The financial implications of cybercrime are significant. The average cost per cybercrime report has surpassed $39,000 for small businesses, $88,000 for medium-sized businesses, and exceeded $62,000 for large businesses—an alarming 14% increase on average.

“The Australian Cyber Security Centre reported receiving over 76,000 cybercrime reports between July 2021 and June 2022, equating to a cybercrime report every seven minutes.”

Even professional organisations with reasonably mature cybersecurity programs are not immune to cyber-attacks. In the past year, highly established organisations including Medibank, Optus, HWL Ebsworth and Woolworths have been caught up in substantial data breaches, and the list continues to grow daily. According to the Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022, 497 notifications were issued, up 26% compared to the previous period.

It’s interesting to note that the sources of data breaches were predominantly 350 (70%) malicious or criminal attacks, 123 (25%) human errors, and 24 (5%) system faults.

1. Financial Protection: Cyber Insurance provides a financial safety net in the aftermath of a cyber incident. This ensures that the organisation can continue its operations and recover without facing crippling financial losses.

2. Risk Transfer: Cyber Insurance effectively transfers the financial risk associated with cyber threats to the insurer. This means that in the event of a cyber incident, the burden of financial responsibility is shared with the insurance company, relieving the organisation’s balance sheet.

4. Reputation Management: Beyond financial aspects, Cyber Insurance can contribute to effective reputation management. Boards understand that a tarnished reputation can have lasting repercussions. Having insurance in place to cover public relations and reputation management costs is invaluable.

5. Risk Mitigation: Boards can actively participate in risk mitigation strategies by leveraging Cyber Insurance. Insurers often provide guidance on cybersecurity best practices and risk.

Cyber & Data/Privacy Risk Management has quickly become the most prominent exposures, especially in the financial / AFSL space where data breaches are unfortunately common.

We refer to the case against RI Advice who were found to have breached their license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

“ASIC is strongly encouraging all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

To become an attractive risk for insurers, organisations must demonstrate a mature and robust cyber risk management strategy. This includes implementing best practices, compliance frameworks, and ongoing monitoring to stay ahead of emerging threats. Having good governance, a well-defined cyber risk management plan, and adequate cyber insurance coverage are paramount. Organisations should establish policies, define roles and responsibilities, and ensure ongoing compliance with regulations. A comprehensive cyber risk management plan should be developed, regularly reviewed, and updated to adapt to changing threats . It is no longer the purview to say all security is managed by an IT Support Firm.

By embracing cyber cover must-haves and implementing robust cyber risk management strategies, organisations can strengthen their defenses and mitigate potential losses. Working with experts like KBI ensures access to tailored cyber insurance solutions and valuable guidance throughout the process. Don’t leave your business vulnerable to cyber threats—take action today to safeguard your digital future.

At KBI, our expert brokers understand the unique risks businesses face. We provide guidance, assist with the submission process, and offer a clear breakdown of available options when it comes to the insurance market.

Contact KBI today to discuss your insurance needs and secure a tailored program that safeguards your organisation.

• Remote Work Fueling Cyber Crime Threat
• Key Cyber Risks Businesses Are Facing Now
• Mitigating Your Cyber Risks & Cyber Related Business Interruptions
• Cyber Business Interruption – The Costs
• What Is Cyber Business Interruption Insurance?

• What Does Cyber BI Insurance Cover?
• How Is Cyber Business Interruption Loss Calculated?
• What might a Cyber Business Interruption Claim look like?
• Ensuring Your Policy Is Fit-For-Purpose
• Final Takeaways

In a survey by McAfee, two-thirds of responding companies experienced a cyber incident in 2019. The average reported cost for each company’s most expensive breach was over $500,000.

