intellectual property of a business. In broad terms, digital risk management complements digital transformation by identifying and mitigating digital risk and minimising the chance of the risk occurring.

This article describes the following types of emergent digital risk that are becoming mainstream and demand an overall fiduciary response from boards.
1. Cyber risks
2. Reputation risks
3. Fraud risks/cybercrime
4. Regulatory risk
5. Intellectual property risk

Cyber risks
Cyber risk is the business continuity risk that arises when an organisation’s systems and infrastructure are rendered inoperable by hacking events. It has emerged as a direct result of businesses’ reliance on technology for their operations, and is associated with financial loss, loss of customers or damage to an organisation’s reputation.

Cisco Systems estimated that 10 billion devices were connected to the internet in 2013, and predicted that this number would rise to 50 billion by 2020. Activities that can materialise as cyber risk include:

• Malicious security breach
• Social engineering/ Ransomware attacks
• Internet of Things vulnerability
• Third party vendor vulnerabilities
• Supply chain system integration vulnerability
• Lack of security management strategy
• Bring Your Own Device (BYOD) at the workplace
• Human error by employees
• Logging into insecure WiFi using company devices
• Unsecure data storage and theft

Reputational risk
According to the Reputation Institute, a “reputation” is the emotional connection stakeholders have with a company. Adverse reputational situations can stem from customer-related issues, technology, or moral, social or ecological issues, and result in loss of revenue. Poor publicity and negative perceptions usually follow, spurred on by ever-active social media and other forms of instant communication made possible by digital advances; because of the internet, harmful information can spread in an instant. Unfortunately, a loss of customers and a fall in share price often lead to financial loss for the business. The Australian Millennial Research Report 2019 found that 10% of Millennials said they would change their bank because of the Royal Commission (The Australian Millennial Research Report 2019). Most millennials are also heavy users of social media and communicate and share decisions with peers through digital social platforms.

Fraud
In the recent past, cyber crime has emerged as the greatest threat to businesses resulting from digital transformation. Cyber crime costs the economy more than $445 billion every year. In early 2018, one think tank estimated that cybercrime costs the global economy the equivalent of 0.8 percent of GDP. The financial sector, in pursuing a digital strategy, may be particularly vulnerable as it transacts the most money. The sector is also debating the issue of ownership of fraud liability related to the handling of third-party monies, in order to come to an agreement on who owns the liability. Cyber criminals are continuously devising new methods, forcing business managers to react. Fraud awareness and education are now an integral part of a digital risk management strategy.

Common forms of cyber crime include:
• Online payment methods/false bank accounts/ intercepting payments/self authorisation
• Online scams/Charity fraud/Dating scams/ Lottery scams
• Hacking /Data Theft/Email hacking
• Identity Theft/Credit Card/Medical
• Social Engineering /Trickery/Impersonation– Financial Fraud
• Phishing /Denial of Service/Malware– Financial Extortion

Regulatory Risk
Regulatory risk in a business is the potential for losses to occur when the laws and regulations governing the business are changed. Regulatory risk may leave Directors and Officers holding the liability for the risk. In the wake of privacy laws in Australia, consumers now expect that their most personal information will be handled sensitively and carefully, and significant consumer backlash awaits companies that fail to meet these expectations. Maximum penalties for serious or repeated interferences with privacy would be increased from $2.1 million to the greater of:
• $10 million; or
• three times the value of any benefit that was gained by the company through misusing the personal information; or
• 10 per cent of a company’s annual domestic turnover.

Businesses can be liable for misleading and deceptive conduct via social media publications, including (depending on the circumstances) for statements not made directly by the company or for failure to remove abhorrent violent material from a platform. The mandatory regulatory requirement to notify individual customers of a privacy breach has increased legal, postage and advertising expenses for all businesses.

Intellectual property risk
Businesses holding intellectual property are prone to digital risk, as ideas, branding, confidential information and trade secrets are potentially accessible to anyone via the internet. Intellectual property may also be stored and shared digitally with supply chain partners such as subcontractors, investors, employees and business associates. Examples of direct intellectual property threats come from copyright pirates, brand impersonators, patent floaters and business secret thieves. The risk involved in storing and sharing such information with third parties is termed intellectual property risk; it opens the company to potential infringement and loss of intellectual property.

Conclusion
Digital transformation opens great opportunities for any business. It is digital risk that businesses will need to contend with through an overall fiduciary strategy, as it challenges the measures in place for maintaining the trust of customers and stakeholders. It is important that companies build their risk management strategies transparently and with clarity, ensure information governance in the collection, storage, use and archiving of data, and define ownership of risk and liability in the supply chain.

Disclaimer: “The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.”

