Equifax hack acts as a cyber ‘case study’ for brokers

The recent hack on global credit reporting company Equifax can act as a case study for brokers and their clients on what to do, and what not to do, in the event of a cyberattack, an expert has said.

The hack, which was announced a month ago and was then said to have impacted 143 million people, has since been revealed to be worse than originally feared with a further 2.5 million people affected.

Meena Wahi, a specialist cyber broker and director of Cyber Data-Risk Managers, said that the hack and the fall-out following the breach – which has seen Equifax’s CEO retire and class action cases launched – could act as a “very typical” case study for brokers and clients.

“From an insurance perspective, I would urge my clients, especially businesses who don’t have insurance, to look at it as a case study,” Wahi told Insurance Business. “It is really an example that demonstrates no business can take cyber security lightly and, especially with larger enterprises, they are vulnerable on so many fronts.”

The attack came as Equifax failed to patch a vulnerability in its system, which was then exploited by unknown hackers. It took six weeks for Equifax to notify customers impacted as high-level executives sold off almost US$2 million in stock after discovering the breach in late July, before the firm went public with the news, according to The Washington Post.

Wahi said that the hack itself highlighted that businesses of any size cannot afford to let their guard down when it comes to cyber protection.

“You cannot think that you can relax on security and imagine that you will not have a data breach,” Wahi continued. “It highlights that a business their size didn’t have incident response planning and it highlights that, despite everything, a business can still make a stupid mistake and still have a data breach.”

Patch management has been to blame for several large scale cyberattacks so far in 2017, with both Petya and Wannacry earlier in the year exploiting similar vulnerabilities. Wahi said that brokers must ensure that clients keep up-to-date on their patch management or they could face a denial of claim.

“It can happen to any business, small or big,” Wahi noted. “Any website can get hit because they haven’t closed the vulnerability.”

Cyber Insurance: how it works and the benefits of Information Governance

As the number and size of cyber attacks on businesses continue to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant – according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations that were recruited for the research.

As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, it offsets the cost of a potential data breach.

This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them.

What is a cyber incident?

A cyber incident refers to any event that threatens the security, confidentiality, integrity, or availability of information assets (electronic or paper), information systems, and/or the networks that deliver the information. Any violation of computer security policies, acceptable use policies, or standard computer security practices is classified as a cyber incident. (Source: CABQ)

Information governance, along with risk management, may not prevent a cyber attack from occurring, but it can certainly reduce its impact on the affected company. A cyber threat or breach leaves the company exposed to a loss of integrity and compromised access to information. This also results in the inability to provide the right information to stakeholders and the failure to respond to regulatory obligations. Mature cyber risk governance and risk management plans can prevent the disruption of information governance.

Transfer of risk

When dealing with questions of risk transfer, executives may choose to self-insure. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average cost per capita (per compromised record) of a data breach was $139 per organisation surveyed, with the average cost of a data breach totalling $2.51 million. Thus a business experiencing at least two data breaches a year could be expected to set aside $5 million of company funds for data breach response. In such a scenario, investors are likely to find that shareholder returns diminish over time, compounded by reputational loss.

Investing in cyber insurance not only frees up investors’ resources, it is also more cost effective in the long term. In transferring risk to the insurer, businesses must give proof of their information governance practices. If there are no practices in place, the insurance can help businesses devise a plan to prevent cyber threats and the risk of legal issues, financial losses and company failures – before accepting the residual risk.

Business Continuity

As all businesses revolve and evolve based on their data, information is critical for ensuring business continuity. Since cyber threats and cyber theft do happen, it is important that businesses possess the capability to respond well; this includes having a plan in place to respond to the incident swiftly, professionally and with minimal impact.

A business needs to recognise its capability to access the right information to mitigate the effect of a cyber attack.  Key questions that any manager, executive or business owner must ask themselves are:

-        Does the information governance system, including cybersecurity policies and procedures, mandate backup of information assets, systems and data that can be retrieved if a cyber incident leads to operational downtime?

-        Is there proof the business has a written business continuity plan, and are all employees who will need to act on it trained and knowledgeable as to what to do if the risk occurs?

-        It is essential that all employees and affected parties have access to information on how to respond to an incident to minimise any damage. Is this process exactly what cyber insurers want to see in place, in order to mitigate their own exposure?

