Do you process, transmit or store more than 10,000 financial transactions per year?
YesNo, less than 10,000
Do you use and keep up to date firewalls and anti-virus protection for all systems?
YesNo
Do you use third parties to complete audits of your system and security on a regular basis?
YesNO
Are all portable devices password protected? (mobile phones, laptops, tablets, etc)
YesNo
Do you have encryption requirements for all data including portable media?
YesNo
Do you have back-up and recovery procedures for business critical systems, data and info assets?
YesNo
Do you outsource any part of your network, including storage?
Yes, we use third party providers.No, all managed in house
Do you store sensitive information on web servers?
YesNo
Do you know of any loss payments, fines or penalties being made on your behalf?
YesNo
Are you aware of any matter which might give rise to a claim or loss under such insurance?
YesNo
Have you suffered any loss or claim but not limited to a regulatory, governmental or administrative action brought against you, or any investigation or information request concerning any handling of personal info?
YesNo
The applicant or any subsidiaries have any knowledge of any loss payments, fines or penalties being made on behalf of any applicant or any person proposed for coverage any cyber policy or similar insurance?
YesNo
Your quote request has been sent successfully, one of our brokers will contact you today! Close this notice.
Business Insurance Quote
Contact details:
Sections
Property & Contents
Yes, please quoteNo, thank you
Public & Products Liability
Yes, please quoteNo, thank you
Cyber Liability
Yes, please quoteNo, thank you
Theft & Money
Yes, please quoteNo, thank you
Computers & electronic equipment
Yes, please quoteNo, thank you
Business Interruption
Yes, please quoteNo, thank you
Machinery Breakdown
Yes, please quoteNo, thank you
Your quote request has been sent successfully, one of our brokers will contact you today! Close this notice.
Criminal attacks on unsuspecting medical practices, hospitals and other areas of the healthcare industry have been happening for years in a digital format. Would-be criminals don’t need to physically walk into the practice and reach behind the counter for sensitive records. Now, thanks to many improvements in technology the vast majority of personal files are shared and kept in digital archives with little protection.
As the tech world surges forward we are seeing an unprecedented amount of data being collected, shared, analysed and stolen on a daily basis. These recent leaps in technology are creating extra points of entry for criminals and more concerns regarding patient privacy than ever before. Despite major media coverage and brazen high profile breaches on governments and global organisations, there is still an upward trend in the frequency and severity of privacy breaches. Some industry vendor reports are indicating these breaches are more likely to happen in the health care industry than any other.
Cyber Insurance Can Help Protect Your Business.
Why Is Healthcare Such A Target?
There are many reasons but some major points which make healthcare a prime target are:
The content of the data is sensitive and more valuable. For example, stolen healthcare data has been sold for 10 times that of credit card info
Time critical access. Usernames & passwords being simplified and left openly available for all staff to save time
The personal data is not easily reset like credit card information. Birth date, names and addresses are nearly impossible to change after a breach
Healthcare has adopted technology very rapidly without full understanding of the vulnerabilities
Medical device manufacturers failing to adequately secure the devices
Typically patient records are stored in large volumes and for many years
Too many people have acess to patient records
Unique Risks for Healthcare Organisations
Staggering amounts of Personally Identifiable Information and Protected Health Information collected, analysed and stored on systems
Sharing of health information with a variety of providers, including specialists
Mobile devices such as tablets and phones gaining much wider use
Employee education not up to date which leaves the organisation open to human error
Systems typically allow access points for hundreds of users including third party vendors
A heavy dependency on outsourced service providers
Many organisations have a chain of liability from providers, payors, third party administrators, technology or hardware firms, pharmacy benefit managers, outsourced network service providers and data storage firms
High Profile Breaches
Internationally many medical device manufacturers are being questioned over their failure to ensure the security of their products and instead transfer their responsibility to health care organizations. While these new devices can drastically increase efficiency and diagnoses, they are also creating vulnerabilities for the network they are connected to. Employee error remains the number one cause of exposure but device vulnerabilities are also at alarming rates.
Cyber insurance policies currently have a wide variation of cover and exclusions as the risk is still evolving. Some policies are asking for encryption across all portable devices, clearly defined regular backup and recovery procedures or independent audits and penetration testing conducted regularly. Over time we will see a clearer understanding and standard of cover.
Some unforeseen risks can arise after a cyber attack as a result of an office being forced to return to paper. The integrity of data and security of the health records; and identity theft of patients also being important risks to consider when reviewing insurance policies.
We recommend that medical industry staff understand the coverage they are getting and make sure ransomware and 3rd party costs are covered in their policy.
