Cybercrime and data breach incidents have the potential to affect all individuals and businesses. “Cybercrime” can mean both crimes directed at computer technology (such as hacking) and crimes where computers are an integral part of an offence, such as online fraud or identity theft. Data breaches may be caused by malicious cybercrime, such as theft and hacking, or inadvertent human or technical error.
A 2014 study conducted by Hewlett Packard found that the average annual cost of cybercrime incurred by a sample of 30 Australian organisations was $4.3 million. The same study found that the average time to resolve a cyber-attack was 23 days, at an average cost of $276,323 per attack. The Attorney-General’s Department reported in its 2013 National Plan to Combat Cybercrime that the cost of cybercrime in Australia is as high as $2 billion annually.
In many cases, legacy insurance policies will not cover these new and evolving cyber risks. For example, business interruption policies are often drafted to cover losses caused by a tangible, physical event (such as fire or flood) and are therefore unlikely to respond to losses caused by a cyber-attack. Other policies expressly exclude internet-related loss. Businesses should therefore consider obtaining advice on the scope of their existing policies and on whether additional, specialised cyber liability coverage is necessary.
Assessment of new cyber liability insurance offerings
The insurance industry has responded to the growing risks and costs faced by businesses as a result of cyber breaches. Insurance providers have developed specific cyber-liability or network security and privacy insurance to cover these new and evolving risks.
Cyber insurance may include a range of coverage options tailored to relevant cyber risks, such as:
- data or privacy breach management cover for the cost of responding to an incident, notification of the affected individual or organisation, remediation, court costs and regulatory fines
- media liability cover for third-party damages for defacement of a website or intellectual property infringements
- extortion liability cover as a result of the threat of extortion
- network security liability cover for third-party damages as a result of a cyber-attack on network security
- network interruption insurance for net income that would have been earned had the security failure not occurred.
Businesses should consider the scope and coverage of their existing insurance arrangements and the possibility of transferring risk by obtaining a specialised cyber-liability policy as part of a cyber-liability and data breach assessment.
Imperative for risk assessment and mitigation
The statistics clearly demonstrate the significant risks posed by the evolving threats of cybercrime and data breaches to Australian companies.
In addition to arranging appropriate insurance coverage, businesses should:
- understand the risks including any industry or organisation specific risks they may face. For example, the risks posed to financial institutions that hold sensitive customer financial information are different in nature to the risks posed to health agencies or organisations that hold sensitive personal health information
- be familiar with the regulatory and compliance framework, including the possibility of a shift towards mandatory data breach notification laws
- be familiar with publications that provide information about how to protect against and respond to cyber-attacks and data breach incidents. The Office of the Australian Information Commissioner, ASIC and APRA have each published guides on data breaches and cyber risk that contain a wealth of information about the risks posed to organisations and steps that may be taken to manage risk
- consider customer and consumer liaison policies in the event that a cyber-attack or data breach occurs, including whether and how to notify customers and clients if their personal data has been compromised
- consider possible risk transfer strategies, including obtaining cyber liability insurance.