Trust

Trust and relationships are the biggest factor in ensuring long term sustainability of a business. A savvy cyber insurance company will not accept the transfer of risk if a business cannot demonstrate adequate measures for maintaining trust of all stakeholders and most importantly, customers. Businesses are expected to prove their integrity through questions such as:

-        In storing customer data, does the business ensure information governance in the collection, storage, use and archiving of data? Is the information encrypted or deidentified? Should customer information fall into the wrong hands, can the customer trust that the business can keep their identity safe?

-        How frequent and proactive is the security management practice of the business? Has the business got access to notification templates for notifying its customers of a data breach?

Cyber incidents affect company reputation and investor relations, which is why it is important that companies build their risk management strategies transparently and with clarity.

People, Policies & Procedures

A cyber insurance company will delve into the business processes and policies before agreeing to a commitment. They will analyse a number of things, including:

-        Are roles and responsibilities understood?

-        Does information governance dictate checks for monitoring access rights to the information and misuse of access rights?

-        Are there approval controls for transfer of funds?

-        Does the business have an adequate privacy policy that communicates to stakeholders how the business collects and manages information?

-        Does the business have a regular patch management policy?

-        Does the business have a policy of ensuring ownership of risk and liability is described in all third-party contracts?

Compliance, Disclosure & Transparency

Compliance is vital to a cyber insurance company – particularly for the legal team. The insurer will look at the below aspects of the potential business:

-        What information governance, risk management, security standards does the business conform to?

-        Is the business PCI compliant?

-        Does the business comply with the Privacy Act?

-        Has the business had a data privacy incident in the past?

-        When completing the application form, has a Director of the company signed the insurance application form?

Transferring risk to a third-party insurer must be supported by evidence of information governance. Any negligence in information governance practices reflects the inability of a part of the business to take the right actions to prevent and mitigate a cyber incident.

Buying a Policy

Risk Register

While the myths on policy coverage are rampant, insurance policies are not to be blamed. Not only are the complexities of cyber risk not well understood, executives are also unable to dedicate enough resources to demonstrate adequate information governance measures.

Policy wordings are designed to respond to specific cyber risk scenarios. Businesses seeking to buy a cyber policy must ensure that they articulate cyber scenarios in their risk register and seek insurance for them. Cyber risk scenarios and their potential impact must be eliminated and mitigated and only residual risk must be transferred.

Risk scenarios must be matched with plain policy wording, and the extent of coverage for those scenarios must be obvious. Managers who do not carry out this exercise are lacking in the process to invest in insurance.

It is vital that cyber insurance policies suit both the insured and the business needs. This is easy to do with the help of a cyber insurance broker, as they will be able to recommend the most adequate cyber insurance policy and help negotiate the most suitable policies to match the business needs.

Risk Register:  Transfer Risk


Role of Insurance Broker

Cyber risks are evolving. With technology becoming more advanced each day, it is difficult for companies to keep up. With emergent risks, traditional brokers have found it hard to move up the learning curve. Specialist cyber insurance brokers are able to discuss and analyse the business needs, requirements and obligations. They also understand complexities of cyber risk.  A broker can help a business to understand coverage, limits, exclusions and deductibles. At the time of buying cyber insurance, a cyber insurance broker will advise a business on how to obtain a health check on all insurance policies so that gaps in total coverage are not taken for granted.  A broker will also alert clients on their ongoing obligations for all cyber risk scenarios for which policy wordings are sought and matched.

Businesses wishing to assess their cyber risk can source a quote from a broker and know the cost of their cyber risk. Seeking a quote is free of charge and obligation.

Seeking a Cyber Insurance Quote

Usually your broker can procure an indication quote based on the questions below. However, a final quote can only be based on information provided in the full application form.

1.     What was your revenue in last 12 months? Yes/No

2.     What policy limit do you require? Yes/No

3.     What industry is your business in? Yes/No

4.     How many records does your business hold? Yes/No

5.     Do you have a business continuity plan? Yes/No

6.     Do you encrypt data held by your company on mobile and other devices? Yes/No

7.     Do you have firewalls, malware detection systems in place? Yes/No

8.     Do you store data on a third party cloud? Who is the cloud service provider? Yes/No

9.     Do your contracts indemnify any third party for a data breach? Yes/No

10.   Has your business had a data breach in the last two years? Yes/No

11.   Do you regularly implement a written patch management process? Yes/No

12.   Do you have a privacy policy? Yes/No

13.   In which state is your business located?

Cyber insurance policies come equipped with a panel of experts who are able to identify risks and reduce the impact of an incident response. They also have a skilled PR team, legal experts to minimise any associated threats or breach costs, and forensic experts that are able to decipher exactly what happened, why it happened and how to best avoid future incidents from occurring.


by Meena Wahi - Cyber, Data, IP Insurance Specialist.