Overall though maybe the most important preventative measure at the moment is to educate employees. Current vulnerabilities, scams and prevention methods should be regularly circulated for employee knowledge. One email can breach the entire network, as a result we suggest getting employees to subscribe to the MailGuard blog and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
The Internet of Things revolution has begun and businesses are jumping on board without hesitation, IoT meaning the increasing number of devices which have internet access for one purpose or another. Said to have started in 1991 when a group at the University of Cambridge Computer Labs began using a webcam to monitor the coffee pot levels using their networked camera instead of walking down the hall.
Connectivity in general is also nothing new, we know that the handheld powerhouse in our pockets is constantly sending and receiving data around the world. Recently we tested an anti spyware app called SpyAware which monitors how much data is collected and where it is being sent by other applications. Not surprising, seemingly innocent apps are sending data regularly to hundreds of locations around the world and the same is happening with other new “smart” devices.
Are we haphazardly racing to connect any and all parts of our lives while leaving our private data in the open for the sake of convenience? Absolutely. Watches, children’s toys, televisions, printers, fridges, cars, and just about every appliance in the home or office has seen new versions with network connectivity released. Experts have estimated we have well surpassed the global population with numbers of connected devices with no sign of slowing down.
It is becoming second nature to upgrade to tablets, phones, free customer wifi, smart TV’s and other great technologies. Organisations are taking large steps forward in operational efficiency thanks to the ingenuity of some of these devices but they are also potentially sacrificing staggering amounts of private data to get there.
While we recommend organisations take advantage of the internet of things for marketing, efficiency and business process overhaul. We also strongly recommend understanding the items and their vulnerabilities before adding them to your network.
Insurance
This is an interesting time for insurance providers as the risk for data and identity theft from the staggering abundance of connected devices is unprecedented. Experts have estimated we have well surpassed the global population with numbers of connected devices are are showing no signs of slowing down. Most major insurance providers are proactively researching IoT risks and are trying to pivot accordingly.
Currently many existing business insurance policies will cover basics like theft or accidental damage for items but these policies will not kick in if the device is hacked. Nor will those policies cover data theft or malicious damages caused as a result of the vulnerable device. Cyber insurance policies will round out this area of a risk management report but be sure to understand the policy fine print and the impact of any new devices. For example, some policies will require encryption to be used across all portable devices or risk having the claim denied.
“Things are moving quickly and the insurance industry is playing a bit of catch-up. We know these technologies exist. We already insure them. But what are the future implications? That’s what we need to get our heads around.” says Noel Condon, CEO of AIG
Steven Raynor, Executive General Manager Transformation at QBE Australia and New Zealand recently said in an interview with Insurance and Risk “Insurers will have the opportunity to model and engage in greater analysis and understanding of customers’ needs, as well as fact-based risk assessments about people’s assets.“This opens up the possibility of a whole new range of products and services, and will enable us to more proactively support customers in the management of their risk rather than simply indemnifying them against risks reactively,”
“Network outages could result in significant business interruptions and lead to large losses for businesses. Again, the importance of robust cyber security cannot be understated,” He adds.
Insurers will be looking at more personalised and in depth insurance packages in the future to better asses and quantify business risks. Understanding which devices are being used, encryption & password use for devices, employee education levels, information security procedures, third party vendors used, security audits and a number of other previously unasked questions.
Cyber Insurance Can Help Protect Your Business.
Here a few examples of media coverage for exploited connected devices.
We suggest discussing your current device vulnerabilities with information security staff, researching online and putting a cyber insurance policy in place as soon as possible.
The start of 2017 has seen a nearly constant media trail covering cyber attacks and discussing the risks involved with hacking for businesses small to large and critical infrastructure networks. Yahoo is still in damage control and desperately trying to stop the value of their current buyout with Verizon from slipping any further. Verizon is rumored to pull out of the monstrous takeover for mainly cyber security and reputation concerns.
Many business owners are beginning to recognize the risk and impacts coming their way as a result of media coverage and internal discussions but are still unsure of the specifics regarding cyber insurance. With many options available and a broad range of difference between some insurer details it is easy to take the cheapest stand alone policy or rely on a ‘cyber extension’ added onto another existing insurance policy. For example, adding a $200,000 sub-limit onto a directors & officers or management liability policy. While these options may suit some businesses at this stage, we recommend asking yourself the following questions to assess your companies cyber insurance policy requirements.
What was disclosed in the proposal?
Most businesses are familiar with insurance proposal forms or applications. How a business discloses their operations has great impact on the insurance policies written based on these details. The duty of disclosure states that any misrepresentations, omissions or incorrect statements in the application are grounds for withdrawal of the policy or a claim being declined. Organisations being left to weather the storm due to incorrectly disclosed activities is nothing new and has been argued by insurance providers on countless occasions.