Since 2019, the rise of remote work has only fuelled the fire. According to the Australian Cyber Security Center, cybercrime reports rose 13% in FY2020-21. Head of the Australian Cyber Security Center, Ms Abigail Bradshaw CSC, commented:

A recent Open VPN poll supports this statement. Among respondents, 73% of VP and C-Suite level IT managers believed that remote workers pose a greater cyber-security threat than on-site workers.

Companies need to accept that they are constantly exposed to the very real and increasing threat of cybercrime, and that cybercriminals are proactively and constantly trying to find ways to attack unprepared victims.

In 2022, cybercriminals are more vicious and dexterous than ever before. And, as businesses trade static workstations for a more ‘fluid office’ the threat of cyber-attacks has increased exponentially. Today, even organisations with advanced security and firewall technology are at the mercy of cybercriminals.

Key cyber risks include:

1. Inadequate passwords:
It does not matter how secure your organisation’s secure infrastructure set-up is – humans are creatures of habit and their actions are easy to interpret. Weak passwords are an easy target for hackers. Passwords your staff should avoid include:

• Passwords based on easily traceable personal data (birth dates, anniversaries etc.)
• Passwords used on other platforms
• Feeble passwords for example digit/letter combinations.

2. Phishing assaults
Phishing is an older attack method – but, according to a 2021 report by CISCO Umbrella, it still accounts for almost 90% of all data breaches. In a Phishing attack, the user receives communication (usually an email) that appears to be from a source they trust. The email requests personal data like passwords or security question answers, which the email’s real sender can use to access sensitive information.

Like password-related hacks, phishing attacks take advantage of human error. What makes phishing so effective is that through the social distribution of links and files, victims often inadvertently propagate malicious content.

3. Malware
Malware, or ‘malicious software’, is arguably the most widespread form of cyber security threat. Malware causes systems to behave strangely. This includes preventing access to programs, deleting files, syphoning information to other sources, and infecting connected systems.

4. Trojan viruses
Trojan Viruses are a form of malware. They disguise themselves as legitimate, helpful software. But under the surface, they are harmful. A common ploy is to send a warning to a user saying that it detected malware in their system. They offer to scan your device, but the ‘scan’ it carries out is actually the transfer of malware.

5. Crytopjacking
A definitive sign of the times – Cryptojacking is the act of hijacking a computerised device and syphoning computing power from the machine without the official user’s knowledge. The additional power is usually used to mine cryptocurrency.

• Extortion
  When an organisation’s system is seized by threat actors, and money is extorted in exchange for the release of system functionality.

• Double-Extortion
  When cybercriminals deprive companies of data in addition to encrypting it, allowing them to dictate greater ransom demands.

• Ransomware-For-Hire
  There are syndicates-for-hire that will attack large enterprises for a big payout from a third party. These are well-organised crime rings with global networks, capable of attacking large enterprises.

• Supply Chain Attacks
  2021 saw a stark surge in attacks on tech companies. Experts believe it’s due to the appeal of attacking software code, and then launching an attack on the company’s vendors and customers, creating a chain reaction of malicious attacks, often with the intent to collect multiple ransoms.

The risks associated with these threats are different for individuals and businesses.

Password breaches: The scale of a password breach is generally larger for a business than an individual. An organisation-wide breach can compromise the classified data, personal information or even bank accounts of thousands of clients.

Phishing: The impact of phishing depends on what information is accessed by the hacker. Individuals tend to be targeted for identity theft, while businesses tend to be targeted for bank account access.

Malware: Malware can result in the total loss of company data, or company client lists with costs running into the millions.

Ransomware: Ransomware attacks are by far the costliest. And unfortunately, they are becoming increasingly more frequent. According to Coverware, in the first quarter of 2021, there was a 43% increase in the demands from cybercriminals, averaging an extortion cost of $220k. This cost is exclusive of productivity loss, loss of system and network access, data loss, damage to brand reputation, client loss and loss of revenue. Extortion costs aside, the IT manpower and hours required to solve these onslaughts, is enormous. They can easily take weeks, if not months, to resolve and run into millions of dollars.

