CYBER CRIME INSURANCE BASICS

What is cyber crime? Cyber crime encompasses almost any criminal activity that can be perpetrated via the internet and computers.

Cyber crimes include cyber-stalking, industrial espionage and information theft, fraud, extortion, identity theft, phishing scams and cyber terrorism. Cyber criminals use malware and viruses, computer and network hacking, denial of service attacks and fraudulent online scams to perpetrate their crimes. They find it relatively easy to access computers and networks inadequately protected by anti-virus software or passwords. They will also directly steal laptops, computers and mobile devices and take advantage of computers that are left unattended.

Cyber crime costs Australian businesses $4.5 billion annually, yet it remains one of the least insured policy areas. Insurance & Risk Professional delves into a high-risk world that has, until now, been largely ignored by brokers and their clients.

Earlier this year, Julia Gillard launched Australia’s first national cyber security strategy and announced the establishment of the Australian Cyber Security Centre.

Australia, the PM said, is “an attractive target for a range of malicious cyber actors” thanks to threats from politically-motivated hackers, as well as criminal networks in nation states.

It highlights a very serious – and potentially expensive – issue that all Australian businesses are facing right now.

Yet many are doing very little about the potential damage that can be caused by cyber crime.

In fact it’s been highlighted by several within the insurance industry as one of the few high-risk areas that is largely ignored by industries and brokers.

Matthew Clarke, Australasian PI Manager, Financial Lines, Chartis, describes cyber crime as “the most talked about, least sold insurance policy in the market”.

He said research from ‘Unisys Security Index – Australia, 2011’ revealed that 85% of Australians would stop dealing with an organisation if their data was breached.

But the PR problems caused by a breach are really just the tip of the iceberg.

According to a 2011 study commissioned by Symantec, the problem of cyber crime currently costs Australian businesses around $4.5 billion annually in cash and productivity losses. The average cost of a data breach in Australia, Clarke quotes from Symantec’s 2011 Cost of Data Breach Study, is $2.16 million.

In November last year, computer hackers from a Romanian syndicate allegedly accessed the IT systems of 100 small Australian retail outlets and stole credit card details of over 500,000 customers.

Losses from the single incident – the biggest theft of credit card data in Australia so far – added up to around $30 million. The probe to bring down the gang involved law enforcement officers from agencies in 13 countries. The Australian Federal Police now considers cyber crime one of its major areas of investigation.

“The internet is an affordable and effective place for small businesses to sell and promote their goods and services,” says research analyst Alice Hutchings in a paper produced for the Australian Institute of Criminology. “However, the internet also provides opportunities for fraudulent behaviour and unauthorised access to business and client data. Attacks on the computer system of a business can have immediate and ongoing effects, such as targeting customers for identity crimes or infecting website visitors with malicious software. It is contended that small businesses in Australia have been slow to implement security technology and policies that may protect their information systems, making them vulnerable to current and future threats.”

But it’s not just the organised crime gangs that create such a threat. Beazley’s cyber expert Paul Bantick, who leads the Technology, Media and Business Services team, says that last year six out of the world’s top ten insured cyber breaches came from staff “doing something silly, such as losing a laptop, misplacing a back-up tape, rogue employees etc”.

Bantick mentions several case studies to illustrate the point. One involved a financial services firm that gave a data back-up tape to a delivery service to take to a secure location. The delivery person’s car was broken into and the tape stolen before it could be delivered. Another involved a hospital that, during a move to new premises, lost a filing cabinet containing confidential patient information. Finally, another breach involved a bank employee regularly stealing customer data and selling it onwards.