Questions regarding turnover, staff numbers, products, assets, etc are all standard and easily answered but cyber insurance proposal forms have been asking questions surrounding data retention, internal security protocols, penetration tests and audits, privacy policies and more which have been raising eyebrows lately. Some proposal forms are asking which third party vendors are being used (cloud, email & network service management) and if their security procedures are in line with industry security compliance requirements.
Taking the time to discuss the proposal requirements with a counsel of staff and broker will no doubt help to ensure accurate information has been disclosed for your industry specific business situation.
Is this the right broker?
Having a broker with a keen interest in cyber security and your industry is key, we recently discussed the importance of having a cyber-savvy broker, here.
Arranging the most appropriate policy depends on accurate information from your staff and the best advice from your broker. Your adviser should be aware of industry specific litigation precedents as cyber insurance policies are still relatively new in court precedents and terms vary between insurance providers. Knowing the market differences in policy coverage from providers and how to negotiate tailored terms for your unique business needs is also important to keep in mind when assessing your broker. This will help to reduce gaps in cover which would be costly at claim time.
In the event of a claim, you want to be confident your business will be taken care of promptly and professionally. The majority of policies have approved third party vendors which will be used should a claim incident arise but knowing the best attorneys, security analysts, forensic investigators and other response providers is something your broker should be aware of and strive to recommend.
Protect your business with Cyber Insurance Australia.
What are the gaps in coverage?
For most business insurance policies there are certain industry specific clauses and endorsements which if not reviewed can cause large gaps in policy cover, cyber insurance is no different. Understanding and regularly disclosing the risks your business faces will help your adviser make the best amendments and decision for cover.
Some insurers are offering a cyber liability sub section of cover which can easily be added onto a preexisting management liability or directors and officers policy. These additional sections usually have very restricted policy ‘triggers’ and a lower limit of liability than is in line with the national cyber attack average cost of around $276,323. As a result Cyber Insurance Australia recommends arranging a stand alone cyber insurance policy with a sufficient limit of indemnity. That may be the average cost but some organisations claim costs have certainly eclipsed this figure as can be seen in recent claim examples, here.
First party costs are a standard part of these polices however third-party costs can be excluded. There have been a number of data breach class action law suits against organisations not just from disgruntled members of the public who have had information leaked, there have been a handful of B2B client’s whose own business livelihood relies on services offered by the first party organisation. In this example, Amazon’s widely used web servers were effected by a large storm which in turn caused a business disruption to a number of high profile clients such as Westpac, Dominos, Menulog and Foxtel Go. Under a traditional business interruption policy this disruption would not be covered leaving businesses to cover their own expenses.
Having your broker understand how your business operates in the digital world is necessary for accurate cover, the 2016 US case against P.F. Changs illustrates the importance of a greater level of industry knowledge required from insurers and brokers. The restaurant chain requested cover for PCI-DSS assessments but were not able to prove that request was correctly covered in their cyber insurance policy. As a result, Changs was not covered for over $2 million in fees, assessments and included the costs of notifying consumers, replacing cards and reimbursing fraudulent charges. These costs could have been avoided by a carefully worded amendment to the policy terms in line with the clients operations.
It is important to note that crime policies can potentially answer the call from a cyber event but these policies may not cover the complex and unknown details associated with cyber attacks. For example, human error is still the number 1 cause for malware attacks. In a recent US court of appeals decision, the court agreed with the insurer’s denial of cover due to the exposure being human failure to investigate and not a direct result of the malicious email. The decision sets a dangerous precedent for Australian businesses relying on existing policies to cover themselves.
Cyber Insurance Australia recommends reviewing policies annually to cover new business activities and threats as even the best policies should be reviewed regularly.
What will activate the cyber insurance policy?
Nightmare stories of insurance companies declining to cover something which the business owner thought was part of their policy is nothing new. The first question usually asked to your broker or adviser is always “are we covered?”. Understanding when and why your insurance policy will kick in and what is left uncovered is important and should always be discussed with your broker. We recommend having a meeting between your information security staff and your potential broker regarding industry specific risks and business operations to confirm any possible gaps in cover.
With the recent mandatory data breach notification bill being passed, one of the important questions is weather the policy has cover for suspected breaches and associated investigations or strictly confirmed breaches. Investigating a potential breach and reporting to the appropriate government body can be costly and time consuming. Due to the new breach law it is best practice to investigate any suspected breach at length as the bill states any business caught not to be reporting a breach can be fined between $360,000 and $1.7 million.