The below chart shows cybercrime statistics for the 20/21 financial year. It is a good indication of how prevalent cybercrime is in Australia at the moment.

An attack related outage can cost your business thousands in lost profits and unexpected expenses. In a survey by McAfee, in 2019 the average length of a responding business’s longest cybercrime-related interruption was 18-hours. For more than 33% of respondents, attack-related system downtime cost between $100,000 and $500,000.

In 2017 the LA Times reported that a NotPetya worm attack interrupted business at Danish shipping company Maersk for two weeks at a cost of $200-$300 million.

According to Computer Weekly, a 2020 cyber-attack left Avon representatives in several countries unable to place orders. Parts of the Avon UK system remained down more than a week after the incident.

• Staff training: Security Awareness and Cyber Training can greatly reduce the vulnerabilities companies face, by creating awareness and helping staff carefully navigate possible pitfalls.
• Enforce cybersecurity policies: Organisations must implement strict policies and set a standard of behaviour when it comes to the safe use of cyber-based company assets. Cloud-based governance infrastructure can help to monitor and maintain sovereignty over the use and exchange of data.
• Inspect encrypted traffic: Encrypted channels are now commonly used by cybercriminals. Adopt cloud-native, proxy-based applications that can inspect, decode, detect, and prevent threats in all HTTPS streams, for each user.

• Up-to-date software: Apply software Patch Management, which ensures that all critical security updates are deployed to the endpoints within the network in a timely manner to address new vulnerabilities and fix them as they are discovered.
• Migrate to the cloud: Move your company’s operations to the Cloud to gain stricter control over network access and avoid locally stored assets. The cloud also makes limiting and granting access very simple.
• Develop a response plan: Prepare for the worst with the right business insurances. Speak to your IT service provider about a data backup and disaster recovery plan and build your response strategy into your overall business continuity program.
• Understand the cover your business needs: Whilst it is imperative to establish what your company’s risk status is, having a clear understanding of the different types of insurances is just as important to make the right choices. For example, having a Cyber Insurance policy is essential to provide Emergency Incident Response, Liability and Financial Loss cover after an attack, while Cyber Business Interruption Insurance exists as a breach response to make up for the income that could not be earned during the restoration period after an attack.

• Cover for stolen funds & lost data
• Costs to respond to and defend legal actions related to privacy or security breaches
• Costs related to restoring and re-protecting your computer systems
• Incident response costs and access to 24/7 emergency response teams
• Costs associated with investigating and notifying a data breach

In some — but not all — cases, your cyber policy may include business interruption cover, which is arguably one of its most important coverage sections. Similar to traditional loss events like fire or flood, having insurance to restore operations following a cyber event is only useful if the business is able to survive through the restoration period.

If your Cyber policy does not include cyber BI cover, it is strongly recommended that you either add it to your existing policy or seek an alternative policy with more comprehensive coverages.

Unfortunately, organising Cyber BI cover is not simple. As a new and evolving form of insurance, cover terms can differ from insurer to insurer, and understanding what is best for your businesses can be confusing.

➤ Loss of income
Covers the difference between your net profit and the net profit you would have earned without business interruption.

➤ Operating expenses
Covers ordinary operational expenses that you must continue to incur through the outage, such as rent and payroll.

➤ Additional expenses
Covers expenses incurred for the express purpose of reducing an outage-related income loss. For example, hiring a tech expert to put a workaround in place or paying customer service staff overtime to process sales by phone.

➤ Forensic expenses
Covers costs associated with investigating the source of business interruption.

➤ Contingent business interruption (also called dependent business interruption.)
Extends cover to situations where an attack on another company’s systems results in interruption to your business. The policy will usually require you to have a direct relationship with the company in question and would not extend to computer system failures among your customer base.

Some things worth noting are:

• Cover will not include delayed sales
  Not all revenue lost during a system failure is lost forever. If a system failure means that a customer comes back later to purchase, this is not considered an income loss.

