.png)
Cyber crime and liability
If you’re thinking a cyber attack won’t happen to you, you might want to think again. No system is automatically immune.
More than 75 per cent of all legitimate or ‘secure’ websites have unpatched vulnerabilities. Fifteen per cent of legitimate websites have vulnerabilities deemed ‘critical’, which means it takes minimal effort for cybercriminals to gain access.
The Australian government’s Cyber Security Strategy estimates cybercrime costs the country A$17 billion (US$13 billion) annually.
SCARY FIGURES
Global cybersecurity company Symantec reports 2015 saw over one million web each and every day, including a record-setting total of nine “‘mega-breaches’ — defined as those in which more than 10 million records were compromised or stolen.
In that year alone, the total reported number of exposed identities jumped 23 per cent to 429 million, with the average number per breach up 21 per cent to 1.3 million.
Also in 2015, Symantec discovered more than 430 million new unique pieces of malware, up 36 per cent from the year before.
Its report into cybercrime also reveals more and more companies, representing an increase of 85 per cent, are choosing not to disclose the full extent of the breaches they have experienced.
A conservative estimate, which includes unreported breaches, pushes the real number of records lost to more than half a billion. That’s a lot of confidential data.
And as more devices are connected, more vulnerabilities will be exploited.
SMALL BUSINESS NOT IMMUNE
‘In the last five years, we have observed a steady increase in attacks targeting businesses with less than 250 employees, with 43 per cent of all attacks targeted at small businesses in 2015, proving that companies of all sizes are at risk,’ Symantec notes.
‘It’s not just Fortune 500 companies and nation-states at risk of having IP stolen — even the local laundry service is a target.’
In one example, an organisation of 35 employees was the victim of a cyber attack by a competitor.
The competitor hid in their network for two years stealing customer and pricing information, giving them a significant advantage.
Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.
And most threat reports only scratch the surface of the threat landscape.
For insurers, there are two key takeaways. Firstly, we need to follow our own advice and get properly covered. The second is to think about the opportunity for diversification.
CYBER LIABILITY ON THE TABLE
Berkshire Hathaway Specialty Insurance (BHSI) launched its first cyber liability offering for Australia in July last year.
Head of Executive & Professional Lines, Matthew Clarke has been helping build the Australian Cyber liability market for the last five years by raising awareness of the risks faced by businesses.
Clarke, who has more than 15 years of experience underwriting and broking Financial Lines business across Asia Pacific, assisted in the development of BHSI’s new cyber liability offering which was led by product manager for cyber liability, Emma Osgood.
‘Emma’s experience and keen interest in this space was the catalyst for building the offering that BHSI has today,’ Clarke says.
‘We spent a lot of time reviewing existing forms [of insurance] and talking to brokers and lawyers locally and in the US to understand where current cyber liability offerings weren’t working.
‘We were also focused on the key drivers for buying the product.’
FRUSTRATION IN THE MARKET
Clarke says he and Osgood discovered a lot of frustration in the market with the lack of clarity in cyber offerings.
‘Many customers in Australia were buying the policies for the incident response services provided in cyber offerings,’ he explains.
The BHSI policy addresses these concerns by ensuring that its wording is clear and has simple triggers such as ‘actual or suspected breach’.
‘Not only does this provide clarity but it ensures that our customers get access to the policy as quickly as possible, which in turn allows our incident response team to provide the fastest possible response to a breach,’ Clarke says.
Clarke adds cyber risk is unique in the challenges that it presents to insurers.
‘We have limited historical claims information to draw upon, and the number and type of threats that can trigger the policy multiplies daily,’ he says.
‘The challenge for us as an insurer is providing an offering that addresses the concerns of our customers at a competitive price in a rapidly evolving market.’
WHAT THE POLICY COVERS
The current BHSI policy provides cover for third party liabilities and first party costs and expenses that customers incur in dealing with a data breach, including:
· data rectification costs
· extortion costs
· business interruption costs
· regulatory costs (including associated fines and penalties)
· emergency response costs
· liability to third parties.
‘The market is still in the early stages of development,’ Clarke says.
‘Our estimates are that the current market for cyber liability in Australia is around $30 million and I think this would represent less than five per cent of businesses in Australia.
‘In the future, I expect that cyber liability will be purchased by most businesses in the country as is the case for property and casualty insurance.’
IMPACT CAN’T BE PREDICTED
For those at the end of a cyber attack, this is little consolation.
‘The threat of a cyber attack and the cost of that attack is different for each company,’ Clarke says.
‘Some companies may face the threat from disgruntled employees while others may hold large amounts of commercially sensitive information highly sought after by competitors or even other countries.
‘The cost of an attack will be largely determined by how well prepared the company is for an attack,’ he adds.
‘Having a business continuity plan incorporating cyber-related attacks that is regularly tested and updated will ensure the cost of an attack is minimised.’
Acknowledgement to ANZIIF.com
