Data breaches and cyber attacks are on the rise, and most Australian companies remain unprepared. Cyber security risk is the highest-ranking risk faced by businesses in 2015 and is the top agenda item for the Federal Government and ASIC.
Employee errors in the digital age can also lead to costly legal problems or data recovery issues, which businesses may not be covered for under traditional insurance policies.
Cyber risk affects all organisations, regardless of industry, sector or size. Here at IAS we have had first-hand experience with small-to-medium businesses that have been hacked and held to ransom, had their systems shut down, or suffered data loss that severely hampered their operations. It cost one of our clients in excess of $20,000 to reformat the information they need to run their business.
Why cyber protection is critical for all businesses
Data breaches and cyber attacks are on the increase and the size of potential losses is vast. A threat report published this July by the Australian Cyber Security Centre (ACSC) noted that the number, type and sophistication of attacks continues to grow. The cyber threat to Australian organisations is undeniable and unrelenting. If an organisation is connected to the internet, it is vulnerable.
Compromise is expensive. It can include financial losses, damage to reputation, loss of intellectual property, and disruption of business. It’s not only malicious attacks that can prove costly; employee error can also be a huge risk, as evidenced by the following real-life examples:
Technology Professional Services
An IT company that provides ATM processing services moved its data backup to an outside storage facility. During the process, an employee of the insured made an error that resulted in individuals being allowed to withdraw money from ATMs, regardless of their bank balances. The entity that owned the ATMs sued the insured to recover the losses.
A financial services company started a blog to convey information to clients and the public. The blog contained a logo/image that was similar to a design that had been copyrighted by another entity. Civil proceedings commenced and the plaintiff demanded in excess of $5 million in damages. Legal costs totaled $1.23 million and a settlement of $2 million was ordered.
Assessing your risk
Depending on the nature of your business and the severity of a cyber attack or data breach, the costs can be anywhere from tens of thousands of dollars, and extreme inconvenience, to losing your business entirely.
Most of our clients think that if they have great IT people, this will not happen to them. Unfortunately, great IT people cannot prevent such things as an employee opening an email attachment that appears to be from Australia Post or an ATO Notice, but turns out to be a virus that infiltrates your systems. This happened recently to one of our own clients at IAS, which is what prompted us to write this blog.
When traditional business insurance policies fall short
There are significant gaps in standard business policies that could have disastrous consequences for Australian businesses. Public and product liability, professional indemnity, commercial crime, directors’ and officers’ (D&O) liability, property damage, and business interruption insurance cover many losses – but not all.
Public and product liability insurance, for example, covers compensation payments relating to personal injury or property damage. However, property damage is generally defined as damage to, or loss of, tangible items, which is unlikely to extend to computer software and other data. Some policies specifically exclude IT hazards.
Most businesses hold property damage and business interruption insurance, but these policies are not suited to covering cyber losses, because they typically require a physical damage trigger.
The increasing frequency of cyber attacks is causing insurers to scrutinise mitigation strategies and, in some cases, exclude cyber risk.
It is crucial for companies to closely consider their cyber-risk profiles and determine whether their existing policies are sufficient. In our experience, a small outlay for cyber protection could save you many thousands in lost income and rectification costs.
How IAS can help
IAS provides Cyber Insurance for small-to-medium-sized businesses. This is not part of the usual business pack insurance but is a specialist contract, which covers you for:
- Hotline available 24/7 to advise on next steps in case of a cyber attack
- Loss of profit/revenue covered if you cannot operate your business
- Any ransom paid is covered and recoverable
- Third-party loss (for any clients) is covered
- Regulatory fines and penalties
- IT provider rectification costs covered.
To find out more about how Cyber Insurance can protect your business, call us on (02) 8268 2900.