• If there is no loss in revenue, you will not be able to claim for operational expenses.
  If your business generates a normal revenue during the outage, insurers expect you to cover your normal expenses. (If you incurred extra operational expenses to prevent revenue loss, you can usually claim these as additional expenses.)

• The length of time for which your insurer measures interruption loss will depend on your policy.
  Your policy may have a waiting period, a retention period, or limit cover to the period between when the outage occurs, and your systems are restored.

• Your policy may not cover at all if the interruption is too short
  Many policies will only consider a claim related to an outage over a set length. In our experience, the waiting period can be as small as 3 hours and as large as 72.

Example 1.

Situation:
Your website is hit with a distributed denial of service (DDoS) attack. The service DDoS attack takes your site offline for 24 hours. The next day your lines are so busy that many of your customers get sick of waiting and go elsewhere.

Your Policy:
You have Cyber BI cover with a 12 hour waiting period. You are not covered during the waiting period or for the first $5000 loss after. Cover extends until systems are restored.

Result:
The amount you are able to claim in this case is very limited. Your policy’s aggressive retention terms and short indemnity period, mean that you can only claim for 12 hours out of your 24 hour outage. And, you can not claim for residual losses over the next few days.

Situation:
Your employee opens a personal email on their work computer. Her private email account does not have the same security protections as the work email account. Her computer is infected by a ransomware virus that spreads across your network. The virus encrypts all files, and thieves demand a ransom for the encryption key. It takes two weeks to break the encryption and fully restore your systems. As a result of the outage, a major supplier triggers the cancellation clause in an exclusive supply contract.

Your Policy:
You have business interruption cover with a 12-hour wait period. There is no retention period or dollar retention. Cover applies under the policy for 30 days after systems are restored.

Result:
You will be able to claim for losses during the entirety of the outage. You will also be able to claim residual losses for the next 30 days. However, if it takes more than 30 days to replace the contract you lost, there will be some out of pocket loss.

• Make sure you know all the options available on the market
• Explain the differences between cover types — including how they might affect a claim
• Provide targeted advice based on your business requirements
• Speak to insurers on your behalf to ensure optimal policy terms
• Support you in the event of a claim

•  The rise of remote work is making businesses more vulnerable to cyber-attacks.
• A broker can give you a clear picture of the cover available, explain each cover option to you, and help you make sure that the policy you end up with is the best one for your needs.
• Businesses should be aware of the key risks they are facing.
• Businesses should mitigate risk wherever possible.
• Cyber insurance, including Cyber BI cover, is crucial for businesses in 2022.
• Choosing a cyber policy is difficult because policies vary significantly from insurer to insurer.
• To get your Cyber BI cover right, KBI recommends engaging a specialist broker.

Should you need more information on Cyber Security, please contact the CT Group team on 1300 434 237 or email solutions@ctgroup.com.au

• Is cover limited to cyber events? What about general IT outages?

➤ In most cases, cover is limited to a privacy or security breach. But, there are some situations where extended coverage is available for other outages.

• What period will my Cyber BI policy cover lost profit and additional expenses for?

➤ Your insurer will only be responsible for covering lost profit and additional expenses for the period agreed on in your policy. This period differs significantly from insurer to insurer, and the option you pick can drastically affect your position in the event of a claim.

Some typical timeframe based limitations include:

• A waiting period before a claim is eligible: Your policy may exclude cover for interruptions that do not last longer than a specified number of hours (or sometimes days.)
• A waiting period before losses are eligible: Your policy may exclude all cover for losses that take place in the waiting period and only calculate loss from the time the waiting period ends.
• Cover ends when systems are restored: Your policy may consider a business interruption to be over as soon as systems are restored. If your policy limits cover this way, it will prevent you from claiming for residual effects of an outage—for example, the revenue lost in the days following an outage due to disgruntled customers.
• Cover ends a set number of days after your system is restored: Some policies cover losses for a period of time after systems are restored. This allows you to claim for the residual effects of a business interruption. Still, there is no guarantee that cover will last long enough to support you until you return to normal income levels.
• Cover until income is restored: Some policies include cover for the entire period of income loss. This is the most comprehensive option available but usually also the most expensive.