Meena Wahi is a cyber insurance and data breach broker, specialising in cyber risk, data privacy, intellectual property risk and cyber crime.   She helps organisations identify potential cyber risks and believes that cyber insurance should be a key component of a company’s enterprise risk management strategy.


What Is Your Business’ Cyber Risk?

Cyber risk is increasing for businesses. Businesses using the Internet for making transactions and conducting activities have never been more vulnerable. Mark Dreyfus, Attorney General of Australia, summarized the cyber risk faced by businesses in the digital age in 2012 as:

____________________________________________

Australia’s way of life is now integrally linked with the Internet. The Internet provides a global means of communication and interaction that underpins much of our lives – for government, business and individuals. But while the Internet offers a huge range of opportunities, it also brings risks associated with criminal and malicious activity that seeks to exploit those who use it. In particular, the activities and transactions conducted by business online require diligence to ensure that Australians maximize the opportunities offered by the digital economy.

Mark Dreyfus, Attorney General of Australia
Cyber Crime & Security Survey Report 2012, CERT Australia

____________________________________________

 

To understand your business’ cyber risk, ask yourself these questions:

  • Does your company have a network connected to the internet or a website?
  • Does your business make use of mobile devices like laptops or mobile media to transport/store data including email communications?
  • Do you collect and store customer information through a CRM system?
  • Do you carry on trading through an e-commerce store?
  • Do you hold files with personal information of your employees?

With most business operations being conducted over the Internet, cyber risk exposures are increasing. What are your business’ first-party risk exposures and the third-party liability exposures? What kind of loss, expenses or fines could you possibly incur in the digital world?

 

First-Party Cyber Liability Exposure

1: Loss or damage to digital assets such as data or software programs (code), resulting in expense/loss/cost incurred in restoring, updating, re-creating or replacing those digital assets to the same condition they were prior to the loss or damage.

Example:
Over 100 Australian websites were hacked in 2013 resulting in damage to digital assets (websites). Businesses that suffered such loss included schools, community groups and a dry cleaning business. SMBs are prone to higher cyber risk.

 

2: Business interruption from unplanned network downtime is a major cyber risk: interruption of service or failure of the network results in loss of income, cost of operations and/or extra cost incurred in minimising the loss, plus the cost of forensic investigation of the network failure, all of which can hurt businesses.

Example:
In 2013, the Nasdaq stock exchange suffered a three-hour network shutdown. The reason was strain on the system from transmitting huge data/high-volume securities trading, resulting in disruption of operations. Fewer shares traded on the stock exchange that day, resulting in a loss for traders.
  

3. Cyber extortion risk – an attempt to extort money by threatening to damage, restrict or deny service of the network or access to an online store, a threat to release data obtained from the network, and/or an attempt to communicate with customers using social engineering tools to get hold of personal information, resulting in loss of revenue/cost of ransom paid.

Example:
Australian Retailer Endless Wardrobe received an email asking for ransom and thereafter suffered a denial of service attack when they failed to pay the $3500 asked as ransom. They were unable to operate for over a week which resulted in loss of revenue and customers.
 
 

4. Reputation damage risk – due to a data protection breach becoming public and resulting in loss of customers and/or increased cost of operation.

Example:
Large organisations like ANZ and Telstra have reported data breaches in the past. Customers may decide to leave a company after a data breach. New customers may weigh factors like their personal data security when using a company’s products or services.

 

Third-Party Cyber Liability Exposures

1. Security and privacy breaches pose a constant cyber risk – investigation, defense cost and civil damages associated with a security breach, transmission of malicious code, or breach of third-party/employee privacy rights or confidentiality, including failure by an outsourced service provider.

Example:
Firms like LinkedIn, Apple, Adobe, Google & Vodafone in the US have all faced class action lawsuits in the recent past related to data security or privacy.
 

2. Investigation, defence cost, awards and fines for privacy breach resulting from an investigation or enforcement action by a regulator as a result of security and privacy obligation can be a costly cyber risk.

Example:
Sony was fined by the UK Information Commissioner for the security breach of its PlayStation Network, which took place in 2011. The Information Commissioner’s Office (ICO) fined Sony £250,000 in early 2013.
 
 

3. Customer notification expenses risk – legal, postage and advertising expenses if there is a mandatory legal or regulatory requirement to notify individuals of a cyber security or privacy breach.

