24 Jun Common Misconceptions about Cyber Exposures
Common Misconceptions about Cyber Exposures
Cyber Insurance is designed to address the exposures businesses face when using the internet, email, websites, computer programs and in particular from storing private information about their clients and staff.
We often hear that businesses do not consider cyber insurance because they “don’t think they have an exposure”, or because “it won’t happen to them”. Dual Australia have put together some talking points in relation to those common misconceptions.
I don’t hold valuable data
Valuable data isn’t limited to intellectual property. It can be as simple as your employees’, suppliers’, and even your own personal details such as full name, date of birth, drivers licence number, Tax File Numbers and bank account details.
Most businesses will hold this information about their employees or suppliers as a minimum, meaning they are at a higher risk of being targeted for a cyber-attack.
If a cyber-attack were to occur and this valuable data is stolen it may be used by an attacker to commit identity fraud (such as taking out a loan in someone else’s name) or as the basis for a social engineering or phishing attack.
When this happens, an Insured may have to notify the Office of the Australian Information Commissioner (OAIC) as well as the individuals affected by the attack, that this information has been stolen. In this instance, an Insured may need to refer all affected individuals to a Credit Monitoring Facility. This will alert the individual when a line of credit has been requested to be opened in their name. An Insured may also incur legal fees to identify whether the attack meets the definition of a breach of privacy legislation based on the type of information ex-filtrated. Panel lawyers may also represent the Insured in claims made by affected individuals brought against them as a result of the breach. Additionally, the Insured may be liable to receive a fine from the Information Commissioner.
I don’t transact online
A business may not have a website, however, most businesses use a computer, a local network, or a server to hold electronic files and records.
A business may also do their banking online, or manage their invoicing, both of which may include sending and receiving personal or sensitive information. An Insured may also receive supplier invoices via email which can be easily accessed in the case of a system breach or cyber-attack.
According to a recent report from the OAIC, 35% of data breaches are the result of human error. For example, an employee may unknowingly forward an email containing malicious software. They may also accidentally send valuable and sensitive data to an unintended recipient.
The OAIC also notes that 59% of data breaches are malicious (criminal) via phishing, hacking, or deliberate malware attacks which only require an internet connection for a hacker to access an inadequately protected system.
Our data is safe in the Cloud
Did you know that a business is legally responsible for the information that is stored in their cloud, even if a hacker accesses the cloud via a third party?
A common example of this is a business’ outsourced IT provider. As a result of this a business may incur notification costs (to both the OAIC and the affected individuals), remediation costs and legal costs.
Data stored in the cloud can be accessed, copied, stolen or altered just as easily as data stored on a computer or a server. Once a breach occurs, the information in the cloud is still classified as ‘breached’ even though there may be multiple soft copy backups that mirror the information stored in the cloud. Even though the sensitive information has not been lost, it has been accessed by an unauthorized party, and is still subject to the relevant privacy legislation.
Depending on where a cloud provider is located, varying laws from different jurisdictions around the world may apply to the information held. In this instance, lawyers will need to identify which countries’ laws apply to which breach, and what breaches of that law have occurred. It doesn’t take many competing jurisdictions for this to add up to a very expensive exercise. Depending on the law that applies to the potential breach, there may also be significant fines and penalties against the Insured as a result.
Our IT employee / IT consultant will take care of it
Does your IT employee or IT consultant work 24/7? Most Cyber Insurance policies offer 24/7 emergency Incident Response services.
Does your IT employee or IT consultant then have the necessary IT forensic skills and qualifications to investigate this type of incident? A Cyber Incident Response Team is usually made up of individuals who have the experience and global expertise in these fields to help mitigate further loss, mediate complicated situations, and provide the best advice on what action to take next.
Our IT system cannot be breached
No system can be 100% safe.
The world’s most secure systems have been breached – i.e. FBI, Commonwealth Bank of Australia, Facebook and Sony. As these large corporations, who have the budget for high tech cyber security, are able to be hacked, then it is more than likely that a hacker will be able to hack an SME company. Criminals see these SME companies as quick and easy money given the low security measures in place.
Given the need for security, software developers are constantly issuing ‘patches’ to help reduce the number of hacks, however these may not necessarily help in all cases.
The OAIC has advised that 5% of breaches have resulted from a system error. This includes mobile phones, tablets or laptops being misplaced or lost in public places and in the event that these devices aren’t encrypted, they can be easily hacked. Should this happen, an Insured may be required to notify the OAIC and affected individuals, which can involve significant legal costs which may not be budgeted for due to the belief they are adequately protected against cyber and privacy breaches.
Don’t wait until it’s too late – click here to obtain a Cyber Insurance quote online in a matter of minutes.
If you have any further questions regarding Cyber Insurance and how it can protect your business, contact CRM Brokers on 1300 880 494.
Partnership with Stay Smart Online
CRM Brokers are proud partners of Stay Smart Online, an Australian Government initiative designed to help everyone understand the risks and simple steps we can take to protect our personal and financial information online.
Stay Smart Online also provide a free Alert Service to explain recent online threats and how they can be managed. Small business users are provided with easy to understand online safety and security information and solutions to help protect their online safety a privacy. Sign Up to the Alert Service: https://www.staysmartonline.gov.au/alert-service
This article provides information rather than financial product or other advice. The content of this article, including any information contained in it, has been prepared without taking into account your objectives, financial situation or needs. You should consider the appropriateness of the information, taking these matters into account, before you act on any information. In particular, you should review the product disclosure statement for any product that the information relates to it before acquiring the product.
Information is current as at the date the article is written as specified within it but is subject to change. CRM Brokers make no representation as to the accuracy or completeness of the information. Various third parties have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of CRM Brokers.