“The result of a breach is enormous cost in terms of legal fees, forensics to find out what happened and the impact, notifications to all potential individuals and clients that could have been affected, the offering of a product such as Data Alert to minimise the damage to affected individuals, the need for call centres to handle queries and complaints and, of course, a PR company to manage media,” Bantick says. “The USA is four to five years ahead of Australia because in America legislation was introduced long ago around what must happen after a breach. The result has been an increase in Beazley’s cyber premiums from zero to approximately $100 million in four years. Australia is quickly realising it must go the same way as the PR damage and crisis management resulting from a breach is the same anywhere in the world and the service levels required are just as complex and vital. Delivering a breach response to insureds is more key than the insurance of liabilities in many cases.”

However it occurs, cyber crime adds up to a very real and serious threat to Australian businesses. It’s one that relatively few brokers have the knowledge to brief their clients on. Those businesses, therefore, are operating without a level of protection that could well be essential in the current and future technological climate.

NEED TO KNOW

Professor Allan Manning, Managing Director of LMI Group, says brokers must fully understand the business risks to ensure they’re providing the right advice and cover. “This goes for all the risks of the business, not just cyber crime,” he says.

Brokers must also understand the measures that businesses have already put in place to minimise cyber risk. “Today’s cyber criminals are increasingly clever at gaining undetected access and maintaining an on-going, low-profile presence in a company’s IT environment,” he says.

“Too many organisations are leaving themselves vulnerable to cyber crime based on a false sense of security, in view of the software they have in place which they believe is protecting them. For example, many organisations focus heavily on foiling hackers and blocking pornography while potential and actual cyber crimes may be going undetected and unaddressed. This has generated significant risk exposure, including exposure to financial losses, regulatory issues, data breach liabilities, damage to brand and loss of client and public confidence.”

Some industries have far higher risk profiles than others. At the very top of the tree are businesses that collect confidential information on clients, such as those in the banking, finance and health fields. However, any business that sells products to clients or charges them for services, and does so by collecting credit card and bank details, is at risk. But some organisations are better prepared to face that risk than others.

Kelly Butler, Account Manager, Professional Risks FINEX at Willis Group, agrees that a thorough understanding of the organisation’s current levels of protection is vital to setting a suitable premium. “Look at all of the company’s preventative measures as well as their pre-planned response strategies to a hack or breach,” Butler says. “If a thorough, organisation-wide breach response plan is in place then this is a good demonstration to the insurer that a lower premium is justified.”

“Other good signs are high levels of data encryption, solid anti-virus programs, laptop and mobile security and monitoring, intrusion detection software, adequate and secure data back-up, utilisation of firewall technology and strong social media policies and management. Many well-publicised events have come from defamation and breach-of-IP issues via social media. Cyber policies can cover such issues.”

The application for a quotation for cyber cover, in fact, can be a fantastic cyber-health check for any organisation, Butler says. “As it stands the level of information needed when completing the proposal form requires an in-depth look at current systems, policy and procedures and tends to involve a variety of people throughout the business. Managers have often told me that the application process has led to some major changes within the business by helping them identify some security or procedural deficiencies,” she says.

THE FUTURE

Australia has become recognised as a soft target for cyber criminals, says Clarke. Our organisations are easier to infiltrate because of a past lack of privacy legislation and the lack of preparedness that this brings. But the Prime Minister’s recent announcements point to a major shift in policy and legislation towards a far more secure future. As a result, brokers and insurance clients are becoming far more knowledgeable about, and interested in, the field of cyber cover.

“Australia has dragged its heels, particularly in comparison with the USA,” Clarke says. “But there is now a drive in some broker groups to skill up in this space. Some brokers are now raising the topic with clients, and many clients are raising the topic with their brokers. The government’s concern is causing many of our clients to become interested in cyber issues.”

“I think the opportunities offered by this development, for those within the insurance industry, are twofold. First, it is about retention – if brokers aren’t talking about this to their clients then their competitors will be. Second, it is about new business – if you can specialise and become extremely knowledgeable and well-known in the area then you can claim that niche, that space, as your own. Cyber cover is a serious growth area and it’s not one that any business insurer can afford to ignore right now.”

CASE STUDIES

These case studies, from Kelly Butler at Willis Group, demonstrate the breadth of cyber issues.

