Australian Cyber Security Magazine, ISSUE 2, 2017


Cyber Insurance: A Buyer’s Guide – Part 1

By Mark Luckin Associate LLB, BLS

Internationally, cyber and privacy liability insurance has grown in popularity and market share, as insureds and insurers alike grapple with the mercurial risks associated with:

- Interconnected business;
- Human error;
- Supply chain dependency;
- A dramatic escalation of increasingly sophisticated intentional or unintentional cyber-attacks; and
- A proliferation of data privacy laws and regulations.

The Australian cyber insurance industry is quickly maturing, leaving risk managers, the C-Suite and the board faced with a plethora of options to insure their organisation’s internet-based and information technology risks. The lack of standard cyber insurance policies leads to confusion in understanding the protections a policy can offer. Let’s look at cyber insurance and demystify the terminology, products and offerings on today’s market.

Cover Basics

Cyber insurance can be used to reduce the impact of a cyber-attack or data breach. A cyber policy provides cover in the event of your organisation suffering a data breach, being hacked, employee error, losses from business interruption, fines, penalties and even civil lawsuits resulting from privacy breaches. Such policies are unique in that most provide not only a (potential) promise to pay, but also a dedicated team of industry-relevant professionals to assist in the event of a claim.


Good cyber insurance policies combine third party liability cover with first party costs and a service offering to assist organisations, both during and after they suffer a breach.

What is the Trigger?

The “trigger” in a cyber insurance policy is the occurrence that leads to coverage and/or the initial response of a policy. Cyber insurance is usually triggered by a network security failure, or the theft, loss or unauthorised disclosure of third party corporate confidential or personal information. Threats come in various guises, such as malicious attacks or hacking, but often arise from simple human error.

Triggers differ between insurers. However, organisations should consider a policy with a broad definition of the trigger, such as “unauthorised access”. Simplified language assists in avoiding confusion, disputes and potentially significant exclusions. Common practice is for insurers to pinpoint specific risks to be covered. Given the evolving threat landscape, organisations should seek policy wording that is as broad as possible, so that if a breach happens, it doesn't matter where it originates.

Ultimately a good cyber insurance policy will be triggered in the event of:

• An intentional or unintentional unauthorised computer system breach and downtime, resulting from a targeted or untargeted attack, or an accidental or intentional employee action;
• External cyber security events including unauthorised breaches caused by Spear Phishing, Ransomware,