• Do businesses have to cover a portion of their own losses?

➤ Many policies expect the insured to cover a portion of losses. This can be called the retention, excess, deductible, or waiting period, and it might be defined as losses within a period of time, a dollar amount, or both. Like most things in Cyber BI insurance, retention details vary significantly from policy to policy.

Common Cyber BI retention terms include:

• No cover for losses and expenses incurred during the waiting period
• No cover for the first $X of losses and expenses
• No cover for the first X hours of interruption
• No cover for losses and expenses incurred in the waiting period and for the first $X of losses and costs incurred following

• What retention period and cover timeframe is right for me?

There is no one-size-fits-all rule. The type of cover that is right for you will depend on many factors, including your operations, your operating costs, your cash flow, the complexity of your systems, and your core vulnerabilities. In our opinion, the best option is always to consult an expert broker.

Even among companies in the same industry, needs can vary:

Take a 24-hour outage for an online store. Some stores are confident that customers will come back the next day, while others are not. Some stores will lose a single order per customer, while others will lose months of subscription or follow-up purchase income.

The Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.

A 2021 IDC survey suggested that 43% of Australian businesses would “probably pay” a “widespread ransomware attack” that “significantly hampers” operations, even if insurance was not in place

ii. There are other effective ways that insurers can encourage businesses to take cyber protection seriously.

Several other ideas mentioned in the CSCRC’s report encourage businesses to step up their cyber policies without removing insurance protection. Examples include requiring businesses to meet a minimum cyber security standard before having insurance, offering insurance premium incentives for solid security practices and providing free risk assessment tools.

The Ransomware Action Plan makes it clear that the Australian government does not condone ransomware payment. But it does not go as far as making payment illegal.

For many businesses paying a ransom demand is the only realistic option available. This includes organisations who fail to recover their systems in other ways, who are at risk of bankruptcy unless they take immediate action, and who experience attacks on systems critical to the immediate personal safety of their staff or customers.

• The Australian Government is taking action against ransomware attacks.
• The CSCRC has suggested that their plan include major changes to cyber security insurance.
• The CSCRC recommendation for a ban on ransomware payment cover has met with objections but may still be implemented.

• In any case, we advise businesses to step up their cyber security practices, talk to their broker about insurance cover & make a solid plan for ransomware attacks.

To talk to a broker, or find out more about cyber insurance, visit our cyber insurance page.

• Q3/Q4 had 446 reported breaches — down 16% from Q1/Q2.
• Malicious or criminal attacks caused 65% of reported breaches. Of these, 66% were cyber incidents.
• Human error was the second-highest cause of data breaches. It accounted for 30% of breaches reported.
• Health service providers reported the highest number of breaches (19%), followed by the finance & superannuation industry (13%.)

• The overall reduction in breaches included a 34% drop in human-error breaches and a 5% drop in breaches caused by a malicious or criminal attack.
• However, two types of malicious or criminal attack related breaches are on the rise. Ransomware incidents increased by 24%, from 37 to 46. Breaches caused by social engineering or impersonation fraud increased slightly, from 34 to 35.
• Following the report, the OAIC issued a press release highlighting ransomware attacks and impersonation fraud as causes for concern.

• Protect themselves adequately from privacy threats.
• Have systems in place to quickly identify breaches.
• Have appropriate incident response plans.

This expectation extends to the threat of ransomware attacks and impersonation fraud. The Australian Information Commissioner and Privacy Commissioner Angelene Falk says:

We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware.

Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.