Retail – A hacker accessed a retailer’s network and stole the personal details of 15 million customers. The retailer incurred significant costs to deal with the breach including forensic costs, notification costs, fines and credit monitoring costs. Liability claims followed.

Hotel – A hotel group’s point of sale network was hacked and credit card details of six million customers were taken. The hotel experienced high forensic costs to isolate the hack. Additional expenses included mandatory notification costs and fines. The hotel offered all of the individuals two years of credit monitoring services. They also received liability claims for damages from banks.

Airline – An airline received a Distributed Denial of Service (DDoS) attack, bringing down their online sales platform for 48 hours. The airline experienced a significant loss of revenue during the network downtime plus serious costs in dealing with the issue.

Financial Services – An employee of a financial services company left a laptop, containing the personal financial details of its clients, in a public place. Costs included the hire of a PR firm, notification of all of the customers affected, setup of an ID theft/credit alert service call centre and credit monitoring services.

TIPS FOR PREVENTING CYBER ATTACKS

Passwords, email, social networking and out-of-date software all provide opportunities for cybercriminals. To prevent attacks:

  1. Protect your computer with both a firewall and an anti-virus program. Keep your anti-virus program up-to-date and remember to renew your annual subscription.
  2. Back-up all important data. Viruses and malware can destroy vital information.
  3. Create a password of more than six characters with a combination of letters and numbers. Do not save the password on your computer or share it with others and change it regularly.
  4. Email is the most likely route for viruses and hackers. Do not open any email attachments from people you do not know.
  5. Use the privacy settings on social networking sites to prevent malicious access to your personal information.

POINTERS FROM THE US

In 2012 both Australia and the US passed new cybercrime legislation aimed at increasing the level of cooperation and accountability between countries in order to combat cyber crime and intellectual theft and to further bolster the Council of Europe Convention on Cyber Crime. The convention has 34 signatories including the US and Australia.

On August 2 2012, the US Senate passed the International Cybercrime Reporting and Cooperation Act which has muscular provisions to help improve the capacity of other countries to combat cyber crime. To do this the bill requires US agencies with oversight of cyber crime to report to Congress on the capacities of other countries including the effectiveness of their laws and the measures taken by their government to protect consumers from cyber crime.

Under the bill the US President will be able to give aid to other countries to give priority to improving the effectiveness and capacity of their legal and judicial systems and the capabilities of law enforcement agencies with respect to cyber crime. The aid will include providing foreign countries with the tools to improve critical infrastructure, telecommunications systems, financial industry, legal or judicial systems, or law enforcement capabilities of that country necessary to combat cybercrime.

Based upon the report to Congress the President must create an action plan that will assist the government of a given country to improve the capacity of the country to combat cybercrime. The President is then required to meet with the leaders of each country of “cyber concern” to formulate action plans to combat cybercrime. If a country fails to meet an action plan benchmark within one year, the US can opt to block any new financing or loans for the countries in question, restrict trade to the countries in question and restrict foreign assistance.

CYBER CRIME – THE TRUE COST

What is cyber crime really costing Australia and the rest of the world? Use these jaw-dropping stats if your clients need convincing of the need for cover against cyber crime.

In 2012 the global cost of cyber crime was $114 billion annually – $388 billion if you include downtime.

The annual global cost of cyber crime remediation is $1 trillion.

In 2012 information theft accounted for 44% of total external costs, up 4% from 2011.

Disruption to business or lost productivity accounted for 30% of external costs, up 1% from 2011.

There are 556 million cyber crime victims per year, 1.5 million per day and 18 victims per second.

The total annual cost of cyber crime in Australia is $2 billion, the US $21 billion, Europe $16 billion and China $46 billion.

The average cost per victim of cyber crime is $197 (Norton).

Less than 50% of companies have a documented process for handling data breaches.

73% of (US) companies have not purchased network liability insurance.

Only 46% of worldwide companies have some form of cyber crime insurance.