More than 48% of small to medium victims paying up
Ransomware, like any sort of malware, can get into your organisation in many different ways: most often buried inside email attachments, via poisoned websites, through exploit kits, on infected USB devices and occasionally even as part of a self-spreading network worm.
Receiving spam emails is part and parcel of doing business for a large number of Australian and international businesses. Our staff regularly speak with employees who laugh and say “of course” when asked whether they receive suspicious emails from unsolicited addresses. Awareness is increasing, but the threat is still not taken seriously enough: some employees scoff at how sophisticated these emails have become. We’ve written previously about recent malicious emails making the rounds, whose polish has caught many Australians off guard.
What is Ransomware?
Ransomware typically encrypts the files on a computer (including network file shares and attached external storage devices), locks you out of Windows, or stops certain applications from running. Victims are then directed to a web page with instructions on how to pay a ransom in bitcoin to unlock the files. The ransom has typically ranged from $500 to $3,000 in bitcoin. Microsoft has also seen some recent ransomware demand that victims complete surveys, which pay the criminal a small amount for each one finished.
There are different types of ransomware, but all of them prevent you from using your PC normally and demand that you do something before you can use it again. Some campaigns are indiscriminate; others research and target a specific victim (using techniques similar to whale-phishing or spear-phishing, which may also be how the attackers gained access to the network in the first place). Any PC is a potential target, whether a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
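The point above about network shares and attached drives is also what a defender can watch for. The following is an added example, not code from the original article or from any vendor it cites: it plants a canary file on a share, then flags a changed or renamed canary, a ransom-note-like filename, an unexpected file extension, or a plaintext file whose byte entropy has jumped to ciphertext levels. The canary name, the `.locked` extension, the keyword list and the set of expected extensions are all assumptions made for the example; the attack is simulated in a temporary directory with constructed files.

```python
"""Canary-file and entropy check for ransomware activity on a file share.

Added example; not code from the original article or any product it mentions.
Assumptions (mine, not the page's): the share is mounted at a scannable path,
the canary name and the '.locked' extension are made up, and the inventory of
'expected' extensions is a stand-in for a real one.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CANARY_NAME = "zz-canary-do-not-open.docx"          # assumed name; sorts last
EXPECTED_EXTS = {".txt", ".csv", ".docx", ".xlsx", ".pdf"}   # assumed inventory
LOW_ENTROPY_EXTS = {".txt", ".csv"}                 # formats that should be far below 8 bits/byte
ENTROPY_THRESHOLD = 7.2                             # bits/byte; text is ~4-5, ciphertext ~7.9+
NOTE_KEYWORDS = ("decrypt", "ransom", "restore_files", "how_to")   # heuristic, assumed


def shannon_entropy(data: bytes) -> float:
    """Empirical bits of entropy per byte of the given data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canary(root: Path) -> str:
    """Write a file no legitimate process should touch; return its SHA-256."""
    content = b"canary document - do not edit\n" * 32
    (root / CANARY_NAME).write_bytes(content)
    return hashlib.sha256(content).hexdigest()


def scan(root: Path, canary_sha256: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    canary = root / CANARY_NAME
    if not canary.is_file():
        findings.append(f"canary missing or renamed: {canary.name}")
    elif hashlib.sha256(canary.read_bytes()).hexdigest() != canary_sha256:
        findings.append(f"canary content changed: {canary.name}")
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == CANARY_NAME:
            continue
        lower = path.name.lower()
        if any(k in lower for k in NOTE_KEYWORDS):
            findings.append(f"possible ransom note: {path.name}")
            continue
        ext = path.suffix.lower()
        if ext not in EXPECTED_EXTS:
            findings.append(f"unexpected extension {ext!r}: {path.name}")
            continue
        # docx/xlsx/pdf are already compressed, so entropy alone is noisy for
        # them; apply the entropy test only where plaintext is expected.
        if ext in LOW_ENTROPY_EXTS:
            ent = shannon_entropy(path.read_bytes()[:65536])
            if ent > ENTROPY_THRESHOLD:
                findings.append(f"high entropy {ent:.2f} bits/byte: {path.name}")
    return findings


def simulate_encryption(root: Path, rename_ext: str = "") -> None:
    """Constructed stand-in for ransomware: overwrite every file with random
    bytes, optionally append an extension, and drop a ransom note."""
    for path in [p for p in root.rglob("*") if p.is_file()]:
        path.write_bytes(os.urandom(path.stat().st_size))
        if rename_ext:
            path.rename(path.with_name(path.name + rename_ext))
    (root / "HOW_TO_DECRYPT_FILES.txt").write_text("Pay 1 BTC to ...\n")   # constructed


def demo(rename_ext: str = "") -> tuple[list[str], list[str]]:
    """Plant the canary, scan a clean share, simulate an attack, scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices.csv").write_text(
            "id,amount\n" + "".join(f"{i},{i * 7 % 900}\n" for i in range(600)))
        (root / "notes.txt").write_text("quarterly planning notes for the board\n" * 150)
        sha = plant_canary(root)
        before = scan(root, sha)
        simulate_encryption(root, rename_ext)
        after = scan(root, sha)
    return before, after


if __name__ == "__main__":
    clean, hit = demo()
    print("clean scan:", clean)
    print("after in-place encryption:", *hit, sep="\n  ")
```

The in-place case (no rename) is the harder one to catch, because file names and extensions look normal; only the canary hash and the entropy of files that should be plaintext give it away. Running `demo(".locked")` instead shows the noisier variant, where the renamed canary and the foreign extension are flagged directly. In production the scan would run on a schedule against the real share, and any finding should trigger isolation of the writing host rather than just a log line.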
Protect your business with cyber insurance.
Ransomware By The Numbers
A recent survey in the U.S. indicated that more than 50% of small to medium enterprises (SMEs) have experienced ransomware and, of those, a staggering 48% paid the ransom.
Reports in 2016 indicated that more than $1 billion was taken in from ransomware alone, with an even higher figure expected for 2017. “The $1 billion number isn’t at all unreasonable and might even be low,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro. The amount of money up for grabs is enormous, and it is easy to see why newcomers are enticed and existing criminal groups have switched their methods.
The above figure was gathered by monitoring known criminal bitcoin wallets. More than $50 million was tracked for each of three wallets associated with the Locky ransomware, and a fourth one processed close to $70 million. CryptoWall brought in close to $100 million before it was shut down this year. CryptXXX gathered $73 million during the second half of 2016, and Cerber took in $54 million.
Smaller ransomware families brought in another $150 million, and the FBI has reported $209 million in ransomware payments during the first three months of 2016. In addition to this $800 million or so in known payments, there are many other Bitcoin wallets that are unknown to researchers and uncounted, pushing the estimated total to $1 billion for all of 2016.
A Mimecast survey in 2016 found that 34 percent of Australian executives consider ransomware to be a ‘high threat’ – well ahead of the 25 percent in the US and 18 percent in South Africa.
Deadlines for ransom payments range from as short as 48 hours to as long as a week.
More than 4,000 ransomware attacks have occurred daily since January 1, 2016, a 300% increase on the 1,000 daily attacks recorded in 2015, according to the US Department of Justice.
Preemptive Protection
Employee Education
Employee error is the leading cause of data breaches and cyber intrusion events. A good information security culture across all staff is beginning to take hold as directors are shown that this is not simply an IT issue.
Data Protection Services
Arranging a solid data protection solution is a terrific fail-safe. As important as employee education is, so is the information security procedure followed day to day. There is a myriad of data protection solutions on the market today from numerous vendors, covering every aspect of the digital side of a business. Have your business audited today!
Applying patches and other software fixes as soon as they become available is one of the best ways to keep criminals away from your sensitive information. Software vendors regularly release updates to fix newly found vulnerabilities that attackers could otherwise exploit. While staying up to date will not stop all attacks, it makes them harder and may discourage attackers from pursuing access to your system.
Most recent versions of popular software can be configured to download and install updates automatically, giving you a great start toward keeping your business secure online.
The majority of businesses we have spoken with, unfortunately, only took precautions as a reactive measure following a breach. Staying ahead of the curve and putting comprehensive cyber security measures in place before it is too late is still the strongest option.
More resources and information about what a typical attack looks like and its life cycle can be found here.
Australia is currently on the receiving end of an estimated 10 million cyber attacks per year, according to professional services firm Deloitte. With such a large dragnet across Australian businesses, it is inevitable that there will be some eye-opening data breaches in the coming year and widespread change to company security procedures. We previously wrote about some of the largest data breaches and exposures of 2016, which found that approximately 2.2 billion personal records were compromised from 2015 to 2016.
The proposed bill, which has been passed by the lower house but is yet to be introduced in the Senate, will make it a requirement to notify the Australian Information Commissioner and affected individuals if their privacy has been breached. With the exception of eHealth data breaches, which fall under the My Health Records Act 2012, mandatory data breach notification does not yet exist in Australia. The former Labor government’s Privacy Amendment (Privacy Alerts) Bill 2013 received bipartisan support to introduce such a scheme, but did not pass the parliament before the 2013 election.
Most government agencies, businesses with an annual turnover in excess of $3 million, and a number of smaller organisations, such as those handling sensitive health data, are all currently subject to Privacy Act obligations.
Official summary of the bill below:
“Privacy Amendment (Notifiable Data Breaches) Bill 2016 implements recommendations of the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice by amending the Privacy Act 1988 to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.”
Mandatory Breach Notification Laws Abroad
Today, approximately 90 countries have data protection laws or relevant court rulings, ranging from Angola and Argentina to Venezuela and Zimbabwe, but many of those countries still don’t require breached organisations to notify either the authorities or the individuals whose personal information was exposed.
At the time of writing, 47 U.S. states, three U.S. territories and Washington D.C. have adopted breach notification laws with varying requirements for organisations. Past attempts to replace them with a single federal law have struggled, in part because some of the changes would have weakened the approach some states already take.
The European Union’s General Data Protection Regulation, which will go into effect May 2018, includes multiple privacy provisions, including mandatory breach notification. The EU regulation is expected to serve as a model for other countries as global awareness spreads.
India has also weighed in on the global discussion, with privacy practitioners stating that the country may not be ready for mandatory breach notification, as it lacks strict regulatory enforcement and is still amending its Right to Privacy Bill 2014. The EU’s GDPR will be especially relevant to the Indian IT industry, which caters to U.S.-based enterprises and processes the personal data of EU, Australian and New Zealand citizens.
“It will also significantly increase compliance costs for service providers, which are already higher when serving EU-based clients, as compared with markets like the USA. However, GDPR also may remove any misgivings about the Indian industry and data security standards in India,” says Mumbai-based Sunder Krishnan, chief risk officer, Reliance Life Insurance Company Ltd.
Legal Problems
Some warn that once the bill is passed, businesses will face problems very similar to those currently seen in the United States. Data breaches frequently lead to identity theft and financial losses, and the victims may be able to sue. On the other hand, organisations that don’t report their breaches face a range of penalties, including fines of up to $340,000 for individuals and up to $1.7 million for companies.
Social media has also increased the pressure on businesses: public customer service complaints are causing reputation and public relations nightmares on an unprecedented scale. Expect to see disgruntled customers rallying together on social media after future data breaches.
Class action lawsuits are being enabled by the online connectivity of claimants and are costing organisations millions. Below are a few high-profile data breach settlements from Classaction.com:
Home Depot (affected 50 million cardholders): $19.5 million settlement
Sony (PlayStation network breach): $15 million
Target: $10 million
Sony (employee information breach): $8 million
Stanford University Hospital and Clinics: $4.1 million
AvMed Inc.: $3.1 million
Vendini: $3 million
Ashley Madison: $1.6 million
LinkedIn: $1.25 million
Companies much prefer settling cases out of court to going to trial, and that is especially true for data breach lawsuits, because there is almost no court precedent for these kinds of cases.
Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.
Insuring Against the Risk
Many Australian insurance providers have already put policies in place to respond to and cover the expenses of a data breach. We recently wrote in detail about where cyber insurance steps in, which can be found here. Expenses typically covered are:
Forensic Investigation
A forensic IT investigation is necessary to determine what occurred, how to repair the damage and how to prevent the same type of breach. Investigation may involve services from a third party security firm or law enforcement.
Business Interruption
The business may be unable to continue trading and may suffer interruption costs due to a network security failure or attack, programming errors or human error. Loss of profits and the costs incurred to keep trading as usual are typically covered under a cyber insurance policy.
Legal & Public Relations
Cyber insurance policies will cover legal defence costs arising from a privacy breach, fines and penalties (to the extent the law allows them to be insured), reputational damage, and public relations expenses to help repair an organisation’s public image after a breach.
Extortion & Blackmail Costs
Policies will cover ransomware and extortion costs arising from criminal organisations or disgruntled employees who demand payment to release, or to refrain from releasing, private information.
Moving Forward
Mandatory breach notification is the best step forward, but it relies heavily on organisations actually discovering that they have been exposed. In recent reports, LinkedIn, Myspace and, of course, Yahoo have all disclosed very high-profile breaches which occurred up to four years earlier and were only discovered years later.
Many large industry players, including Google, Yahoo, Facebook and Microsoft, are stating that the existing voluntary breach notification scheme is effective and doesn’t require change. Despite their position and a mixed reception from the private sector, security experts and business leaders from various industries are getting behind the bill and arguing its benefits.
The OAIC annual reports for 2014-2015 and 2015-2016 lack depth precisely because they depend on voluntary reporting, which itself indicates the need for mandatory laws to be passed. It is likely that the larger industry groups are protecting their interests, having learned from their legal departments abroad what mandatory breach notification entails.
It looks inevitable that the bill will be passed, and public understanding of what happens to personal information will continue to increase.
Arranging an insurance policy, educating employees and instituting solid security processes will be key to mitigating this risk.