[BreachExchange] Does your organisation have cyber insurance?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 5 20:55:48 EDT 2018


https://www.cso.com.au/article/643401/does-your-organisation-cyber-insurance/

I am going to be bold here and speculate that the percentage of Australian
businesses that currently have cyber insurance is very low, as from the
many conversations that I have had over the last few months it has become
obvious that many businesses don’t see the urgency or need for cyber
insurance. Some just don’t understand what it really is for and why they
need to have it.

With that in mind, I have decided to create this article to try and help
readers of CSO and organisations from small businesses to enterprise
organisations understand why they need cyber insurance. Let’s start at the
beginning and outline a few statistics to indicate the cybersecurity
problem as it exists in Australia and then I will outline what benefits
cyber insurance can bring to your organisation. That way you can better
make a decision on what cyber insurance packages are best suited for your
organisation.

Without making this article a fear mongering exercise to terrify all
business owners and readers, let's just look at some events that have
occurred over the last year:

- Cadbury and TNT were both brought to a halt in June 2017 by a ransomware
infection, with TNT appearing to have been the most severely affected in
Australia (at least from what has been made public) and its parent company
FedEx providing an indicative loss of $374 million from the incident. It was
also indicated that several systems were still not restored as of late 2017
and could be permanently lost, and that operations had to be handled manually
for several months following the incident, with some processes still being
handled manually because some systems were never fully restored.
- In October 2017, the personal information of 5,000 Australian public
servants from the Department of Finance, the Australian Electoral Commission
and the National Disability Insurance Agency was publicly accessible because
of a cloud services misconfiguration. The personal information of almost
50,000 private sector employees had also been insecurely stored on an Amazon
cloud storage service (just one of several such exposures worldwide over the
last few months) and was easily accessible by anyone. This breach was caused
by a private contractor who works with both government agencies and the
private sector.
- On May 23rd 2018, PageUp, a hiring/recruitment software solutions provider,
detected some unusual activity on its IT systems and publicly announced a
possible breach on June 5th 2018. PageUp released the statement as required
by the new data breach notification laws that had been introduced in February
2018. Will PageUp ever recover from this breach? Possibly not, given the
damage it has suffered to its reputation and the likely financial hardship it
will face trying to rebuild that faith in its customers.

These are just three of possibly hundreds of breaches that have occurred over
the last year in Australia; it is hard to get an exact figure because the
mandatory notification laws only came into effect in February. The reality is
that cybercrime is estimated to cost Australian businesses of all sizes around
$4.5 billion every year, with evidence that this trend will only get worse as
we become more and more reliant on data and our electronic devices for both
personal and business use, not to mention that (almost) everything is now
interconnected via IoT.

So what can you do about reducing your organisation's risks?

Some risk-reduction measures are as simple as ensuring that you have an
adequate set of policies and procedures in place, having your systems tested
by a security professional and training your staff to recognise phishing and
scam emails. All of the above will help ensure that your systems are as secure
as they can be and that you are prepared to respond quickly and effectively
when an incident happens - but what about the monetary costs involved with a
breach?

The initial costs to a business from a security breach are easy to pinpoint,
for example:

- Time lost to the organisation from staff not being able to do their jobs,
and labour costs for IT/security specialists to come in and recover your
systems.
- Loss of income from not being able to access encrypted data for outstanding
invoices for which you don't have a physical printed copy. Some customers will
still pay, but you won't know what they owe, or whether they are telling the
truth when they say they have no outstanding invoices at all.
- Cost of new equipment and tools/software required to remediate the breach or
prevent a secondary incident (it is always more expensive to secure systems
after a breach than before one occurs).

Those are the basics most people will be aware of, but what about the hidden
costs:

- Loss of revenue due to the damage to your organisation's reputation.
- Your organisation could be the target of a lawsuit because of a loss of
sensitive data, which means legal fees and possible compensation payouts.
- The organisation could be fined for not meeting regulatory requirements, if
regulation is something your organisation must adhere to.

The list can go on, but as you can see there are many costs relating to a
breach that are not always obvious, and that should help bring into focus the
need to look at cyber insurance for your organisation.

What does cyber insurance cover?

Although policies will vary between insurers, a typical cyber insurance
policy is designed to help you with both preventing breaches in the first
place and dealing with them if and when they occur.

Cyber insurance policies usually include the following:

- The cost of restoring or recreating electronic data following a breach or
leak
- Forensic services to investigate a breach
- PR coaching in the event a breach harms your business’s reputation
- Assistance guarding against data breaches, hacking and employee error
- Guidance on how to respond to a breach
- Funds to cover the adverse financial effects related to a breach
- Funds to cover any fines that might be payable following a breach

Now that you know why you should consider cyber insurance and what a policy
will generally cover, it is very important that you go through all of your
options carefully and understand which items are covered and which
situations/items are excluded under the policy, as all policies are not equal
(whether regulatory fines are insurable at all, for instance, depends on your
jurisdiction). So do your organisation a favour and look into cyber
insurance, so that when a breach occurs your organisation has the support it
needs to survive. You will thank me later.