Reputation Management: The New Resource

A common definition of reputation is that it lays the premise for an opinion, established according to the social expectation of standards in a transaction. Reputation is a universal, unconstrained and profoundly efficient component of social control in ordinary social orders.
Reputation takes into account a series of connections that underpin perception of brand identity; it may account for 70% to 80% of the social capital identified with the intangibles of brand value. Having a professed approach to reputation is moving up the array of board obligations, with its acknowledgment as a key asset. A board may rightly pose the question “how does the reputation of our business compare with that of our competitors?” Businesses regularly find that a higher reputation score relative to competitors may drive value creation for investors.

Digital transformation has paved the way for cost savings and efficiencies, but now also forms the basis of high reputational risk. Digital security incidents have recently stood out as newsworthy and have had a high impact on business reputations; most firms now foresee that a security issue (explicitly the loss of client information) will significantly affect long-term trust in the community. This is further borne out by the fact that Australian organisations are now allocating larger budgets to digital security than before, to plug exposures and vulnerabilities. Research shows that new clients weigh factors like information security when using an organisation’s products or services.
The effect of a cyber-attack on investor behaviour can also be considerable and sustained. It can expose the decision-making process of top executives, calling their actions into scrutiny. Many CEOs are wary of the impact of social media in amplifying adverse effects on business reputation. The ousting of the CEO of Target after its data breach offers a precedent.
Reputational hazard may arise as a direct or indirect result of the activities of the organisation itself, associated with executive decisions, the actions of Directors and Officers, ethics and morals, and supply chain partnerships.

Case study: Banking Royal Commission – Australia
Australia’s big four banks are attempting to emerge from the Hayne royal commission, albeit with their reputations seriously harmed.
From March 2018 to January 2019 (source: AFR), the banks’ share prices fell considerably:

CBA: – 8.8%
Westpac: – 17.7%
NAB: – 20.8%
ANZ: – 11.5%

The Australian Millennial Research Report 2019 has revealed that, in the wake of the Royal Commission findings, Australian 20 to 30-year-olds reassessed their trust in banking and called it misplaced. Over 10% said they would change their bank because of the Royal Commission. (The Australian Millennial Research Report 2019)

Reputational Loss Insurance
Most cyber insurance policies pay for reputational loss; however, this may be limited to public relations costs for repairing image and to notification costs. London underwriters are responding to the fast-emerging risk of reputational loss by creating products that help to quantify and pay for the loss. Such products aim to meet the expectation that reputational loss protection provides liquidity rapidly and offsets losses which may likewise result in loss of income. Protecting against reputational loss follows a defined procedure.

The business must:

  • outline the situations to be covered
  • identify the brands to be covered
  • detail the income for the period to be covered

Reputational situations covered under the policy can be customer-related issues, technology, or moral, social or ecological issues. When an adverse event occurs, the business may experience a loss that triggers the policy. Through a forensic accountant, the insurer determines the amount of loss connected to the event in order to make a payout. The advent of such insurance products shows that we may now be entering an era of quantification of intangible resources such as reputation and their importance to the business.


Health Sector and Cyber Risk

The Privacy Act 1988 imposes obligations on health practices for the safekeeping and privacy of health records, which include sensitive personal information about patients and their medical conditions.

The Australian government introduced the Notifiable Data Breaches scheme on 22 February 2018. Under this scheme, health practices can be penalised by the Privacy Commissioner for negligence in protecting sensitive information held by the medical practice. They must now notify individuals whose data has been compromised.

Combined with regulatory risk, the threat of malicious activity or human error in relation to IT systems can cause security events that lead to loss of critical data, system glitches and interruption to business operations, resulting in loss of profit.

Investment in cyber security

Health practices must maintain a sound security posture and demonstrate investment in security initiatives such as firewalls, anti-virus, encryption, patch management and staff training. Cyber risk calls for risk management through a combination of elimination, mitigation and transfer mechanisms. Similarly, the increase in social engineering attacks puts the operational continuity of a health practice at risk, because of which patients could find it hard to access the right treatment when required.

Cyber insurance

  • Cyber insurance offsets operational, regulatory and financial costs associated with security incidents.
  • Cyber insurance offsets the cost of notification.
  • Cyber insurance provides incident response.

Cyber insurance – Coverage

  • Notification costs / PR expenses – expenses for notifying individuals and the fees of public relations firms
  • Regulatory fines – payment of fines imposed by the Privacy Commissioner
  • Restoration costs related to data and systems – the cost of restoring data and systems if they are made inaccessible after an incident
  • Cyber response team – clients are provided with a panel when they make a claim; the panel consists of a PR firm, a legal firm and a forensic firm, and is made available within 24 hours of an incident. The cost of this panel is borne by the insurance company.

