Cyber-crime has become a priority issue for modern businesses. The Australian Cyber Security Centre (ACSC) concluded in its August 2017 Threat Report:
“The ACSC has observed two distinct trends when it comes to the level of sophistication employed by adversaries and cybercriminals. At one end of the spectrum, increasingly sophisticated exploits are being developed and deployed against well‑protected networks, particularly government networks. This reflects investment in new tools and techniques to keep pace with our efforts to protect networks. On the other end, the ACSC continues to observe many adversaries, particularly criminals, compromising networks using publicly known vulnerabilities that have known mitigations. Too many of the incidents the ACSC responds to could have been prevented had organisations employed established and relatively straightforward cyber security measures.”1
Reports to the Australian Cybercrime Online Reporting Network (ACORN) indicate losses of over $20 million due to business email compromise alone, an increase of over 230% in one year.2
In response to the heightened risk and incidence of cyber-crime and other cyber security threats, cyber insurance is being taken-up by an increasing number of Australian business entities. But not everyone is electing to be covered.
The ASX100 Cyber Health Check Report (June 2017) indicated that the prevalence of cyber-crime insurance among the top ASX100 companies was low with only 38% having taken out cyber cover. Interestingly, although an additional 16% of companies stated they were implementing a policy in the following 12 months, 36% of companies revealed they had considered cyber insurance and decided not to implement a policy.3 The take-up of cyber insurance is even lower in the middle market, with unofficial statistics indicating that 85%-90% of SMEs are opting not to cover themselves.
Cyber insurance premiums may be considered prohibitive in some situations particularly when businesses do not have adequate internal practices or systems that are responsive to the evolution of cybercrime.
Cyber insurance has evolved over the last 20 years. Errors and omissions (E&O) insurance typically used to cover the risk of unauthorised access to a customer system or the destruction of data. Standalone cyber-related insurance products have since been developed to cover:
- data breaches (including the financial consequences of lost or misappropriated customer or employee data);
- investigation and fines following data security breaches;
- the cost of restoring, recollecting or recreating data after a leak or breach;
- damages and defence costs incurred in connection with a breach of a third party’s intellectual property rights, or negligence in connection with electronic content;
- ransom payments to third parties required to end an extortion threat; and
- losses and mitigation costs arising from an Outsource Service Provider (OSP) failure.
A recent example of cyber-crime and which should make organisations think carefully about the need for cyber insurance is ‘island hopping’ a tactic increasingly being used by cyber criminals to leverage from weaknesses within a supply chain by infiltrating the IT systems of suppliers and third parties eventually leading the criminals to the target company. This lateral movement between networks and colonisation of systems can have a ripple effect impacting multiple organisations and exposing the entire supply chain to third party risk. According to a recent report from Carbon Black, more than a third (36%) of today’s attackers now use the victim primarily for island hopping.4
A recent data breach of Australian HR tech platform ‘PageUp’ illustrates the emerging area of cyber liability. PageUp publicly announced on 6 June 2018 that a data breach had occurred. Details about the extent of access, the time and destination of the data are scarce (probably due to the threat of class action litigation) but there has been speculation that the type of data may have included address and contact details, emergency contact details, superannuation details, diversity information, as well as passport and driver license numbers of thousands of workers employed by some of Australia’s largest corporations. The data captured could potentially be used to create false identities or sold into the black market. Key clients including Australia Post, Coles and Telstra responded by shutting down their job portals, some of whom have now severed ties with PageUp. PageUp has declined to disclose if it was insured against cyber-attack.
Not only has this incident created a public relations nightmare for PageUp who was at the time of the attack preparing an Initial Public Offering, but it has served as a warning to other businesses who believe they may be immune as a cyber-target.
This situation presents several challenges for businesses especially for those organisations who are trying to protect themselves from breaches with affiliates who are often smaller companies with immature cyber frameworks.
While organisations continue to evaluate the cost-benefit of cyber insurance, there are a number of proactive steps that can be taken to manage infiltration of trusted suppliers and third parties:
- identify alternate processes in the event of an unexpected data breach which may preclude your organisation from accessing or utilising the systems of suppliers or third parties;
- review and where necessary, negotiate Service Level Agreements to include the mandate of greater security controls such as those provided in guidance by the Australian Cyber Security Centre (ACSC);
- look to include audit rights in contractual arrangements; and
- proactively engage with key service providers and create a culture of cyber safety and awareness within your supply chain.