Australian Security Magazine, Oct/Nov 2017

Page 8

Cyber Page for ACSM & AISA Cyber Security

PART II

Cyber Insurance: A Buyer’s Guide

By Mark Luckin

Part 1 of Cyber Insurance: A Buyer's Guide (covered in Issue 2) gave us an introduction to the basics of cyber insurance. Part 2's intention is to delve deeper into some of the more important aspects of tailoring coverage to organisations, service team offerings and submissions to underwriters. We further look into policy response and its importance with respect to the upcoming mandatory breach notification laws.

Tailoring coverage and the limit of liability to an organisation's associated risks and exposures

Whilst every organisation is exposed to cyber risk, the consequences vary across industry and business size. When considering implementing a cyber insurance policy as part of an overall cyber risk management strategy, organisations need to keep in mind that the policy provides both first-party and third-party protection as well as business interruption loss protection. Ultimately this translates into immediate and slow-burn costs, which need to be taken into account when considering the most appropriate limit of liability. Organisations should be encouraged to consider that beyond the immediate investigation costs, notification costs (see Mandatory Breach Notification Laws), business interruption costs, fraud costs, extortion costs and remediation costs, there is potential for consequential third-party litigation expenses, regulatory fines and penalties, customer loss and loss of revenue ("slow-burn costs"). Estimating the potential cost of a breach to an organisation by considering only immediate costs could lead to a significantly inadequate limit of liability. If this approach is taken, an organisation may find itself with no protection available for the associated slow-burn costs. A proper assessment of the full potential impact of a breach or unauthorised access should be undertaken.

With respect to coverage, whilst there are emerging structures that most cyber insurance policies adhere to, there are nuances in policy wordings that, if not addressed, could have a substantial impact on an organisation should a claim or potential claim occur. Two examples are outlined below:

• The definition of a computer system may vary between insurers: some include only systems under the care, custody and control of the insured, while others also include systems owned by outsourced providers that store data on behalf of the organisation. This may have a significant impact should a breach of personally identifiable information (PII) occur through the third party as, under Australian law, the organisation may still be liable for the breach despite the outsourcing. Organisations outsourcing storage of PII could potentially be uninsured, should the correct policy