IT considerations before acquiring cyber insurance

  • The clinic must ensure it can demonstrate both financial and operational investment into cyber security tools such as firewalls, backups, processes and privacy policies
  • Consult your IT provider and request a comprehensive cyber security risk assessment
  • Ensure your staff are aware of what cyber security is and that they can demonstrate awareness of the risks associated with cyber crime
  • Consult your IT provider to ensure that your practice is compliant with the cyber insurance IT requirements


About: 

Rend Tech Associates is one of Australia’s leading Healthcare IT firms focussing on cyber security, healthcare innovation and technology solutions supporting healthcare service delivery.

Cyber Data-Risk Managers is a recognised expert in the field of cyber insurance. Meena Wahi is Director of the company. She speaks at conferences alongside CISOs, law firms and consulting firms on cyber risk.


______________________________________________________________________

A cyber attack can cripple a business of any size. By planning in advance and purchasing a cyber insurance policy, businesses can minimise their risks, costs, and the impact of a cyber attack on their reputation and brand. To learn how a Cyber/Data Breach Insurance policy can help you be prepared for a cyber attack, network security or data breach event, please complete the box below, or call Cyber Data-Risk Managers Pty Ltd on 03 8640 0962.


Equifax hack acts as a cyber ‘case study’ for brokers

The recent hack on global credit reporting company Equifax can act as a case study for brokers and their clients on what to do, and what not to do, in the event of a cyberattack, an expert has said.

The hack, which was announced a month ago and was then said to have impacted 143 million people, has since been revealed to be worse than originally feared with a further 2.5 million people affected.

Meena Wahi, a specialist cyber broker and director of Cyber Data-Risk Managers, said that the hack and the fall-out following the breach – which has seen Equifax’s CEO retire and class action cases launched – could act as a “very typical” case study for brokers and clients.

“From an insurance perspective, I would urge my clients, especially businesses who don’t have insurance, to look at it as a case study,” Wahi told Insurance Business. “It is really an example that demonstrates no business can take cyber security lightly and, especially with larger enterprises, they are vulnerable on so many fronts.”

The attack came as Equifax failed to patch a vulnerability in its system, which was then exploited by unknown hackers. It took six weeks for Equifax to notify customers impacted as high-level executives sold off almost US$2 million in stock after discovering the breach in late July, before the firm went public with the news, according to The Washington Post.

Wahi said that the hack itself highlighted that businesses of any size cannot afford to let their guard down when it comes to cyber protection.

“You cannot think that you can relax on security and imagine that you will not have a data breach,” Wahi continued. “It highlights that a business their size didn’t have incident response planning and it highlights that, despite everything, a business can still make a stupid mistake and still have a data breach.”

Poor patch management has been blamed for several large-scale cyberattacks so far in 2017, with both Petya and WannaCry earlier in the year exploiting similar vulnerabilities. Wahi said that brokers must ensure that clients keep up to date with their patch management or they could face a denial of claim.

“It can happen to any business, small or big,” Wahi noted. “Any website can get hit because they haven’t closed the vulnerability.”

Cyber Insurance: how it works and the benefits of Information Governance

As the number and size of cyber attacks on businesses continue to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant: according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations recruited for the research.

As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, offset the cost of a potential data breach.

This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them.

What is a cyber incident?

A cyber incident refers to any event that threatens the security, confidentiality, integrity or availability of information assets (electronic or paper), information systems, and/or the networks that deliver the information. Any violation of computer security policies, acceptable use policies, or standard computer security practices is classified as a cyber incident. (Source: CABQ)

Information governance, along with risk management, may not prevent a cyber attack from occurring, but it can certainly reduce its impact on the affected company. A cyber threat or breach leaves the company exposed to a loss of integrity and compromised access to information. This also results in the inability to provide the right information to stakeholders and the failure to respond to regulatory obligations. Mature cyber risk governance and risk management plans can prevent the disruption of information governance.

Transfer of risk

When dealing with questions of risk transfer, executives may choose to self-insure. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average cost per capita (per compromised record) of a data breach was $139 per organisation surveyed, with the average cost of a data breach totalling $2.51 million. Thus a business experiencing at least two data breaches a year could be expected to set aside $5 million of company funds for data breach response. In such a scenario, investors are likely to find shareholder returns diminish over time, compounded by reputational loss.

Investing in cyber insurance not only frees up investors’ resources, it is also more cost-effective in the long term. In transferring risk to the insurer, businesses must give proof of their information governance practices. If there are no practices in place, the insurance process can help businesses devise a plan to prevent cyber threats and the risk of legal issues, financial losses and company failure, before accepting the residual risk.

Business Continuity

As all businesses revolve and evolve around their data, information is critical for ensuring business continuity. Since cyber threats and cyber theft do happen, it is important that businesses possess the capability to respond well; this includes having a plan in place to respond to an incident swiftly, professionally and with minimal impact.

A business needs to recognise its capability to access the right information to mitigate the effect of a cyber attack. Key questions that any manager, executive or business owner must ask themselves are:

- Does the information governance system, including cybersecurity policies and procedures, mandate backup of information assets, systems and data that can be retrieved if a cyber incident leads to operational downtime?

