Cyber liability insurance is attracting a lot of buzz in the Australian marketplace, but this heightened interest is not yet reflected in the number of purchases of cyber policies. While high profile multi-nationals are more likely to have already obtained cyber cover, small and medium enterprises (SMEs) do not seem to be purchasing cover despite facing increasing vulnerability to cyber-risks. With mandatory reporting of privacy breaches looking more likely, SMEs are facing an increased risk of a costly cyber incident, yet aren’t buying insurance protection for this risk.
At Carter Newell Lawyers we see this disconnect demonstrated where there are claims made under existing policies which are not covered, but perhaps could have been covered under a cyber-policy. We have outlined below, a few examples of such claims.
After a work-function, an employee of a mortgage broking firm left their laptop on the train on the way home. The laptop contained financial and personal information of the firm’s clients, including some credit card details.
The firm did not have cover for privacy breaches under its traditional policies, and faced costs associated with:
- Assistance in dealing with the possible privacy breaches, including possible notification to the Information Commissioner;
- Contacting the affected clients;
- PR expenses in dealing with media coverage;
- Credit monitoring services for the affected clients;
- Liability for any losses suffered by clients as a result of the possible malicious use of the credit card information; and
- Forensic accounting to ascertain whether and to what extent the laptop and the information it contained had been used to access the firm’s systems and network.
Cyber-policies can provide cover for these losses, as well as assistance in co-ordinating responses to an incident.
A company providing complementary health therapies had one of its employees open up a competing business while still an employee of the business.
He set up a separate email account, but which still contained the company’s name so that clients thought he was connected to the business. However he charged clients using his own EFTPOS terminal, funnelling the money into his own accounts, which meant that clients were unable to claim from Medicare and private health insurers as they had not paid the business itself.
For various reasons, the claim was not covered by the company’s non-cyber policy. Potentially (and depending on the policy) the company could have been covered under a cyber policy for:
- Claims made against the business by the disgruntled clients for the privacy breach resulting from the misused personal information;
- A forensic examination of the computer system to determine the extent of the unauthorised access;
- Legal advice to the firm about the extent of their notification obligations;
- PR assistance if necessary; and
- Procuring a call centre service to handle inquiries by affected individuals.
A cyber policy may have given this practical assistance to help the insured navigate through the technical complications as well as the regulatory environment, which was something it had never envisaged having to consider.
A not-for-profit organisation was engaged in a bitter, high profile dispute with a government body. The government body applied for an injunction ordering that the not-for-profit organisation remove certain information about the government from its website, issue a correction and refrain from future publication of such information.
The not-for-profit organisation made a claim under its traditional liability policy which, as is typical, covered legal fees for claims for damages. However, in this case, the government body was not seeking damages, but was seeking an injunction regarding the publication of information on the organisation’s website. As such, the organisation had no cover for its legal fees.
One of the distinguishing features of cyber policies is that they can provide cover for injunctive relief (as opposed to a claim for damages) which is a relevant limitation of traditional policies when it comes to cyber-risks, and one that insureds may not think to consider.
Cyber policies can provide an effective means of risk transference for SMEs and can bridge the gap between coverage provided under traditional insurance policies and the new risks associated with the digital age.
A whole of business approach towards minimising cyber risks and the associated fall-out from a cyber event should be taken. As part of this, we recommend companies consider how their present insurance coverage responds to cyber events and whether obtaining specialised cyber risk insurance coverage is necessary. It is generally too late to undertake such an exercise in the wake of a cyber event and from our experience, companies can often be left with the significant costs of managing cyber events themselves.