Example:
The 2013 ‘Cost of Data Breach Study: Global Analysis’ released by Ponemon Institute in May 2013, estimated the average notification cost only of a data breach in Australia as USD 219.
 

4. Cyber risk associated with Multi-media liability – investigation, defence cost and civil damages arising from defamation, breach of privacy, negligence in publication of any content in electronic or print media, as well as infringement of the intellectual property of a third party.

Example:
The Australian Competition & Consumer Forum (ACCC) website states that an owner of Facebook and Twitter pages will become the publisher of third party content once it becomes aware of the content and decides not to remove it. Companies can be liable for misleading and deceptive conduct via social media publications, including (depending on the circumstances) for statements not made directly by the company.
 
 

5. Loss of third party data – liability for damage to or corruption/loss of third-party data or information, payment of compensation to customers for denial of access, software failure, data errors and system security failure.

Example:
Islington Town Hall in the UK agreed to pay compensation (2013) totaling £43,000 to residents whose personal details, including mental health problems and sexual orientation, were accidentally published by the council on a website.
 

Disclaimer:

“The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.”

______________________________________________________________________________________

A cyber attack can cripple a business of any size. By planning in advance and purchasing a cyber insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.

To learn how a Cyber/Data Breach Insurance policy can help you be prepared for a cyber attack, network security, or data breach event, please complete the box below. Or call Cyber Data-Risk Managers Pty Ltd 02 8987 1913.


What Your Business Should Know About “Australian Privacy Act 1988”?

The Australian Privacy Act, 1988 is being updated. Does your business know enough about the amendments to the Act and how they affect your business?

Q: Do you know that the Privacy Act, 1988 will be updated in 2014?

The updates to the existing Privacy Act, 1988 (Cth) will come into effect on 12 March, 2014.

Amendments to the Australian Privacy Act 1988 (Cth) do away with the existing National Privacy Principles (NPP), which currently apply to the private sector in Australia, and the Information Privacy Principles (IPP), which currently apply to the public sector in Australia. Instead a set of uniform principles called the Australian Privacy Principles (“APPs”) shall apply to both public sector and private sector entities in Australia.

Q: Do you know if your business is covered by the Privacy Act, 1988 (Cth)?

The Australian Privacy Act, 1988 applies to organisations in Australia with a turnover of $3 million or more. For organisations with a turnover of less than $3 million, the Privacy Act, 1988 applies to certain types of small businesses only, for example where the small business:

  • provides personal information in exchange for any benefit, service or advantage;
  • is related to a business that has an annual turnover of greater than $3 million;
  • provides someone else with a benefit, service or advantage to collect personal information;
  • provides health services and holds health information other than employee records; or
  • is a contracted service provider for a Commonwealth contract.

Note: Small businesses in Australia that aren’t covered by the Privacy Act, 1988 (Cth) can choose to “opt in” if they so wish.

Q: Do you know that as per changes in the Privacy Act, 1988 (Cth) your business could face fines for breaching personal information privacy?

Businesses could face fines of up to $1.7 million and individuals could face fines of up to $340,000 under the new Privacy Act for serious and repeated interferences with privacy on confirmation of incidents of data breach.

Q: Do you know that your business has obligations for protecting personal information under the Australian Privacy Act, 1988?

A business must protect the identity of any person whose information they hold.

According to the Australian Information Commissioner (OAIC) publication ‘Data breach notification — A guide to handling personal information security breaches, April 2012’, referred to here as the ‘OAIC guide’:

“Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse”.

Q: Are these DEFINITIONS related to the Privacy Act, 1988 (Cth) understood by your business?

Personal Information

According to the OAIC website, personal information means “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

Personally Identifiable Information

According to the Wikipedia definition, personal information may be further qualified as “personally identifiable information” (PII), i.e. information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Data Breach

A data breach occurs when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse (OAIC guide).

Contrary to the general belief, a data breach is not a breach of data held by an agency, but a breach of the personal information the entity holds. A privacy breach is an intrusion on someone’s seclusion or an infringement of their right to anonymity.

Q: Does your business hold personal information that may be covered by the Australian Privacy Act, 1988?

All of the data below may be classified as personal information of a person and covered by the Privacy Act, 1988. Does your business hold any of this data for consumers, employees, third parties, suppliers, customers, etc.?