- Is there proof that the business has a written business continuity plan, and are all employees who will need to act on it trained and knowledgeable as to what to do if the risk occurs?

- Do all employees and affected parties have access to information on how to respond to an incident, to minimise any damage? And is this process exactly what cyber insurers want to see in place, in order to mitigate their own exposure?

Trust

Trust and relationships are the biggest factor in ensuring long term sustainability of a business. A savvy cyber insurance company will not accept the transfer of risk if a business cannot demonstrate adequate measures for maintaining trust of all stakeholders and most importantly, customers. Businesses are expected to prove their integrity through questions such as:

- In storing customer data, does the business ensure information governance in the collection, storage, use and archiving of data? Is the information encrypted or de-identified? Should customer information fall into the wrong hands, can the customer trust that the business can keep their identity safe?

- How frequent and proactive is the business’s security management practice? Does the business have access to notification templates for notifying its customers of a data breach?

Cyber incidents affect company reputation and investor relations, which is why it is important that companies build their risk management strategies transparently and with clarity.

People, Policies & Procedures

A cyber insurance company will delve into the business’s processes and policies before agreeing to a commitment. They will analyse a number of things, including:

- Are roles and responsibilities understood?

- Does information governance dictate checks for monitoring access rights to the information and misuse of access rights?

- Are there approval controls for the transfer of funds?

- Does the business have an adequate privacy policy that communicates to stakeholders how the business collects and manages information?

- Does the business have a regular patch management policy?

- Does the business have a policy of ensuring that ownership of risk and liability is described in all third-party contracts?

Compliance, Disclosure & Transparency

Compliance is vital to a cyber insurance company, particularly for its legal team. The insurer will look at the following aspects of the prospective business:

- What information governance, risk management and security standards does the business conform to?

- Is the business PCI compliant?

- Does the business comply with the Privacy Act?

- Has the business had a data privacy incident in the past?

- When completing the application form, has a Director of the company signed the insurance application form?

Transferring risk to a third-party insurer must be supported by evidence of information governance. Any negligence in information governance practices reflects the inability of part of the business to take the right actions to prevent and mitigate a cyber incident.

Buying a Policy

Risk Register

While myths about policy coverage are rampant, insurance policies are not to blame. Not only are the complexities of cyber risk not well understood, executives are also unable to dedicate enough resources to demonstrate adequate information governance measures.

Policy wordings are designed to respond to specific cyber risk scenarios. Businesses seeking to buy a cyber policy must ensure that they articulate cyber scenarios in their risk register and seek insurance for them. Cyber risk scenarios and their potential impact must be eliminated and mitigated and only residual risk must be transferred.

Risk scenarios must be matched with plain policy wording, and the extent of coverage for those scenarios must be obvious. Managers who do not carry out this exercise lack a proper process for investing in insurance.

It is vital that cyber insurance policies suit both the insured and the business needs. This is easy to do with the help of a cyber insurance broker, as they will be able to recommend the most adequate cyber insurance policy and help negotiate the most suitable policies to match the business needs.

[Figure: Risk Register – Transfer Risk]

Role of Insurance Broker

Cyber risks are evolving. With technology becoming more advanced each day, it is difficult for companies to keep up. With emergent risks, traditional brokers have found it hard to move up the learning curve. Specialist cyber insurance brokers are able to discuss and analyse the business’s needs, requirements and obligations. They also understand the complexities of cyber risk. A broker can help a business to understand coverage, limits, exclusions and deductibles. At the time of buying cyber insurance, a cyber insurance broker will advise a business on how to obtain a health check on all insurance policies so that gaps in total coverage are not taken for granted. A broker will also alert clients to their ongoing obligations for all cyber risk scenarios for which policy wordings are sought and matched.

Businesses wishing to assess their cyber risk can source a quote from a broker and know the cost of their cyber risk. Seeking a quote is free of charge and obligation.

Seeking a Cyber Insurance Quote

Usually your broker can procure an indicative quote based on the questions below. However, a final quote can only be based on the information provided in the full application form.

1. What was your revenue in the last 12 months?

2. What policy limit do you require?

3. What industry is your business in?

4. How many records does your business hold?

5. Do you have a business continuity plan? Yes/No

6. Do you encrypt data held by your company on mobile and other devices? Yes/No

7. Do you have firewalls and malware detection systems in place? Yes/No

8. Do you store data on a third-party cloud? Yes/No. If so, who is the cloud service provider?

9. Do your contracts indemnify any third party for a data breach? Yes/No

10. Has your business had a data breach in the last two years? Yes/No

11. Do you regularly implement a written patch management process? Yes/No

12. Do you have a privacy policy? Yes/No

13. Which state is your business located in?

Cyber insurance policies come equipped with a panel of experts who are able to identify risks and reduce the impact of an incident. They also provide a skilled PR team, legal experts to minimise any associated threats or breach costs, and forensic experts who are able to decipher exactly what happened, why it happened and how best to avoid future incidents.


by Meena Wahi - Cyber, Data, IP Insurance Specialist.