Confirming if the policy is occurrence based or only applies upon discovery of a breach is on of the most important factors when reviewing cyber insurance cover. Yahoo and a range of high profile organisations have been victims of massive data breaches but even at such a large corporate level these breaches were only discovered a shocking years later when investigating a different suspected breach.
Protect your business with Cyber Insurance Australia.
When lodging a cyber insurance claim saved the day
This month we are taking a look at how a few medium to large Australian businesses responded and recovered from various cyber events and how their cyber insurance was able to assist. In the past 12 months the majority of all cyber attacks against Australian businesses were targeted at small to medium size businesses. Many owners have heard the buzzwords and have seen the major international incidents on the news but haven’t seen a relatable cyber insurance claim from Australian businesses.
Healthcare Provider
100 Employees
Unknown turnover
Incident
A healthcare provider misplaced multiple storage devices which contained sensitive information for over 1 million patients. The provider was unable to determine if the devices were lost, stolen or destroyed. Their lawyers advised the company to notify the affected individuals and assisted the company to address a regulatory investigation into the incident. This investigation saw the company fined for failing to adequately protect the information.
Outcome
The company was fined $75,000 which was covered. Legal costs were covered and totalled just over $1 million including costs in defending claims brought by affected individuals, costs associated with regulator enquiries, and for miscellaneous notification related work.
Total costs to the business were $5,000,000.
Logistics / Freight Forwarding & Warehousing
$30 million turnover
Incident
An Australian logistics, freight forwarding and warehousing organisation was the victim of multiple business interruptions causing their network to be down for a total of 21 days. Could your business survive for 21 days without your network and information?
A disgruntled ex subcontractor turned out to be the culprit and cause of the network outage. The ex subcontractor had vast knowledge of the companies network and when the contractor was released from employment sought malicious revenge. The network was hacked multiple times causing unforeseen business disruption for 21 days.
A forensic IT provider was appointed to identify their main cause and complete restoration of the entire network.
Outcome
$280,000 which was made up of $110,000 in defence costs and $170,000 for forensic IT expenses and lost income.
Third-Party Administrator
500 Employees
$65 million turnover
Incident
A covert organisation hacked an administrator’s network just before a major holiday weekend to steal personally identifiable information. Over 25,000 names and numbers for customer credit cards and personal details for 250 staff members were compromised. Malicious software was also found on an administrators laptop which caused the entire firm to cease business for 72 hours.
The insured client’s customers were unable to access the network for business purposes and sustained malware related impacts to their own systems. The Administrator was sued for impaired network access and conduit related injuries.
Outcome
The administrator incurred costs above $250,000 for forensic investigations, notification and monitoring measures, system restoration and legal advice. The business also calculated more than $2,000,000 in lost business income and extra expense associated with the system outage.
An additional $300,000 in defence costs were incurred and more than $5,000,000 in damages where paid to customers who were unable to access the administrator’s network.
The total cost to the business came to more than $7.55 million.
Cyber Insurance Could Save Your Business
B2B manufacturer
50 Employees
$10 million turnover
Incident
A materials manufacturer leased a copying machine for a 24 month contract through a third-party intermediary. During the lease agreement the manufacturer made copies of proprietary client information and its own employee data.
After the lease had expired the manufacturer returned the copier via the third-party intermediary. During transit back to the leasing company a rogue employee of the third-party intermediary accessed the machine’s data. The proprietary information was stolen and then sold by the employee.
Outcome
The manufacturer was hit with $75,000 for forensic investigation, notification, identity monitoring , restoration services and independent counsel fees. The company also incurred around $100,000 in legal defence costs and $275,000 in indemnity associated with the theft and sale of proprietary client information.
Total costs to the business were over $450,000
Retailer
35 Employees
$20 million turnover
Incident
A major retailer took a new marketing strategy and decided to email promotions to their current clients. The insured company intended to attach a promotional flyer but instead attached a spreadsheet which contained a list of customer names, addresses and credit card information.
The lawyers for the retailer advised them to notify all affected customers and offered credit monitoring support after the fallout. Several of the affected customers brought civil proceedings against the retailer.
Outcome
The retailer lodged their cyber insurance claim which covered the credit monitoring and customer notification costs which totalled $150,000 with legal fees and settlements adding another $250,000.
Total cost to the business was approximately $400,000
Cyber Insurance Could Save Your Business.
Conclusion
From most reports it is only a matter of time rather than a matter of being secure or not. We will continue to publish more cyber insurance claim examples each month.
Thanks to Chubb and LUAW for their claims examples.