  • name or address
  • bank account details and credit card information
  • photos, images, videos or audio footage
  • tax file no.
  • information about likes/dislikes
  • racial or ethnic origin
  • health or medical information
  • political opinions
  • places of work
  • memberships
  • beliefs (including religious or philosophical)
  • sexual preferences or practices
  • criminal record
  • biometric or genetic information

Q: How does a data breach occur that may be seen as a breach of Australian Privacy Act, 1988?

According to the OAIC guide, data breaches can occur in a number of ways. Some examples include:

  • lost or stolen laptops, removable storage devices or paper records containing personal information.
  • hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased.
  • databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation.
  • employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
  • paper records stolen/found from insecure recycling or garbage bins.
  • an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address.
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person.

 


Public Relations After Cyber Attack

Public Relations After Cyber Attack / Data Breach Incident

Cyber attacks and data breaches are now ranked as the top threat to a business’s reputation, along with environmental incidents. According to the Reputation Institute, a “reputation” is the emotional connection stakeholders have with a company. By bringing to light negligence within the company, a data breach/cyber-attack can break the emotional connection between the company and its stakeholders. Poor publicity and negative perceptions follow, spurred on by ever-active social media campaigns, text messages, and other forms of instant communication made possible by technological advances. The double-edged sword of the internet strikes; harmful information can spread in an instant. Unfortunately, a loss of customers and fall in share price often leads to financial loss for the business.

A Ponemon Institute study, The Aftermath of a Mega Data Breach: Consumer Sentiment, found that 29% of existing customers would discontinue their relationship with the company after a data breach.

Building Trust with Customers after a Data Breach/Cyber Attack

How a company responds to the event, along with how quickly and skillfully it communicates with those affected by the incident, can greatly affect its success in retaining customers. Most companies spend large quantities of time debating whether to go public about the cyber-attack/data breach. By doing so, they waste valuable time during which customer identities may be on sale on the black market. Catch of the Day, Australia’s online department store, took 38 months to report a data breach that happened in 2011—a staggeringly long span of time during which much harm was likely done.

Communication after Cyber Attack/ Data Breach

Notification Letters
Mandatory notification law does not exist in Australia. However, OAIC guidelines do stipulate notification to affected clients after a data breach. For data breach notification letters, companies must provide true facts. Consumers seek an honest answer from the company about the data breach and also expect directions on how best to protect their personal information. Consumers are likely to be most fearful about their stolen identities and possible financial losses, and are at the highest danger of losing trust in the company at this stage. Receiving a personal letter from the business can go a long way in creating or maintaining trust—investing time in the customers will grant them a sense that they are being cared for and protected.
Other stakeholders, such as investors, are more likely to be concerned with how news of the breach could affect the stock price and the valuation of the company; in this time, it is important for them to learn about acts of restoration and recovery being performed by the business.

Social Media
The communication media for reaching out to stakeholders need to be evaluated. Twitter and Facebook provide an interactive option to post messages and for customers to vent their fears, giving companies the opportunity to respond and reassure the troubled public.

Website
Businesses must post the right message on their website as soon as possible, as it serves as the most trusted source of information. Customers are most likely to go to a company website to check out the true version about the cyber attack/ data breach. By quickly informing the public, businesses can minimize the rumors and speculations sure to spread.
According to the Ponemon Study, a vast majority of respondents found details about data breaches in the media useful for understanding the extent of data compromised and taking actions to protect their personal information from identity theft.

Cost of Crisis Management

Restoring reputation involves an expensive, lengthy process and may never be fully complete. A cyber-attack/data breach places the burden of extra cost on the business. Companies may need to hire Public Relations firms to work out crisis management strategies. A PR firm with experience in managing crisis communications and damage control can help in rebuilding credibility for the company and its brand—a crucial element for a business hoping to recover.
Cyber liability/data breach insurance offers a comprehensive risk management solution for assisting in cyber-attack and/or data breach crisis management. Coverages such as the following (depending on the specific policies and endorsements) are included:

Crisis management and customer notification expenses: Emailing or posting letters, or telephoning, with a personalized message for each individual affected by the cyber attack/data breach, explaining the breach. Target, after its cyber attack incident in December 2013, sent an e-mail from CEO Gregg Steinhafel explaining the breach, apologizing, and offering free credit monitoring services to all customers whose data was stolen.

According to a study by Ponemon Institute in 2012, the average notification expense for a company in Australia was USD 219,986. Companies with insurance could have this cost alleviated.