Meena Wahi is a cyber insurance and data breach broker, specialising in cyber risk, data privacy, intellectual property risk and cyber crime. She helps organisations identify potential cyber risks and believes that cyber insurance should be a key component of a company’s enterprise risk management strategy.

Connect with Meena on LinkedIn.

What Is Your Business’ Cyber Risk?

Cyber risk is increasing for businesses. Businesses using the Internet for making transactions and conducting activities have never been more vulnerable. Mark Dreyfus, Attorney General of Australia, summarised the cyber risk faced by businesses in the digital age in 2012 as follows:

____________________________________________

Australia’s way of life is now integrally linked with the Internet. The Internet provides a global means of communication and interaction that underpins much of our lives – for government, business and individuals. But while the Internet offers a huge range of opportunities, it also brings risks associated with criminal and malicious activity that seeks to exploit those who use it. In particular, the activities and transactions conducted by business online require diligence to ensure that Australians maximize the opportunities offered by the digital economy.

Mark Dreyfus, Attorney General of Australia
Cyber Crime & Security Survey Report 2012, CERT Australia

____________________________________________


To understand your business’ cyber risk, ask yourself these questions:

  • Does your company have a network connected to the internet or a website?
  • Does your business make use of mobile devices like laptops or mobile media to transport/store data including email communications?
  • Do you collect and store customer information through a CRM system?
  • Do you carry on trading through an e-commerce store?
  • Do you hold files with personal information of your employees?

With most business operations being conducted over the Internet, cyber risk exposures are increasing. What are your business’ first-party risk exposures and the third-party liability exposures? What kind of loss, expenses or fines could you possibly incur in the digital world?


First-Party Cyber Liability Exposures

1. Loss or damage to digital assets such as data or software programs (code), resulting in expense, loss or cost incurred in restoring, updating, re-creating or replacing those digital assets to the same condition they were in prior to the loss or damage.

Example:
Over 100 Australian websites were hacked in 2013 resulting in damage to digital assets (websites). Businesses that suffered such loss included schools, community groups and a dry cleaning business. SMBs are prone to higher cyber risk.

 

2. Business interruption from unplanned network downtime is a major cyber risk: an interruption of service or failure of the network results in loss of income and increased cost of operations, plus any extra cost incurred in minimising the loss and in the forensic investigation of the network failure, all of which can hurt businesses.

Example:
In 2013, the Nasdaq stock exchange suffered a three hour network shutdown. The cause was strain on the system that transmits the huge volume of securities trading data, which disrupted operations. Fewer shares were traded on the exchange that day, resulting in a loss for traders.
  

3. Cyber extortion risk – an attempt to extort money by threatening to damage, restrict or deny service on the network or access to the online store, threatening to release data obtained from the network, and/or attempting to contact customers using social engineering to obtain their personal information. The result is lost revenue and/or the cost of any ransom paid.

Example:
Australian retailer Endless Wardrobe received an email demanding a ransom and then suffered a denial of service attack when it failed to pay the $3500 demanded. The business was unable to operate for over a week, which resulted in a loss of revenue and customers.
 
 

4. Reputation damage risk – a data protection breach becomes public, resulting in loss of customers and/or increased cost of operation.

Example:
Large organisations like ANZ and Telstra have reported data breaches in the past. Customers may decide to leave a company after a data breach. New customers may weigh factors like their personal data security when using a company’s products or services.

 

Third-Party Cyber Liability Exposures

1. Security and privacy breaches pose a constant cyber risk – investigation and defence costs and civil damages associated with a security breach, transmission of malicious code, or breach of third-party or employee privacy rights or confidentiality, including failure by an outsourced service provider.

Example:
Firms like LinkedIn, Apple, Adobe, Google & Vodafone in the US have all faced class action lawsuits in the recent past related to data security or privacy.
 

2. Investigation and defence costs, awards and fines for a privacy breach arising from an investigation or enforcement action by a regulator under security and privacy obligations can be a costly cyber risk.

Example:
Sony was fined by the UK Information Commissioner for the security breach of its PlayStation Network, which took place in 2011. The Information Commissioner’s Office (ICO) fined Sony £250,000 in early 2013.
 
 

3. Customer notification expenses risk – legal, postage and advertising expenses if there is a mandatory legal or regulatory requirement to notify individuals of a cyber security or privacy breach.

Example:
The 2013 ‘Cost of Data Breach Study: Global Analysis’ released by Ponemon Institute in May 2013, estimated the average notification cost only of a data breach in Australia as USD 219.
 