• Multi-factor authentication.
• Automatic account holder notification for failed logins and personal information updates.
• Appropriate audit and access logs.
• An appropriate incident response plan.
• Possible early-stage forensic analysis from a cyber security expert following a ransomware attack.

This is part of the reason that KBI’s lead cyber insurance broker Tyler Speers recommends pairing robust privacy protection measures with an equally robust cyber insurance policy:

Given the growing risk of ransomware and impersonation fraud, Speers recommends that all businesses who hold personal data seek cyber insurance. He also suggests that businesses with an existing policy have a proactive conversation about risks and cover requirements with their broker.

• Ransomware and impersonation fraud is a growing threat
• Businesses should look to improve privacy protection measures and have a plan in place for cyber attacks.
• Businesses should speak to their broker about the financial risks associated with a cyber attack and the possibility of transferring those risks to insurance.

2. Multi-Factor Authentication for Devices and Applications

3. Automatic Updates and Patching

4. Daily Backups

6. Device Security

7. Lost or Stolen Personal Device Procedure

8. Social Media Security Policies

We’ve all seen them – an email asking you to pay an invoice or change bank details from an apparent client or trusted individual. These schemes (phishing) are getting much better all the time, so it’s important to put procedures in place to mitigate against these losses, even when it’s near impossible to identify the fraudulent emails from the legitimate ones.

A call-back procedure is when you verify requests to pay an invoice for the first time or alter bank details by calling a trusted person at that company.

Step 1
You have received an email/call to pay a new invoice or set-up/update payment information. This includes setting up a new supplier/vendor/other or making any changes to their payment details.

Step 2
Verify the request before taking any action by calling a trusted representative of the company directly to confirm that the request or the payment information is accurate and came from them.

It is simple to get started and most systems have this functionality already – you’re probably already doing it for a lot of them. The standard way of doing this is by making it so you need both a password and SMS code to login to an account or system.

• Combination of passwords and other authentication methods for devices and applications (i.e. SMS codes, keycard, facial/fingerprint recognition).

Australian Government – Implementing Multi-Factor Authentication

Software updates are more than the glamorous changes to the operating system on your phone – software companies (Microsoft, Apple) use “automatic updates” as bug fixes and security patching to ensure security is up to date and any errors or holes are fixed as soon as possible. By turning on this feature, your devices and applications will automatically update to keep your device/network secure.

Australian Government – Step by Step Guide: Turning on Automatic Updates

• Monitor privacy settings for frequently used applications (i.e. social media)
• Automatic screen lock so a device is not accidentally left open and easily accessible.
• Unique passwords that are updated regularly.

• Antivirus software that is kept up to date (don’t ignore those update reminders!)
• Avoid free wireless networks for business devices or applications. This includes using your personal device for work applications (i.e. email while travelling) because free wireless networks are an easy way for cybercriminals to hack into your systems.

• Wiping data from a stolen device. Most devices have this function already – if a device is stolen, it is reported and then all data is wiped from the device. This may seem like drastic measures, but if you have backed everything up then you won’t actually lose much – but it prevents someone else from accessing your data.

• Ensure the device is backed up so the data is not lost with the device.
• Ensure any ‘find my device’ function or the ability to encrypt the device are activated, as these measures can provide additional security in the event of it being lost or stolen. It can also help get the actual device back

• Limited number of authorised users have access to company social media accounts;
• System in place to immediately revoke user access if they are no longer at your company;
• Outline what can and cannot be posted on company social media accounts;

• Outline the process for responding to complaints or inappropriate comments;
• Process for regaining control of hijacked company social media accounts, which can be facilitated with the help of your IT provider;

This article from the Australian Government provides some useful tips for social media security policies:

Australian Government – Security Tips for Social Media

However, it is important to remember that your home computer likely does not have the same level of cyber security in place as your work equivalent. Savvy businesses will always have some form of cyber security measures in place to protect important files and to keep criminals out.