Credit/identity theft monitoring cost: Cyber liability/data breach insurance helps with the monitoring of credit card usage and credit card numbers and with the reissue of credit cards, all of which help in post-breach personal identity protection. It also serves as a good PR tactic as companies admit to the breach and promise to work with their customers to mitigate all possible harm.

Public relations consultant fees: Offsetting reputation loss and re-establishing the trust of customers may involve hiring and paying PR consultants. Cyber liability/data breach insurance coverage includes PR consultants' fees under PR expenses.
In managing the crisis after a cyber-attack/data breach, a business must communicate not only with its customers, but also with the shareholders, employees, regulators, and the community. Corporate boards are increasingly viewing cyber attacks as a risk. The Social & Reputational Capital of a business is dependent upon trust, communication and relationships. PR firms may find cyber attack/data breach incidents to be an opportunity to provide a benefit to the world of business and to society.

As can be seen, cyber-attacks and data breaches are far from simple issues. However, with effective and timely communication and the help of Public Relations professionals, companies can restore and rebuild their reputations. As always, preparation is exceedingly helpful. Knowing the proper steps and measures discussed here before a crisis strikes could be the difference between a serious blow to your company or a minor bruise. Choose the latter.

Disclaimer:
“The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.”
______________________________________________________________________________________
A cyber attack can cripple a business of any size. By planning in advance and purchasing a cyber insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.
To learn how a Cyber/Data Breach Insurance policy can help you be prepared for a cyber attack, network security, or data breach event, please complete the box below. Or call Cyber Data-Risk Managers Pty Ltd 02 8987 1913.


Get ready to shop for Cyber liability Insurance

Cyber liability insurance policies (also known as “data breach” insurance) and their coverage vary dramatically by insurance carrier. For businesses, choosing the right cyber liability insurance policy can be a challenge. Working with a knowledgeable insurance broker who has experience with cyber liability insurance policies can reduce the challenges.

Before you start shopping, though, there are a few things you need to do to get ready:

1) Assess your cyber hygiene

Before applying for cyber liability insurance, businesses should have policies and procedures in place that show they are protecting and securing their data as well as enforcing their security and privacy policies. While cyber liability insurance can help businesses mitigate risks, it cannot replace good cyber hygiene.

2) Evaluate your needs and priorities

Has your business assessed its risks for a data breach? Depending on your industry, your risk for a data breach may be considered anywhere from minimal to very high.

Has your business conducted a risk assessment? Evaluate, identify and mitigate any gaps in your privacy and security programs prior to applying for a cyber liability insurance policy. The risk assessment can help you assess your needs for cyber liability policy coverage matched to your business vulnerabilities.

3) Predict your data breach

Once you have assessed your risks, you will want to think of as many possible data breach scenarios as you can that could happen to your business. The purpose of this exercise is to arm you with potential data breach scenarios and prepare you to go on a search, with a knowledgeable insurance broker, for a cyber liability policy that fits your needs. While this may seem like a time-consuming process, it could help ensure that you’re covered in the event one of these scenarios happens. The whole purpose of purchasing cyber liability insurance, after all, is to ensure that you are protected from potential risk.

After these three steps, you are ready to compare different cyber liability insurance policies.

*Disclaimer: Conditions apply for each policy and the information expected from you for a policy to trigger. Coverage may differ based on specific clauses in individual policies. Please ask your broker to explain the additional benefits and exclusions pertaining to your policy.

_____________________________________________________________________________________

A cyber attack or a data breach event can cripple a business of any size. By planning in advance and purchasing a cyber liability insurance or data breach insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.

To learn how a Cyber Liability Insurance/Data Breach Insurance policy can help you be prepared for a cyber attack, network security incident, or data breach event, please complete the box below. Or call Cyber Data-Risk Managers Pty Ltd 02 8987 1913.


Australian Websites Hacked: Insurance Case Study

Hacking, a form of cyber attack, is an increasing risk faced by Small and Medium Businesses (SMBs). Hackers attacked a number of Australian websites recently. SMB websites that were hacked lost all their content and displayed only a message posted by the hackers: “Stop spying on Indonesia.” Considering the time, effort and money involved in creating and maintaining websites, many such SMBs would consider such a hacking incident nothing short of a crisis. The common reaction to the hack attack may be ‘why them?’

The truth is that hackers can target anyone. In the above hacking incident, hackers claimed links to the international activist group “Anonymous”. Apparently they enjoyed the chaos such a hack attack would cause for the SMBs, such as dry cleaners, plumbers, schools and small private practices, which owned the hacked sites.