4. Cyber risk associated with multimedia liability – investigation and defence costs and civil damages arising from defamation, breach of privacy or negligence in the publication of any content in electronic or print media, as well as infringement of a third party’s intellectual property.

Example:
The Australian Competition & Consumer Forum (ACCC) website states that an owner of Facebook and Twitter pages becomes the publisher of third party content once it becomes aware of the content and decides not to remove it. Companies can be liable for misleading and deceptive conduct via social media publications, including (depending on the circumstances) for statements not made directly by the company.
 
 

5. Loss of third party data – liability for damage to, corruption of or loss of third-party data or information, and payment of compensation to customers for denial of access, software failure, data errors and system security failure.

Example:
Islington Town Hall in the UK agreed to pay compensation (2013) totaling £43,000 to residents whose personal details, including mental health problems and sexual orientation, were accidentally published by the council on a website.
 

Disclaimer:

“The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.”

______________________________________________________________________________________

A cyber attack can cripple a business of any size. By planning in advance and purchasing a cyber insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.

To learn how a Cyber/Data Breach Insurance policy can help you be prepared for a cyber attack, network security, or data breach event, please complete the box below. Or call Cyber Data-Risk Managers Pty Ltd 03 8640 0962.


What Your Business Should Know About “Australian Privacy Act 1988”?

The Australian Privacy Act, 1988 is being updated. Does your business know enough about the amendments to the Act and how they affect your business?

Q: Do you know that Privacy Act, 1988 will be updated in 2014?

The updates to existing Privacy Act, 1988 (Cth) will come into effect on 12 March, 2014.

Amendments to the Australian Privacy Act 1988 (Cth) do away with the existing National Privacy Principles (NPP), which currently apply to the private sector in Australia, and the Information Privacy Principles (IPP), which currently apply to the public sector in Australia. Instead, a set of uniform principles called the Australian Privacy Principles (“APPs”) shall apply to both public sector and private sector entities in Australia.

Q: Do you know if your business is covered by the Privacy Act, 1988 (Cth)?

The Australian Privacy Act, 1988 applies to organisations in Australia with a turnover of $3 million or more. For organisations with a turnover of less than $3 million, the Privacy Act, 1988 applies only to certain types of small businesses, for example where the small business:

  • provides personal information in exchange for any benefit, service or advantage
  • is related to a business that has an annual turnover of greater than $3 million;
  • provides someone else with a benefit, service or advantage to collect personal information;
  • provides health services and holds health information other than employee records; or
  • is a contracted service provider for a Commonwealth contract.

Note: Small businesses in Australia that aren’t covered by the Privacy Act, 1988 (Cth) can choose to “opt-in” if they so wish.

Q: Do you know that as per changes in the Privacy Act, 1988 (Cth) your business could face fines for breaching personal information privacy?

Businesses could face fines of up to $1.7 million and individuals could face fines of up to $340,000 under the new Privacy Act for serious and repeated interferences with privacy, once incidents of data breach are confirmed.

Q: Do you know that your business has obligations for protecting personal information under the Australian Privacy Act, 1988?

A business must protect the identity of any person whose information they hold.

According to the Office of the Australian Information Commissioner (OAIC) publication ‘Data breach notification — A guide to handling personal information security breaches, April 2012’, referred to here as the ‘OAIC guide’:

“Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse”.

Q: Are these DEFINITIONS related to the Privacy Act, 1988 (Cth) understood by your business?

Personal Information

According to the OAIC website, personal information means “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

Personally Identifiable Information

According to the Wikipedia definition, personal information may be further qualified as “personally identifiable information” (PII), i.e. information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.

Data Breach

Data breach means when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse (OAIC Guide).

Contrary to general belief, a data breach is not a breach of just any data held by an agency, but a breach of the personal information the entity holds. An invasion of privacy is the intrusion on someone’s seclusion or the infringement of their right to anonymity.

Q: Does your business hold personal information that may be covered by the Australian Privacy Act, 1988?

All such data below may be classified as personal information of a person and covered by the Privacy Act, 1988. Does your business hold any of this data for consumers, employees, third party, suppliers, customers, etc?

  • name or address
  • bank account details and credit card information
  • photos, images, videos or audio footage
  • tax file no.
  • information about likes/dislikes
  • racial or ethnic origin
  • health or medical information
  • political opinions
  • places of work
  • memberships
  • beliefs (including religious or philosophical)
  • sexual preferences or practices
  • criminal record
  • biometric or genetic information

Q: How does a data breach occur that may be seen as a breach of Australian Privacy Act, 1988?

According to the OAIC guide, data breaches can occur in a number of ways. Some examples include:

  • lost or stolen laptops, removable storage devices or paper records containing personal information.
  • hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased.
  • databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation.
  • employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
  • paper records stolen/found from insecure recycling or garbage bins.
  • an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address.
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person.

