Cyber Security
a bespoke, accurately priced cyber policy that covers an organisation's specific cyber risks. Finally, with respect to submissions to underwriters, organisations should weigh the cost of cyber/IT risk mitigation against the reduction in premium it may bring. Reviewing an organisation's areas of risk, strengths and weaknesses around cyber security, and implementing changes in response, can significantly reduce a cyber insurance premium and help broaden cover. This should be a discussion held with a specialist cyber insurance broker.

Service team offerings (third parties)

As touched upon in Part 1, a common and distinctive aspect of cyber insurance policies is the combination, within one policy, of a (potential) promise to pay with a Crisis Management Service Team offering. Insurers structure these service teams as a "panel offering": a selected group of lawyers, IT specialists, media relations specialists and credit monitoring specialists, designed to assist an organisation from the moment a breach, or suspected breach, occurs. Traditionally this Service Team is accessed through a dedicated 24/7 incident response "hotline". Depending on the insurer, these hotlines may be staffed by loss adjusters, internal claims teams or even lawyers.

As with wordings, service team offerings differ between insurers. The suitability of a service team also needs to be considered alongside limits of liability and alternative wordings. As noted above regarding discrepancies in wordings, organisations will want to partner with the service team best suited to them. This again comes down to an assessment of the organisation's most likely area of exposure or concern, i.e. business interruption loss or privacy breach. A healthcare organisation is again a convenient example, where the main area of exposure is likely to be a privacy breach.
Such a healthcare organisation may want to consider a claims team where a lawyer, rather than a loss adjuster, is the first claims contact, since engaging a lawyer from the outset helps preserve legal professional privilege over the initial response should a third-party claim develop. An organisation whose main concern is business interruption loss (a factory or transport operator, for example) is likely to be better suited to a loss adjuster as the first point of contact. Organisations may also have existing alignments or partnerships with third-party cyber security providers; certain underwriters will consider placing such a provider on their crisis management service team for specific clients.

Mandatory Breach Notification laws

Having been on the government's agenda since 2015, mandatory breach notification has been seen by many in the IT, security, legal and insurance arenas as a long time coming. Under the proposed laws, organisations subject to the Privacy Act 1988 (Cth) would be required to notify the OAIC and affected individuals should a serious data breach occur. Most businesses are subject to Privacy Act obligations, specifically those with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive data.

10 | Australian Security Magazine

This Bill increases the consequences of an already present and growing risk faced by all organisations: in the event of a breach, the affected company will face serious cost and reputational exposures. Significant pressure to protect personal and corporate data, and to maintain relationships and brand reputation, will be felt by companies regardless of the Privacy Amendment. Mandatory notification, however, amplifies the potential damage because:

1. Notified data breaches become instant public news. Not only may affected individuals disclose the breach on social media or web pages, but breaches will be reported in the mass media and recorded online in perpetuity.
2. Dedicated privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches.
3. Contractual counterparties will know about the breach and will be concerned about whether their confidential information has been exposed.
4. There is an increased risk of class actions brought by affected parties, or by litigation funders on their behalf, arising from a breach of data.

The Ponemon Institute indicates that, even without mandatory breach notification laws, companies face up to an 80% chance of losing nearly a quarter of their value in the single month following a significant breach crisis. These costs are only expected to increase once the above Bill comes into effect. The greatest value of cyber insurance lies in its application as an additional layer of protection, complementing the efforts of IT departments and other information security functions.
This is particularly effective where the residual risk cannot be reduced enough by further information security controls to justify the cost of those controls.

Conclusion

As the threat increases, so will the demand for cyber insurance. Discussion of the risk and of potential insurance requires input from the whole organisation, together with assistance from a specialised cyber insurance broker, given:

- The assessment involved in determining a suitable limit of liability.
- The intricacies and relative suitability of various wordings.
- The detail involved in submissions to underwriters.
- The risk to organisations and to directors and officers.
- Preferences regarding Crisis Management Service Team offerings; and
- Developments in legislation and their potential impact on directors, officers and the organisation as a whole.
In the next issue, we look at specific, yet hypothetical, scenarios and how a policy may or may not respond.