A mere few days prior to the hack attack, the Internet security company McAfee had highlighted in a study that SMBs were operating under a false sense of security about their exposure to cyber risk. SMBs with fewer than 100 employees are actually more vulnerable to a hack attack because their defenses are often not as strong as those of larger businesses. Unfortunately, SMBs are also likely to suffer more financially from a hack attack and face a difficult process of recovering from an attack.

Most hacked SMBs are not only faced with the cost of re-building their website and other forms of online presence such as an e-commerce store, fund-raising platform, donor sign-up page, etc. – they are also confronted with the loss of revenue and the harm to their reputation which frequently accompany website downtime after a hacking incident.
While it cannot be ascertained whether the SMBs that owned the individual hacked websites had hacking insurance coverage, or cyber insurance as it is commonly referred to, below is an outline of how such hacking insurance coverage could have come to their rescue in managing the crisis:

Hacking Insurance Coverage that is part of Cyber Insurance Coverage* could help the business owner(s) pay for the cost of:

1: Website Hack:

- reasonable and necessary expenses incurred for returning the contents and platform of the hacked websites to the same condition they were in prior to being damaged, destroyed, altered, corrupted, copied, stolen or misused

- hiring a public relations firm to assist in re-establishing business reputation after the hack.

- hiring a forensic consultant to establish the identity of the hacker

- hiring a security consultant to review current electronic security and possible security measures to prevent future hacking incidents

2: Ransomware:

If your website/e-commerce store cannot function due to a cyber attack and the hacker demands ransom, the hacking insurance policy would cover:

- payment of or reimbursement for the ransom paid to the hacker

- hiring a consultant for the handling and negotiation of the ransom demand (conditions apply) with the hacker

3: Loss of Revenue:

- hacking insurance coverage usually pays for the loss amount for each consecutive hour that your revenue (including internet revenue) is continuously interrupted or materially impaired after the hack; time retention usually applies in such hacking cases
- payment for the necessary expenses incurred by your business to stop the loss of revenue after the hack

*Disclaimer: Conditions apply for each hacking policy coverage and the information expected from you for filing your claim. Coverage may differ based on specific clauses in individual hacking policies. Please ask your broker to explain any additional benefits and exclusions pertaining to your policy.


___________________________________________________________________________________________

A hack attack can cripple a business of any size. By planning in advance and purchasing a hacking insurance policy, businesses can minimize their risks, costs, and the impact of a hack attack on their reputation and brand.

To learn how the hacking insurance policy, commonly referred to as a cyber insurance policy, can help you be prepared for a hacking incident, cyber attack, network security, or data breach event, request a quote by completing the box below or call Cyber Data-Risk Managers Pty Ltd on 02 8987 1913.


Evaluating Cyber Liability Insurance Policies

Cyber liability insurance, also known as data breach insurance, has been purchased by businesses to help with response costs. Now, it seems they’re purchasing it out of fear of a lawsuit. With many data breach lawsuits making recent headlines, it’s no surprise. Finding the right policy, though, is an important step in being fully protected.

Once you are ready to shop for cyber liability insurance, it’s important to carefully evaluate the purchase of a cyber liability insurance policy from a variety of angles. The types of coverage offered by cyber liability insurance policies vary dramatically by insurance carrier, so it’s good to start by talking with a knowledgeable insurance broker who has experience with cyber liability insurance policies.

When evaluating and considering the purchase of a cyber liability insurance policy, there are several important steps prior to actually investing in the policy:

Determine how much insurance you need and how much risk you can afford to retain. Once the amount of insurance you need is determined, figure out how much you can afford to pay out of pocket before any cyber liability insurance claims may be paid. This will help you determine your retention or deductible.

Review the types of coverage provided. While cyber liability insurance policies are not standard policies, and vary widely, coverage typically falls into three categories: liability, breach response costs, and fines and penalties. Some things to consider are: Does the insurance carrier have experience with your industry? Is there any special cyber liability coverage applicable to your specific industry or business?

Know what triggers the policy. Will your cyber liability insurance coverage be triggered for a stolen or lost unencrypted laptop or USB flash drive? Loss related to the failure to secure data? Loss related to a breach caused by a negligent employee? Data held in the cloud? What happens if you experience a data breach in which public data is exposed?

What types of data are covered? Some carriers specify the types of data covered, while others do not. Some things to consider: How is sensitive data defined in the specific cyber liability policy? Are paper records included?

