“In recent years, the number of organisations taking up cyber insurance in Australia has been increasing. ... In the first half of 2021, there was a 23 per cent increase in the uptake of cyber insurance in Australia, ... an increase in the loss ratios for the product ... [and] insurers withdrawing from the market, limiting capacity, or introducing co-insurance requirements [and] making cyber insurance difficult to obtain.”
— Insurance Council of Australia “Cyber Insurance: Protecting our way of life, in a digital world” March 2022
Data security is one of the more unexpected compliance risks to have emerged in the last ten years. Despite ASIC’s continuing focus on cyber-security and licensees’ obligation to appropriately secure client data, it wasn’t until Australian Securities and Investments Commission v RI Advice Group Pty Ltd that Licensees woke up to the immediate, and ancillary, threat posed by data breaches and compromised networks. However, despite the growing awareness of cyber risk, there’s still a perception that it’s a low risk for most advice businesses and one adequately covered by Professional Indemnity Insurance.
Both conclusions are wrong.
Instead of labouring the point, or focusing your attention on s912A, we’ve invited Greg Hansen, Director of Professional Risks at Austbrokers Countrywide, to share his experience and insights.
Have you seen an increase in phishing and malicious cyber attacks?
Yes – Cyber Insurance is the fastest growing insurance product that we are offering and it is also the fastest growing area of claims being experienced by our clients. You only need to open the newspaper and every day there is an example of a company that has been hit by a cyber attack. The most common claims we see include cyber hackers locking the company out of their IT systems (so no access to anything, including email) and asking for a ransom to be paid before you will be allowed access to your systems again.
The latest one was a hospital, and they were offline for a month with doctors back to paper files, having no access to patients’ medical records!
Common claims also include phishing and broader social engineering fraud, where a hacker pretends to be someone else and tricks you into making a payment in the wrong direction. We have seen a huge increase in the sophistication used by hackers to steal money and/or data. Once inside your IT system and able to monitor your email, they can be very hard to detect. Hackers can pull out emails and change information (change bank details on legitimate invoices from suppliers, for example), which can be very hard for the end user to identify. The hackers are very good at impersonating others and manipulating payments. An example of something that would be very difficult to identify or control is if a hacker gets inside your IT/email system and starts corresponding with your customer base (pretending to be you). We have seen claims where the hacker was invoicing clients pretending to be the CAR of an AFSL Holder without the CAR or AFSL Holder being aware of clients getting these emails.
ICA 2022 “Cyber Insurance” report
Are you able to share a recent case with us?
How was the business attacked? Was there any downtime for that business? Did the business have to contact their clients? If so, how did their clients react?
I often advise businesses that purchasing a cyber insurance policy is the second step.
The first step is acknowledging that prevention is better than a cure!
I usually ask the AFSL Holder if they have obtained an independent report from a cyber security firm on the adequacy of their IT security and infrastructure. A good first step before spending money on insurance protection is to get an independent review done.
Has someone reviewed the systems you have in place, perhaps done some penetration testing and given you a report on minimum security upgrades the AFSL Holder should be looking at now?
Has Multi Factor Authentication (MFA) been implemented across all email and IT infrastructure (now a minimum requirement to even buy cyber insurance)?
Is there adequate firewall and virus protection software in place?
A good starting point is a cyber security firm auditing your systems, or an IT contracting firm with experience in cyber security looking at your systems and providing you with some advice. Once you get this done, and if in fact you have made some upgrades to your security, it is then a great time to purchase cyber insurance with a good risk management case to present to the Insurer. In essence, we can argue to the Insurer that the AFSL Holder treats cyber security seriously and here is the level of security that has been put in place: an independent review has been completed, and here is a copy of the report / the upgrades we have made.
What are the most common mistakes a business makes after they have clicked on a phishing email?
The most common mistakes a business makes are that they do not pay enough attention to cyber security, or they simply have not had it reviewed and systems upgraded.
They have vulnerabilities in their IT systems which could have been easily upgraded and fixed if they had conducted a proper review/audit from an IT security firm or someone with the expertise to review their systems.
Do not rely on your current outsourced IT provider to be coming to you – go to them for a thorough review and some advice.
We often find that AFSL Holders invest a lot of time and energy on ensuring compliant advice and ensuring checks and balances around the advice and compliance. However, they do not put in anywhere near the same amount of vigour around one of their most important assets – their data and IT systems, which are the engine running the business. It’s the data they hold which is often the vital asset that needs to be protected.
If you could encourage a business to make one small change today, what would it be?
The one small change is to get a review done of your systems. It does not need to be a hugely expensive exercise.
Talk to your IT provider about a review of the security measures in place and what recommendations they can make in terms of improvements.
The next step is to go and get a quote for cyber insurance. It is far more cost effective than buying PI insurance as an AFSL Holder.
When they look at Cyber insurance, what should people look out for?
I have attached a typical proposal form that Cyber Insurers want completed to obtain a quote.
Cyber Insurance Proposal
The proposal form in itself is a good risk management guide because of the type of questions being asked by the Insurers – if you are ticking yes to all of the questions they ask, then you are likely to be classified as a better cyber risk. We still get quotes with AFSL Holders saying no to a number of areas.
The proposal form helps you see what insurers ask in order to pick out what they see as the best risks getting the lowest premiums. Like all insurance products, the devil is in the detail.
For example, a cyber insurance policy that does not cover cyber crime (social engineering fraud/losing money to an online hacker) will attract a much lower premium compared to an insurance product that does provide cyber crime cover. The amount of crime cover being provided also impacts on the price (are you getting $50,000 crime cover or $500,000).
An Insurance broker competent in selling cyber insurance should be able to help you navigate through the coverage options.
Talk with Greg
Greg is a Director of Austbrokers Countrywide who specialises in the professional risks area, incorporating Directors & Officers Liability and Professional Indemnity insurance programs. He manages several Professional Indemnity schemes for National Associations and has extensive experience helping clients avoid pitfalls and understand the contractual liabilities which may sit outside their insurance program.
Connect with him on LinkedIn or email him directly.