Over half of all employees across the globe are now working outside their main office for at least 2.5 days per week. Over 80% of employees asked said they would always choose a job with remote working opportunities over one that had none. 85% claim that productivity has increased due to the flexibility provided by remote working. However, despite all this, almost half of businesses are concerned about data security in relation to remote working.

However, it would be a mistake to treat your home computer any differently from the one you use within the office setting.

You probably do not risk entering unknown third-party sites, especially when warned against doing so by your antivirus system. You should be taking these same exact steps when working from home. Remember, it isn’t just your personal system you are putting at risk, but the company servers too.

If they successfully find a route in via your connection, they may be able to access all kinds of sensitive information, causing as much damage as they like in the process.

Here is our 10-point guide for simple steps to set up your own policy:

2. Don’t use the same password for work and personal accounts

3. Set up Two-Factor Authentication (i.e. password and phone number)

4. Use antivirus software

5. Install patches and updates (i.e. automatic updates)

6. Partake in training on identifying phishing email scams

7. Regularly back up your data

8. Make sure that all communication is encrypted

9. Make sure that your Wi-Fi router is secure

10. Use a Virtual Private Network (VPN) connection

** This claims example has been provided by Chubb Insurance Company of Australia Limited **

This type of scenario triggers multiple Insuring Clauses under a typical Cyber Liability Insurance policy, including privacy fines and investigations.

Several of the affected individuals began legal proceedings against the retailer. The notification costs and credit monitoring costs totalled $50,000, and the amount to settle the legal proceedings with the retailer’s customers combined with the associated legal costs and expenses totalled $100,000.

** This claims example has been provided by Chubb Insurance Company of Australia Limited **

** These claims examples have been provided by AIG Australia Limited, Chubb Insurance Company of Australia Limited, and Insurance Australia Group Limited **

This coverage is also often misunderstood and lumped under the term “Cyber Crime” – this is incorrect. Cyber Crime is a very broad term that can include sections that are almost always automatically covered, such as Cyber Extortion. Social Engineering has recently been defined more adequately as Funds Transfer Fraud, which is the fraudulent transfer or theft of funds caused by instructions made by a person purporting to be an authorized employee, outsourced provider or customer of yours. This also covers off the definition of “phishing”, which would be included in this section.

• Electromagnetic Discharge
  The existence, emission or discharge of any electromagnetic field, radiation or magnetism that allegedly or actually affects the health, safety or condition of any person or environment, or that affects the value, marketability, condition or use of any property.

• Power Failure or Core Internet Infrastructure Failure
  Excludes claims caused by power outage, or any other failure to a system, infrastructure, or network where you have no direct control.

• Product IP & Patent Infringement
  Excludes acts that cause the infringement or misuse (among other things) to any patent or patent right.

• Unsolicited Communications and Data Collection
  This excludes claims for unsolicited emails, phone calls, or other correspondence which breaches the applicable legislation. This can sometimes be written back into the policy through the Privacy and Cyber Security coverage section if it occurred due to a network compromise.

** The above are general examples only; each insurance policy is different and standard exclusions may apply. Please read your PDS and contact your insurance advisor to review your specific policy. **

• Contractual Liability
  Unless this has been specifically added to the policy, coverage is excluded for any obligation you have entered into under a written contract. However, this exclusion does not usually apply to liability you would have in the absence of a contract.

• Insured versus Insured Claims
  There are many variations to this exclusion, but the main purpose is to not cover a dispute between insureds and/or the company.

• Prior & Pending Exclusion
  States that the policy will not cover any pending or prior litigation involving the Company that has begun before the Prior & Pending date of the policy.

• Sanctions Exclusion
  Excludes claims where cover, payment, service, benefit and/or any business or activity would violate any applicable trade or economic sanctions, law or regulation.