 


Public Relations After Cyber Attack / Data Breach Incident

Cyber attacks and data breaches are now ranked as the top threat to a business’s reputation, along with environmental incidents. According to the Reputation Institute, a “reputation” is the emotional connection stakeholders have with a company. By bringing to light negligence within the company, a data breach/cyber-attack can break the emotional connection between the company and its stakeholders. Poor publicity and negative perceptions follow, spurred on by ever-active social media campaigns, text messages, and other forms of instant communication made possible by technological advances. The double-edged sword of the internet strikes; harmful information can spread in an instant. Unfortunately, a loss of customers and fall in share price often leads to financial loss for the business.

A Ponemon Institute study, The Aftermath of a Mega Data Breach: Consumer Sentiment, found that 29% of existing customers would discontinue their relationship with the company after a data breach.

Building Trust with Customers after a Data Breach/Cyber Attack

How a company responds to the event, along with how quickly and skillfully it communicates with those affected by the incident, can greatly affect its success in retaining customers. Most companies spend large quantities of time debating whether to go public about the cyber-attack/data breach. In doing so, they waste valuable time during which customer identities may be on sale on the black market. Catch of the Day, Australia’s online department store, took 38 months to report a data breach that happened in 2011, a staggeringly long span of time during which much harm was likely done.

Communication after Cyber Attack/ Data Breach

Notification Letters
Mandatory notification law does not exist in Australia. However, OAIC guidelines do stipulate notification to affected clients after a data breach. In data breach notification letters, companies must provide true facts. Consumers seek an honest answer from the company about the data breach and also expect directions on how best to protect their personal information. Consumers are likely to be most fearful about their stolen identities and possible financial losses, and are at the highest danger of losing trust in the company at this stage. Receiving a personal letter from the business can go a long way in creating or maintaining trust; investing time in the customers will give them a sense that they are being cared for and protected.
Other stakeholders, such as investors, are more likely to be concerned with how news of the breach could affect the stock price and the valuation of the company; in this time, it is important for them to learn about acts of restoration and recovery being performed by the business.

Social Media
Communication media for reaching out to stakeholders need to be evaluated. Twitter and Facebook provide an interactive option to post messages and for customers to vent their fears, giving companies the opportunity to respond and reassure the troubled public.

Website
Businesses must post the right message on their website as soon as possible, as it serves as the most trusted source of information. Customers are most likely to go to the company website for the company’s own account of the cyber attack/data breach. By quickly informing the public, businesses can minimize the rumors and speculation sure to spread.
According to the Ponemon Study, a vast majority of respondents found details about data breaches in the media useful for understanding the extent of data compromised and taking actions to protect their personal information from identity theft.

Cost of Crisis Management

Restoring reputation involves an expensive, lengthy process and may never be fully complete. A cyber-attack/data breach places the burden of extra cost on the business. Companies may need to hire Public Relations firms to work out crisis management strategies. A PR firm with experience in managing crisis communications and damage control can help in rebuilding credibility for the company and its brand—a crucial element for business hoping to recover.
Cyber liability/data breach insurance offers a comprehensive risk management solution for assisting in cyber-attack and/or data breach crisis management. Coverages such as the following (depending on the specific policies and endorsements) are included:

Crisis management and customer notification expenses: Emailing/ posting letters, telephone calling with a personalized message for each individual affected by cyber attack/ data breach explaining the data breach. Target, after its cyber attack incident in December 2013, sent an e-mail from CEO Gregg Steinhafel explaining the breach, apologizing, and offering free credit monitoring services to all customers whose data was stolen.

According to a study by Ponemon Institute in 2012, the average notification expense for a company in Australia was USD 219,986. Companies with insurance could have this cost alleviated.

Credit/identity theft monitoring cost: Cyber liability/data breach insurance helps pay for monitoring of credit card usage and credit card numbers and for the reissue of credit cards, all of which support post-breach personal identity protection. It also serves as a good PR tactic, as companies admit to the breach and promise to work with their customers to mitigate all possible harm.

Public relations consultant fees: Offsetting reputation loss and re-establishing the trust of customers may require paying PR consultants. Cyber liability/data breach insurance coverage includes PR consultants’ fees under PR expenses.
In managing the crisis after a cyber-attack/data breach, a business must communicate not only with its customers, but also with its shareholders, employees, regulators, and the community. Corporate boards are increasingly viewing cyber attacks as a risk. The social and reputational capital of a business depends upon trust, communication and relationships. PR firms may find cyber attacks/data breach incidents an opportunity to provide a benefit to the world of business and to society.

As can be seen, cyber-attacks and data breaches are far from simple issues. However, with effective and timely communication and the help of Public Relations professionals, companies can restore and rebuild their reputations. As always, preparation is exceedingly helpful. Knowing the proper steps and measures discussed here before a crisis strikes could be the difference between a serious blow to your company or a minor bruise. Choose the latter.


