Do you process, transmit or store more than 10,000 financial transactions per year?
Do you use and keep up to date firewalls and anti-virus protection for all systems?
Do you use third parties to complete audits of your systems and security on a regular basis?
Are all portable devices password protected? (mobile phones, laptops, tablets, etc.)
Do you have encryption requirements for all data, including portable media?
Do you have back-up and recovery procedures for business-critical systems, data and information assets?
Do you outsource any part of your network, including storage?
Do you store sensitive information on web servers?
Do you know of any loss payments, fines or penalties being made on your behalf?
Are you aware of any matter which might give rise to a claim or loss under such insurance?
Have you suffered any loss or claim, including but not limited to a regulatory, governmental or administrative action brought against you, or any investigation or information request concerning your handling of personal information?
Does the applicant or any subsidiary have knowledge of any loss payments, fines or penalties being made on behalf of the applicant or any person proposed for coverage under any cyber policy or similar insurance?
Mandatory data breach notification laws came into effect in Australia on 22 February 2018, and with the new regulations come new challenges for Australian business owners and employees around information security and data breach response. Many organisations face regular scams and cyber attacks from criminals using increasingly sophisticated methods, yet claims data shows that the majority of incidents stem from a lack of employee security awareness within the business.
From 22 February, an organisation that becomes aware of a suspected breach must assess within 30 days whether an eligible data breach has occurred. If it has reasonable grounds to believe there has been an eligible data breach, it must notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable.
Responding to an attack or breach can be extremely costly, as business interruption expenses escalate quickly. The average time for an Australian SME to resolve a data breach or attack is 23 days. Could your business continue trading without access to client information, websites, ordering or payment processing systems? We recommend performing a precautionary third-party cyber risk review as soon as practicable.
Tips For Data Breach Response
The tips below are taken from a recent article by Reece Corbett-Wilkins, Associate at Norton Rose Fulbright, published on Insurance Law Tomorrow, which highlights five important steps to take before and after a data breach.
Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.
Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.
Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.
Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post notification.
Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.
How will insurers respond?
Cyber insurance providers in Australia have a panel of experts assembled to resolve your particular incident quickly and cost-effectively. Assistance is available 24/7, as insurers understand the importance of immediately rectifying the issue and returning to business as usual. These experts include incident response IT investigators, forensic accountants, lawyers, and public relations and crisis management consultants. Working with a team of specialists to manage the notification process helps reduce unnecessary downtime and expense.
Dedicated claims specialists will be assigned and should communicate with you regularly to investigate and manage the situation from start to finish.
Many insurers and brokers can assist with data breach response plans; however, each organisation should prepare and test a plan that caters to its own operational nuances. We recommend keeping a physical copy of your incident response plan on hand, because in past attacks plans and procedures stored on the network were encrypted along with everything else and were inaccessible exactly when they were needed.
Cyber insurance has been mentioned a lot in recent media articles because of the constant cyber threats faced by Australian organisations. A widely cited (and much disputed) US figure claims that 60% of companies that suffer a cyber attack go bankrupt within six months. Whatever the true rate, many predict a similar picture will emerge for the Australian market once more data is available.
The 2018 Allianz risk barometer report from 1,911 risk experts across 80 countries indicates that business interruption and cyber incidents rank as the number 1 & 2 major threats to companies through 2018 and in the future.
Aside from technical solutions, awareness and a strong security culture are the most important factors when preventing cyber attacks. A majority of cyber insurance claims stem from relatively simple methods like email phishing rather than the complex attacks which are seen in films. Let’s review some cyber insurance claims and see how these organisations were impacted and the costs covered by cyber insurance.
Hardware Store
Company background: Australian hardware store with approximately 20 employees and annual revenue of $5 million.
Description of event: In a standard case of phishing, an employee at a hardware store ignored internal policies and procedures and opened a seemingly innocuous file attached to an email. The next day the hardware store’s stock order and cash registers started to malfunction and business trade was impaired as a result of the network failing.
Resolution: The hardware store incurred over $100,000 in forensic investigation and restoration services. They also had additional increased working costs of $20,000 and business income loss estimated at $50,000 from the impaired operations. Total costs associated with the event came to $170,000.
Professional Services Firm
Company background: A professional services firm with 25 employees and approximately $7 million in annual revenue.
Description of event: A rogue employee accessed the human resource platform of a professional service provider. The employee acquired and sold social security information on the black market before being apprehended by law enforcement. Thereafter, several cases of identity theft were perpetrated against the professional service provider’s employees.
Resolution: The professional service provider engaged a forensics investigator and outside compliance counsel. It also notified employees of the breach, established a call centre, and provided monitoring and restoration services to impacted employees. Total costs associated with the event came to $75,000.
Bottom Line
As can be seen from the cyber insurance claims above and from previous articles here and here, Australian businesses are vulnerable to a wide variety of scams and attacks from both internal and external sources.
Cyber insurance is a cost effective way to mitigate the expenses faced by all businesses after an attack or data breach.
Contact Cyber Insurance Australia today for a review of your existing insurance policies and a competitive quote.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Many professional groups and associations are beginning to advise their members of the upcoming regulation changes which are going to impact the way businesses approach data and security.
On 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 commences for Australian organisations. The long-overdue amendment to the Privacy Act will require organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm from a data breach.
Data breach notification laws have existed in the US since 2002 and have since been adopted by most states. Europe has also passed the General Data Protection Regulation (GDPR), designed to harmonise data privacy laws across Europe; it will be enforced from 25 May 2018, at which point non-compliant organisations face heavy fines.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach arises when the following three criteria are satisfied:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
this is likely to result in serious harm to one or more individuals and
the entity has not been able to prevent the likely risk of serious harm with remedial action
Examples of a data breach include when:
a device containing customers’ personal information is lost or stolen
a database containing personal information is hacked
personal information is mistakenly provided to the wrong person.
Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations according to the OAIC.
What is the Notifiable Data Breaches Scheme?
The NDB scheme requires organisations covered by the Australian Privacy Act 1988(Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach. Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations according to the OAIC.
Investigating whether a notifiable data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach. For the NDB scheme a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.
The notification to affected individuals must include recommendations about the steps they should take in response to the data breach. The Australian Information Commissioner must also be notified. Organisations need to be prepared to conduct quick assessments of suspected data breaches to determine whether they are likely to result in serious harm.
Not all data breaches are notifiable — the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the OAIC. There are also exceptions to notifying in certain circumstances.
What happens if your IT services provider or other third party with access to your network suffers an attack or data breach which allows your data to be exposed?
The legislation says that if more than one entity holds the same personal records, a breach at one could constitute a breach at the other. However it also considers that both organisations have complied with their notifiable data breach scheme obligations if only one notifies. Organisations are also allowed to decide amongst themselves which will be responsible for the reporting.
For more information about assessing a suspected data breach, please visit the OAIC Assessing a breach page; for more information about notifying individuals about a breach, please visit the OAIC notifying individuals page.
Cyber Insurance
How does cyber insurance fit into the upcoming notifiable data breach changes? Cyber insurance policies are designed to assist a business or organisation with incident mitigation following an attack or breach using various resources and financial compensation. The majority of cyber insurers provide 24/7 incident response hotlines to assist businesses as soon as the incident is discovered with specialist vendors available for overall damage control.
Benefits of a cyber insurance policy include;
Access to the insurers response team
Assistance investigating and resolving data security incidents
Privacy commissioner investigation costs
Cover for civil regulatory fines & penalties
The insurer can advise on the obligation to notify and draft the notification
Legal & public relations support
Customer notification and credit monitoring costs cover
Cover for impacts to profits & increased costs of working
Points to think about before 22 February 2018;
Review existing insurance policies for cyber exclusions and limits of cover
Arrange and test a business continuity plan which specifically addresses a cyber attack or breach
Draft a data breach notification plan
Review contract management and ensure that due diligence is done on contractors’ policies, particularly in the areas of IT security and personal information storage and collection
Only collect and store personal information if it is necessary
Test and ensure information security procedures for effectiveness
Contact Cyber Insurance Australia today for a free review of your existing insurance policies or to get a competitive quote.
Cyber risk management is a hot topic for businesses across all industries, many high profile breaches have been in the media from financial institutions, healthcare organisations, law firms and IT companies. The construction industry is no different and definitely on the radar for cyber criminals.
In a piece written for VirginiaBusiness.com, Collin J. Hite, leader of the Insurance Recovery Group and the Data Privacy and Security practice at Hirschler Fleischer says, “The situation is getting so bad that businesses, large and small, finally are realizing that the question is not if they will get breached, but when. The construction industry is not immune from data breaches.”
Difficulties facing the construction industry
Many construction industry decision makers mistakenly believe their organisations are not at risk because their business does not deal with the general public, have an online presence or handle large amounts of credit card information. While some may not consider construction a target, cyber criminals can see the vulnerabilities. Construction firms hold large amounts of information: confidential employee records, intellectual property, project plans and drawings, financial data and accounts, contractor details and so on.
Traditionally, workers in the construction industry have not had to bat an eyelid about cyber security, which has contributed to an overall lack of security awareness and training, and to scepticism towards cyber risks and insurance.
The Internet of Things also presents new challenges for the industry as new equipment and methods are designed with connectivity in mind. Internet-connected field equipment that can be remotely controlled, for example, is hurriedly rolled out for its efficiency, with far less forethought given to securing those devices or the network access they require.
High Profile Incidents
Let’s take a look at some major cyber incidents which targeted various parts of the construction industry.
Target
“The attackers got access to login credentials for Target’s computer network from one of their vendors, Fazio Mechanical. An employee fell victim to a phishing scam that allowed malware to be installed on the company’s computers. Fazio had access for electronic billing, project management, and contract submission and not because they were remotely monitoring and controlling any of the HVAC and refrigeration systems at any of their stores.”
“Multiple sources close to the investigation now tell this reporter (Brian Krebs) that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” Krebs on Security.
German Steel Mill
The German Federal Office for Information Security (BSI) detailed in a report that attackers used booby-trapped emails to steal logins that gave them access to the mill’s control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.
In its report, BSI said the attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. In particular, said BSI, the attackers used a “spear phishing” campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords. The phishing helped the hackers extract information they used to gain access to the plant’s office network and then its production systems.
Once inside the steel mill’s network, the “technical capabilities” of the attackers were evident, said the BSI report, as they showed familiarity not only with conventional IT security systems but also with the specialised software used to oversee and administer the plant.
Turner Construction was the victim of a spear phishing scam in March when an employee sent tax information on current and former employees to a fraudulent email account. In these scams attackers spoof the “From:” field of an email, or register a look-alike address, so that it appears to come from a trustworthy source, say your CEO or CFO. Typical spear phishing messages request personal information on employees such as names and addresses, tax details, corporate bank account information or login credentials.
In the case of Turner Construction, the information provided to the fraudulent email account included full names, Social Security numbers, states of employment and residence as well as tax withholding data for 2015. All employees who worked for the company in 2015 were affected by the data breach. Turner, which is headquartered in New York, is one of the largest construction management firms in the U.S. with offices in 24 states.
Cyber Insurance Can Help Protect Your Business
The cyber insurance market has already seen a surge in demand for stand alone cyber liability insurance policies as a direct result of the Notifiable data breach regulation which is set to begin from February 22nd 2018. A cyber insurance policy can protect against many potential incidents, including loss of data, cyber extortion, business interruption, identity fraud and malicious data damage.
A good policy will also cover defence costs and the cost of public relations experts, which is very important given the reputational damage and loss of business a data breach is shown to cause. A recent study found that following a data breach or cyber attack, stock prices fall an average of 5%; 31% of consumers impacted by a breach said they discontinued their relationship with the breached organisation, and 65% lost trust in it.
Current scams and prevention methods should be regularly circulated for employee knowledge. There are a number of third parties offering a wide range of solutions such as All Secure IT Services which offer customised managed services for all IT needs or DDM Security Systems which offer email security and encryption solutions.
One email can breach the entire network, so we suggest having employees subscribe to and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates, or join the monthly newsletter at cyberinsuranceaustralia.com.au
Contact us on 1300 462 923 to discuss insurance options today.
Another month and another list of email scams targeting Australian business owners. Let’s dive in and take a look at a few of the nefarious, clever and sometimes simple ways criminals are attacking Aussies. September has been a big month despite a lack of major media coverage after the earlier WannaCry and Petya/NotPetya outbreaks.
Each day millions of malicious emails are sent to individuals and business owners with ever-increasing sophistication. The scammers responsible for the scams below are part of well-organised and well-funded criminal groups that put increasing effort into their activities.
Telstra
Throughout September, Telstra has been impersonated several times by different scammers trying to leverage the telecommunications giant’s reputation and email billing system. As the first image below shows, scammers duplicated the Telstra email bill format, wording and branding from authentic bills to increase legitimacy. Typically these scams advise that an outstanding amount is overdue and direct the reader to the provided links for immediate payment. This scam instead tells many recipients that their account is in credit, relying on curiosity to make victims click without looking for warning signs.
The link in the email initiates a malicious file download designed to steal sensitive information. In this instance the scammers used randomised account numbers; we recommend checking for warning signs such as the sending address and a lack of personalisation. Official Telstra bills carry the account holder’s details and are personalised.
A similar Telstra email scam made the rounds this month, not as sophisticated as the duplicated email above but just as malicious. As seen below, the email contains very few errors and, ironically, includes official links to other Telstra pages, including the Telstra email fraud page warning about exactly these emails.
Despite its lack of branding, many Australians were thrown by the well-worded format and a sending address very close to the official Telstra email bill address.
Xero
The Xero email below, courtesy of MailGuard, shows a very convincing Xero invoice sent to Australian businesses. The email presents a PDF containing the invoice details in a fashion very similar to official Xero emails. The scam relies on randomised amounts from random business names to intrigue recipients into checking the invoice.
The PDF is not an attachment but a link that downloads malware onto the recipient’s machine. The sending address looks legitimate at first glance, but it ends in “@post.xero.inc-r.com”: the registered domain is inc-r.com, and “xero” is just a subdomain label the attacker chose. A good reminder to always check the sending address, and in particular the part immediately before the top-level domain.
AusPost
AusPost has been impersonated before, but this particular scam uses Microsoft OneDrive branding for its emails. The malware arrives as an “AusPost Service Notification” with a randomised subject line similar to ‘AusPost Track – 123456789 -100-98765 Monday September’. Recipients are prompted to view the delivery details in OneDrive using the link provided.
Once clicked, the link takes recipients to a random web page where they are urged to download a .zip file containing ransomware that encrypts their data and demands a bitcoin payment. According to the Australian Government, identical scam emails have also been seen impersonating the Australian Federal Police and e-Toll.
ASIC
This follows earlier ASIC scams we wrote about in July, April and May. The regulator was once again the subject of a large run of malicious emails from cyber criminals impersonating the ASIC brand and reputation.
The sample email below shows how well duplicated this attempt is. The spelling and grammar have very few mistakes, the branding is lifted from official documents, and the email includes links to the official privacy policy and ASIC help section. The two main red flags are the sending address, asic.transaction.no-reply@ato.gov.autsl.com (the registered domain is autsl.com; “ato.gov.au” is only a prefix chosen to look official), which according to MailGuard was registered 24 hours earlier in China, and the lack of individual personalisation.
Recipients are prompted to click a link to download their renewal notice. The link presents a suspicious .zip archive containing malicious files designed to steal personal information. Watch for suspicious ASIC emails, as the regulator is a never-ending target of impersonation by cyber criminals.
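The Xero and ASIC lures above share the same two red flags: a sender address whose registered domain is not the brand's (post.xero.inc-r.com is really inc-r.com; ato.gov.autsl.com is really autsl.com) and a link that fetches a .zip rather than showing a document. The script below is an added example, not code from the original page or from MailGuard, that checks both on raw messages. The brand allow-list, the crude .au suffix handling and the sample emails are all constructed assumptions for illustration; a production mail filter would use a full public-suffix list and a maintained brand list.

```python
"""Flag look-alike sender domains and archive-download links in email.

Added example with constructed samples; not from the original page.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short, organisation-maintained list of the registrable
# domains each impersonated brand really sends from.
BRAND_DOMAINS = {
    "xero": {"xero.com"},
    "telstra": {"telstra.com", "telstra.com.au"},
    "asic": {"asic.gov.au"},
    "ato": {"ato.gov.au"},
    "auspost": {"auspost.com.au"},
}

# Second-level labels under .au that act like a public suffix
# (a crude stand-in for the full public-suffix list).
AU_SECOND_LEVEL = {"com", "gov", "net", "org", "edu", "id", "asn"}

# Links whose path ends in an archive or executable: the delivery method
# used by the AusPost and ASIC lures described in the text.
ARCHIVE_LINK = re.compile(
    r"https?://[^\s\"'<>]+\.(?:zip|rar|7z|exe|js|scr)\b", re.IGNORECASE)


def registrable_domain(host):
    """Return the part of a hostname the sender actually had to register.

    post.xero.inc-r.com -> inc-r.com   (the 'xero' label is decoration)
    ato.gov.autsl.com   -> autsl.com   ('ato.gov.au' is a prefix, not the domain)
    mail.asic.gov.au    -> asic.gov.au
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "au" and labels[-2] in AU_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(from_header):
    """Return (verdict, brand) for a From: header value.

    'lookalike' means a brand name appears in the display name or hostname
    but the registrable domain is not one that brand actually uses.
    Substring matching is deliberately crude; tune the list for real use.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no-address", None
    host = addr.rsplit("@", 1)[1]
    reg = registrable_domain(host)
    haystack = f"{display} {host}".lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack:
            return ("ok" if reg in legit else "lookalike"), brand
    return "unknown-brand", None


def archive_links(text):
    """All links in text that point at an archive or executable download."""
    return ARCHIVE_LINK.findall(text)


def analyse(raw_message):
    """Parse one RFC 822 message and return the red flags found in it."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    verdict, brand = classify_sender(from_header)
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = archive_links(body)
    flags = []
    if verdict == "lookalike":
        flags.append(f"sender domain imitates {brand}")
    if links:
        flags.append("link to archive/executable download")
    return {"from": from_header, "verdict": verdict, "brand": brand,
            "archive_links": links, "flags": flags}


# Constructed samples modelled on the lures described in the text.
SAMPLES = [
    "From: Xero <messaging-service@post.xero.inc-r.com>\n"
    "Subject: Invoice INV-0042 from Sample Pty Ltd\n\n"
    "View your invoice: http://invoice-view.example/Invoice_INV-0042.zip\n",
    "From: ASIC <asic.transaction.no-reply@ato.gov.autsl.com>\n"
    "Subject: Renewal notice\n\n"
    "Download your renewal notice: http://renewals.example/notice.zip\n"
    "Privacy policy: https://asic.gov.au/privacy\n",
    "From: Telstra <noreply@online.telstra.com>\n"
    "Subject: Your Telstra bill\n\n"
    "Your bill is ready at https://www.telstra.com.au/bill\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = analyse(raw)
        print(result["from"], "->", result["verdict"], result["flags"])
```

The point of registrable_domain is that the user-visible part of a hostname (post.xero, ato.gov.au) is free for the attacker to choose; only the label just before the public suffix had to be registered, so that is the only label worth comparing against the brand's real domain.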
This was a small sample of the malicious emails that arrive in inboxes every day. Many scams operate in a similar fashion but borrow different brands for legitimacy; we will continue to report scams each month to help raise awareness. Thanks to MailGuard for their regular blog updates on scam emails circulating in Australia.
In the event that your business is impacted by a cyber attack, data breach or email scam, cyber insurance is a cost effective way to mitigate the expenses, reputational damage and financial loss.
Does your organisation rely on third parties and have you signed agreements with these parties?
Do you know what obligations have been assumed in these agreements?
Does the contract cover losses or damages that arise from a data breach or cyber event?
Does your current insurance coverage clearly cover requirements of these contracts?
These are important questions facing Australian businesses as reliance on technology and third-party vendors continues to increase.
As public awareness of cyber risks and attacks continues to increase, more decision makers are requesting contractual cyber insurance liabilities be specifically addressed similarly to public liability.
Why is cyber insurance appearing on contracts?
Many Australian organisations are beginning to see contractual cyber insurance requirements across a wide variety of industries as cyber risk awareness increases. One way for organisations to protect themselves from financial loss, the expense of regulatory fines, penalties and reputation damage in the event of a data breach is to require contractors and vendors, with access to customer and employee personally identifiable information, to carry a cyber insurance policy.
Currently it’s common practice for vendors to provide proof of certain types and amounts of insurance cover and in some cases having their business named as an additional insured on vendor insurance policies. The types of losses, damages, and costs that arise from a data breach are often not covered by the standard insurance policy requirements listed in typical vendor contracts. Businesses without contractual cyber insurance requirements may leave themselves exposed to unexpected and uninsured losses.
Costs which can follow a breach
Many surveys have indicated that executives are unaware of the full scope of direct & indirect costs which can arise from a cyber attack or data breach.
Direct costs can include:
Forensic IT expenses to determine the cause of the breach and extent of data loss
Business interruption and increased working costs to keep the business operating as usual
Breach notification and response costs
Legal fees
Public relations expenses
Providing credit monitoring and identity theft restoration services
Indirect costs can include:
Loss of income
Goodwill and reputational damage
Should you require vendors to have cyber insurance?
We believe so. Businesses already require their vendors or contractors to indemnify them under public liability, professional indemnity and other existing lines of insurance while completing the work. The same consideration should be given to personally identifiable and sensitive data that could be compromised while the work is undertaken. Serious harm can be caused to an individual or business as a result of a data breach: financial loss, emotional or reputational damage and even physical harm have all been shown to occur.
All third parties who have access to customer or employee personally identifiable information should be having a conversation about sharing or transferring the risk of loss through cyber insurance if there is a data breach. Cyber insurance policies, among other things, typically cover the cost for computer and data loss restoration, notification costs, credit monitoring, and liability to third parties from your failure to handle, manage, store, and control personally identifiable information belonging to others.
The majority of Australian businesses collect and store data about their clients which in most cases is managed by an IT managed services group. According to a May 2016 Ponemon Institute report, 75% of the Australian IT and security professionals surveyed stated that the risk of a third party’s breach is a serious concern and increasing within their organizations.
Current Government View
Regulators in Australia have increased their efforts to bring cyber risks to the attention of organisations, with both the Office of the Australian Information Commissioner (OAIC) and the Australian Securities and Investments Commission (ASIC) providing regularly updated information and resources.
“While in its infancy in Australia, the rapidly growing cyber insurance market may help enforce improved cyber security performance.” “Although some organisations may be implementing international cyber security standards that all organisations can achieve, others are not doing so. In our interconnected world, a solid baseline of cyber security practice is critical to achieving confidence online.” — Australian Government Cyber Security Strategy
The Australian government has recently established a Notifiable Data Breaches scheme to address the growing concern around data breaches and privacy. Full details can be found here – OAIC
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach. This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
If the Privacy Act 1988 (Privacy Act) applies to your business, you need to be aware of the risk that a failure to secure data results in a breach of the Privacy Act. The Privacy Act requires entities to take reasonable steps to protect personal information such as customer details. Significant penalties may apply if you are responsible for a breach of the Privacy Act, including fines of up to $360,000 for individuals and $1.8 million for corporations, as well as the potential for a compensation order.
At Cyber Insurance Australia we believe the Privacy Amendment will continue to drive contractual cyber insurance requirements in the future as more organisations are made aware of their costly responsibilities towards data security.
We will continue to update this page with further developments as the landscape changes for Australian businesses.
Contact us to discuss upcoming changes which may impact your business.