• Bodily Injury/Property Damage
  The policy will not respond to a Bodily Injury & Property Damage claim as this exposure is typically covered by a Public Liability policy. This exclusion usually has a write back (gives coverage back) for Defence Costs, Employment Related Wrongful Acts and Security Claims.

• Retroactive Date Exclusion
  This excludes any wrongful act committed or alleged to have been committed prior to the inception of the policy. This is a way for insurers to exclude past acts and make the policy only forward looking.

** The above are general examples only; each insurance policy is different and standard exclusions may apply. Please read your PDS and contact your insurance advisor to review your specific policy. **

• Incident response costs and 24/7 emergency hotline – the people you call when a cyber incident has occurred;
• Notifying third parties about the data breach, including mandatory notification (i.e. mandatory for companies with a turnover of $3M+) and voluntary notification to clients, service providers or otherwise;
• Performing computer forensics to determine the existence, cause, and scope of a network compromise or data breach;
• Public relations costs associated with mitigating any reputational harm; and
• Providing credit or identity monitoring and identity protection for those individuals whose personal data was or may have been breached as a result of a network compromise or data breach.

• Loss, theft or failure to reasonably protect personal data or confidential business information;
• Violation of privacy laws or data breach reporting requirements;
• Failure to implement adequate privacy or network security practices;

• Negligence resulting in a failure to prevent a network compromise that results in:

1. Damage or loss of use to a third-parties computer system or data; and
2. Transmission of malware or a denial of service attack to a third party;

• Failure to comply with your privacy policy and/or privacy notice.

• Libel, slander or any other defamation or harm to a third party;
• Copyright infringement, intellectual property rights infringement, plagiarism or misappropriation of property rights;

• Misstatement or misrepresentation under the terms of the Competition and Consumer Act;
• Infliction of emotional distress or mental anguish; among others

There will be certain steps the IT team (yours or the one nominated by the emergency response team) will take to restore your system’s security and resolve the breach; this can include:

• Removing access to internal systems or changing passwords if a user’s account details have been compromised;
• Taking parts of or your entire system offline;
• Implementing temporary firewalls;
• Blocking traffic to your website; or
• Transferring important files to a secure location.

This can be a complicated process, which is why it’s important to have access to the specialists who can handle the situation appropriately and mitigate the problem before it potentially gets too severe.

• A plan to restore systems to normal operation
• A process of continual monitoring to confirm that the affected systems are functioning normally
• A plan (if applicable) to remediate vulnerabilities to prevent similar incidents.

This is something your IT team should be able to assist with.

• Communicating with Clients & Service Providers:

This depends on the impact of the cyber incident – sometimes the event doesn’t warrant communication with these parties, in which case it is usually best practice to skip this step. Alternatively, communicating with these parties can be mandatory in certain scenarios and/or vital to your business. It is important to identify which of these options apply to your business, which is where your emergency response/crisis management team can assist.

If you are going to communicate with these parties, we recommend you wait until you have enough information to pass on a complete message to help avoid miscommunications and misunderstandings.

• What happened and why did it happen?
• What systems/services are affected?
• What steps are being taken to resolve the situation?
• Is it possible to say when the situation will be resolved?
• What are external stakeholders expected to do?
• Who can external stakeholders contact if they have questions/concerns?

Depending on the size of the cyber event and your business, it may be worth appointing a public relations firm to assist with the communication step.

• Communicating with Regulators:

Certain rules & regulations around mandatory notification of privacy breaches may apply to your company. We recommend you know when to notify before any breach occurs, as you could face fines & penalties if you don’t notify within a specified time period.

• Don’t rely on digital make printed copies of your response plan, including important contacts (emergency response, IT provider, insurance broker);

• Prepare your employees on what to do if a cyber incident occurs knowing what to do and acting quickly is integral to preventing or reducing a loss;

• Give team members specific roles and responsibilities to respond to a cyber incident;

• Educate employees on how to identify a cyber event.