Get Ready to Shop for Cyber Liability Insurance

Cyber liability insurance policies (also known as “data breach” insurance) and their coverage vary dramatically by insurance carrier. For businesses, choosing the right cyber liability insurance policy can be a challenge. Working with a knowledgeable insurance broker who has experience with cyber liability insurance policies can reduce the challenges.

Before you start shopping, though, there are a few things you need to do to get ready:

1) Assess your cyber hygiene

Before applying for cyber liability insurance, businesses should have policies and procedures in place that show they are protecting and securing their data as well as enforcing their security and privacy policies. While cyber liability insurance can help businesses mitigate risks, it cannot replace good cyber hygiene.

2) Evaluate your needs and priorities

Has your business assessed its risks for a data breach? Depending on your industry, your risk for a data breach may be considered anywhere from minimal to very high.

Has your business conducted a risk assessment? Evaluate, identify and mitigate any gaps in your privacy and security programs prior to applying for a cyber liability insurance policy. The risk assessment can help you assess your needs for cyber liability policy coverage matched to your business vulnerabilities.

3) Predict your data breach

Once you have assessed your risks, you will want to think of as many possible data breach scenarios as you can that could happen to your business. The purpose of this exercise is to arm you with potential data breach scenarios and prepare you to go on a search, with a knowledgeable insurance broker, for a cyber liability policy that fits your needs. While this may seem like a time-consuming process, it could help ensure that you’re covered in the event one of these scenarios happens. The whole purpose of purchasing cyber liability insurance, after all, is to ensure that you are protected from potential risk.

After these three steps, you are ready to compare different cyber liability insurance policies.

*Disclaimer: Conditions apply to each policy, including the information you are expected to provide for a policy to trigger. Coverage may differ based on specific clauses in individual policies. Please ask your broker to explain the additional benefits and exclusions pertaining to your policy.


Australian Websites Hacked: Insurance Case Study

Hacking, a form of cyber attack, is an increasing risk faced by Small and Medium Businesses (SMBs). Hackers recently attacked a number of Australian websites. The SMB websites that were hacked lost all their content, with only a message posted by the hackers left visible: “Stop spying on Indonesia.” Considering the time, effort and money involved in creating and maintaining websites, many such SMBs would consider such a hacking incident nothing short of a crisis. The common reaction to the hack attack may be ‘why them?’

The truth is that hackers can target anyone. In the above hacking incident, the hackers claimed links to the international activist group “Anonymous”. Apparently they enjoyed the chaos such a hack attack would cause for the SMBs, such as dry cleaners, plumbers, schools and small private practices, which owned the hacked sites.

A mere few days prior to the hack attack, the Internet security company McAfee had highlighted in a study that SMBs were operating under a false sense of security about their exposure to cyber risk. SMBs with fewer than 100 employees are actually more vulnerable to a hack attack because their defences are often not as strong as those of larger businesses. Unfortunately, SMBs are also likely to suffer more financially from a hack attack and face a difficult process of recovering from it.

Most hacked SMBs are not only faced with the cost of re-building their website and other forms of online presence such as an e-commerce store, fund-raising platform, donor sign-up page, etc. – they are also confronted with the loss of revenue and the harm to their reputation which frequently accompany website downtime after a hacking incident.
While it cannot be ascertained if SMBs who owned the individual websites that were hacked had hacking insurance coverage or cyber insurance as it is commonly referred to, below is an outline of how such a hacking insurance coverage could have come to their rescue in managing the crisis:

Hacking Insurance Coverage that is part of Cyber Insurance Coverage * could help the business owner(s) pay for the cost of:

1: Website Hack:

- reasonable and necessary expenses incurred for returning the contents and platform of the  hacked websites to the same condition they were in prior to being damaged, destroyed, altered, corrupted, copied, stolen or misused

- hiring a public relations firm to assist in re-establishing business reputation after the hack.

- hiring a forensic consultant to establish the identity of the hacker

- hiring a security consultant to review current electronic security and possible security to prevent future hacking incidents

2: Ransomware:

If your website/e-commerce store cannot function due to a cyber attack and the hacker demands ransom, the hacking insurance policy would cover:

- payment of or reimbursement for the ransom paid to the hacker

- hiring a consultant for the handling and negotiation of the ransom demand (conditions apply) with the hacker

3: Loss of Revenue:

- hacking insurance coverage usually pays for the loss amount for each consecutive hour that your revenue (including internet revenue) is continuously interrupted or materially impaired after the hack; a time retention usually applies in such hacking cases
- payment for the necessary expenses incurred by your business to stop the loss of revenue after the hack

*Disclaimer: Conditions apply for each hacking policy coverage and the information expected from you for filing your claim. Coverage may differ based on specific clauses in individual hacking policies. Please ask your broker to explain any additional benefits and exclusions pertaining to your policy.
