What is cyber protection insurance?
Cyber protection insurance is an insurance offering designed to help protect your business from the financial impact of a data breach or computer hacking.
In February 2017, the Australian government established a mandatory nationwide data breach notification scheme under the Privacy Amendment (Notifiable Data Breaches) Bill 2016. It means if you become aware of a security breach that could result in unauthorised access or distribution of personal information, you are legally required to report it within 30 days. You are also required to notify those affected.
If your business has a website or electronic records, as most businesses do, you need to be aware of cyber vulnerabilities. Attacks on cyber systems can threaten your intellectual property, customer information and business reputation, and leave you with significant financial repercussions.
The following scenarios are based on events that have occurred – consider the risk to your business if one of these were to happen to you, and weigh up whether you have adequate insurance in place.
Coverage triggers: Cyber Extortion, Incident Response Expenses, Data Asset Loss, Privacy Liability, Business Interruption, Recovery Costs
A law firm was the victim of a hacking attempt. The extent of the data acquired could not be determined, but the hackers may have had access to client information, including one client’s acquisition target, patented technology, venture capital prospectus documents and a large number of class action client lists with sensitive personal information.
The firm hired a forensic technician who established that malware had been planted during the hacking, and subsequently, the firm received a call demanding $10 million to prevent the information being sold or otherwise distributed online.
More than $1 million was spent on the forensic investigation, negotiating the extortion attempt, ransom payments, client notification, credit monitoring and restoration services. Losses to the business totalled more than $500,000.
Total costs associated with the event: $1.5 million.
Intermediary stealing personal information leading to Negligence and Invasion of Privacy
Coverage triggers: Negligence and Invasion of Privacy, Incident Response Expenses, Data Asset Loss, Privacy Liability
A manufacturing business provided leasing services for copy machines over two years. Employees at the company that leased the equipment made copies of private proprietary client information, including personally identifiable information such as pension account details, driver's licences and other personal documentation.
The machine was returned to the leasing company via an intermediary company. A rogue employee at the intermediary company accessed the machine’s data and was able to extract the personal information stored on the equipment.
The manufacturer of the equipment incurred $50,000 in expenses retaining a forensic investigator, alongside notification, identity monitoring, restoration services and independent counsel fees. It also incurred approximately $75,000 in legal defence costs.
Total costs associated with the event: $125,000.
Coverage triggers: Incident Response Expenses, Data Asset Loss, Privacy Liability, Business Interruption, Recovery Costs, Regulatory Fines, Potential Payment Card Loss.
An executive for a telecommunications company had their laptop stolen from a vehicle. The laptop contained confidential customer and employee information, in addition to financial records. Although the device was encrypted, the passwords used throughout it were weak, and the information was compromised.
Total costs associated with the event: $330,000.