With cyber security threats on the rise worldwide, companies have begun utilising traditional risk transfer mechanisms, like insurance, to try and mitigate cost impacts if a data breach occurs.
RSA recently surveyed 272 security professionals globally and found that 40 per cent of the organisations that responded have already purchased cyber insurance, with another 50 per cent contemplating or actively seeking cyber insurance. Telstra’s Cyber Security Report 2017 found that 21.7 per cent of Australian organisations are not currently using or even considering cyber insurance.
Companies seem to be somewhat complacent when it comes to cyber theft. In fact, our global survey found that only 22 per cent of organisations have zero tolerance for cyber theft of intellectual property and, even more surprisingly, a quarter of respondents believe that losing between 11 and 20 per cent of revenue to cyber theft is acceptable.
This calls into question whether the expansion of the cyber-attack surface, combined with a limited understanding of how to use insurance as part of a cyber security strategy, means that IP and revenue loss due to a cyber-attack has become accepted as just another cost of doing business. Is this a realistic attitude for organisations to hold, or have we become too nonchalant about what we deem an acceptable level of cyber incidents in business?
The passage of the mandatory data breach notification legislation in Australia sends the right message: that cyber security is taken seriously by government, and that Australia expects the same to be true in business. A laissez-faire attitude to cyber security will no longer cut it.
The legislation also heightens the case for cyber insurance, in particular for small to medium enterprises, which don’t necessarily have the in-house capability to execute and meet the requirements of the legislation.
However, while growing, cyber risk insurance remains a relatively new field. And while Australian businesses are increasingly turning to cyber risk insurance, many still don’t know how to go about purchasing it.
Ideally, your cyber insurance policy should stand alone, rather than being an addendum to an existing policy. It’s also advantageous if it can be customised to suit your organisation.
Just as with household or car insurance, businesses need to understand the level of coverage that the various cyber insurance policies available actually provide.
First, consider the coverage for incident response and investigations. This is made more important by the mandatory data breach notification legislation. Does the policy provide reimbursable coverage for activities required under the new legislation? Most policies cover ‘boots on the ground’ response. This might include the mechanism to triage the adverse event, forensic analysis, investigations such as reverse engineering, containment and eradication, and evidence collection. In short, it should include anything needed to determine what occurred, how it happened, what was lost, where the lost data may have been sent, and how to repair the damage and prevent the same type of breach from recurring.
Second, ensure the policy covers financial extortion and related lawsuits. Given the prevalence of ransomware, monetary loss through extortion is a very real threat. You want a policy that covers legal expenses associated with the loss of confidential information, IP and patents, as well as legal settlements and regulatory fines. It is not unusual for organisations to face class action lawsuits following a data breach; in fact, it’s becoming more common. In the United States, notifications provided under legislation equivalent to the Privacy Amendment (Notifiable Data Breaches) Act 2016 have tended to closely coincide with the filing of data breach class action complaints.
Yahoo revealed in December 2016 that hackers had stolen data from more than one billion user accounts. The breach itself occurred back in August 2013. This raises the question: does your cyber insurance policy include post-purchase coverage? Does the policy recognise and address the issue of undiscovered breaches that happened before the policy was purchased? Traditionally, policies only provide coverage for events in the year of the claim. Many organisations only discover they’ve been breached when their IP and user information is published on the dark web, and that can be years after the intrusion occurred.
Look for a cyber insurance policy that includes monetary losses arising from business interruptions and downtime, data loss recovery and any associated cost of managing the event. The new mandatory data breach notification legislation creates a direct relationship between information security and your business’ reputation. As such, you should consider whether the policy covers media and communications work to repair reputational damage.
Finally, examine the coverage and limits that may apply for third party providers. For instance, does the policy cover cloud providers? Do any of your service providers have their own cyber insurance? How does that work?
In a joint study, Lloyd’s and the University of Cambridge found the Australian economy faces a potential $16 billion damage bill from cyber-attacks over the next decade. According to Lloyd’s, local demand for cyber insurance has increased by 16,828 per cent in the past two years. Although insurance is a valid risk transfer mechanism, organisations need to understand that there are limits to what can be transferred.
So what does all of this mean for Australian organisations, in the wake of the mandatory data breach notification laws coming into effect? Businesses need to evaluate their cyber security posture and ensure they have breach monitoring and detection capabilities and a cyber security incident response plan in place. In addition, organisations should investigate an appropriate level of cyber insurance cover to mitigate cyber risk and ensure business continuity if a security breach does occur.
Len Kleinman is RSA’s Chief Cyber Security Advisor, APJ.