What response costs and services are covered in the event of a breach? Most carriers offer coverage for breach response costs and breach services. You will want to check to see if the following are covered (at least) in the cyber liability insurance policy on offer: crisis management and breach notifications, credit monitoring, loss of business income, privacy regulatory defense and penalties, computer forensics investigation, and the hiring of a privacy lawyer.

Find out if you can select your own vendors or counsel. Often, businesses prefer to select their own vendor or counsel, especially if they have a pre-existing relationship with these professionals. Find out upfront whether or not you have a choice or must use the vendors and/or counsel selected by the insurer as part of the cyber liability insurance coverage.

Cyber risk is now considered one of the top emerging risks a business faces and data breaches will continue to happen. Cyber liability insurance offers a great solution to responding to a breach and helps offer peace of mind if a lawsuit were to happen.

 

Disclaimer: Conditions apply for each policy and the information expected from you for a policy to trigger. Coverage may differ based on specific clauses in individual policies. Please ask your broker to explain any additional benefits and exclusions pertaining to your policy.

_____________________________________________________________________________________

A cyber attack/data breach can cripple a business of any size. By planning in advance and purchasing a cyber liability insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.

To learn how a Cyber/Data Breach Insurance policy can help you be prepared for a cyber attack, network security situation, or data breach event, please complete the box below. Or call Cyber Data-Risk Managers Pty Ltd 02 8987 1913.

 

 


Strategies for Dealing With Data Breaches

Data breaches can happen to businesses of all sizes, and therefore the question that must be asked is when one will happen, rather than if one will happen.

Most businesses today realize that, while a data breach can’t be predicted, it should be expected. The focus should shift to how to best handle data breaches that do occur.

Good planning will make the difference between a living nightmare for the whole organization and a prepared organisation that is ready to mitigate harm. The cost of poor planning, meanwhile, can be huge financial losses or even bankruptcy for small and midsized businesses.

This was the case for Impairment Resources LLC, a US medical records firm. The firm filed for bankruptcy in March after a break-in on New Year’s Eve 2011 that led to the compromise of roughly 14,000 files. The cost of dealing with the data breach was prohibitive for the firm, leading to its demise.

Creating a data breach incident response plan, and incorporating it into the organization’s business continuity plan, simply makes business sense. Here are seven things your business can do once your endpoint has been compromised:

- Stay calm. Don’t rush out the minute you learn about your data breach and announce it to the world. You will want to take a deep breath and organize your response team. Involve designated key employees, a privacy attorney, a computer forensics expert, and your cyber insurance agent as part of a total data breach response strategy.

- Call your insurance agent. While traditional business insurance policies do not cover data breaches, a cyber insurance policy will. Your cyber insurance carrier would help coordinate your incident response team.

- Get a computer forensics investigator involved. Before you send out your notification letters, you will want to know whether any sensitive personally identifiable information (PII) was accessed/stolen. Knowing this will determine whether you need to report your data breach and whether notification letters need to be sent.

- Speak with/hire a data privacy lawyer. If you believe that your data breach has exposed sensitive PII, you will want to hire a data privacy attorney to help coordinate your breach from start to finish.

- Send out notifications to potential breach victims. Each state where you do business and where your customers reside will have its own requirements for reporting breaches. Follow state notification laws and adhere to specified time frames for sending out notification letters.

- Offer an identity-theft/credit-monitoring service. While not a requirement, it’s become an industry standard to offer some type of identity-theft/credit-monitoring service to each potential victim.

- Tighten your endpoints and fix data leakage. While no security system is 100 percent foolproof, installing firewalls, updating antivirus systems, investing in an IPS or IDS system, and updating software and patches can help your business minimize the risks of an additional data breach.

How your business responds to a data breach can either harm or enhance your reputation. Take the time to think about the steps involved and to create a data breach incident response plan before a data breach happens.

Disclaimer: Conditions apply for each policy and the information expected from you for a policy to trigger. Coverage may differ based on specific clauses in individual policies. Please ask your broker to explain any additional benefits and exclusions pertaining to your policy.

_____________________________________________________________________________________

A cyber attack can cripple a business of any size. By planning in advance and purchasing a cyber liability or data breach insurance policy, businesses can minimize their risks, costs, and the impact of a cyber attack on their reputation and brand.

To learn how a Cyber Liability/Data Breach Insurance policy can help you be prepared for a cyber attack, network security situation, or data breach event, please complete the box below. Or call Cyber Data-Risk Managers Pty Ltd. 02 8987 1913.
