Protecting your business from cyber risks can be a risky exercise in itself, with a whole host of legal and financial dangers lurking in the fine print.
Cyber insurance: what is it, do I need it and what does it cost? Those are just some of the questions around cyber insurance, interest in which is being driven by two key factors.
Firstly, the proposed changes to privacy laws. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 is currently before the Federal parliament. It provides for mandatory disclosure for certain breaches. Debate about this long-awaited and much-criticised amendment comes on the back of a high-profile data breach at the Red Cross Blood Service in October 2016, described as Australia’s largest security breach.
Australia has no effective equivalent to the comprehensive disclosure obligations imposed in the USA by HIPAA, which requires mandatory and far-reaching disclosure of breaches in the health industry. The Red Cross Blood Service had no legal obligation to contact those affected. In communicating with those whose data was compromised, it followed what is little more than a recommendation by the Office of the Australian Information Commissioner (OAIC). However, it appears to have done a good job of communication, providing comprehensive details to those affected as soon as the issue was detected (including one Loop staffer!).
The Privacy Commissioner has the power to impose significant fines and to make other orders regarding apologies to the 550,000 blood donors whose medical and sexual records were made public, but unlike other jurisdictions, such penalties are rarely used in Australia, where self-regulation and education are preferred to penalty.
Perhaps this outcome provides some justification for the OAIC’s softly-softly approach to enforcement.
The second driver for legislative change is the relentless growth of hacking and serious data breaches in the past three years. These can be disruptive attacks, such as the DDoS attack on the Census that brought IBM so much trouble in 2016.
We don’t hear much about breaches in Australia due to our current legal frameworks and the tepid enforcement approach taken by the OAIC. It is far from clear whether this will change under the new legal regime. The bill is complex with plenty of woolly definitions and layers of overlapping exclusions and exceptions that will have clocks spinning at law firms for some time before companies are able to determine what they must do to comply.
What is clear is that, if enacted, the new data protection provisions will impose more significant obligations on companies and government agencies to disclose information about breaches to those affected. Consumers feel this is a good thing, but most large organisations and, indeed, government appear more concerned at the extra cost and administrative burden of having to disclose. Further, a lack of clarity about exactly what should be disclosed, when and to whom will doubtless add confusion for some time.
This leads us to cyber insurance, which is seen as a way to protect businesses and individual users from IT security risks. Different types of policies are currently available for large and small firms, as each faces different levels of risk to protect against.
The pricing also differs. As an example, most ransomware attacks are focused on small and mid-sized firms (presumably because the success rate is higher). So getting compensation for resulting loss is increasingly of interest to smaller businesses. Smaller firms should ask themselves whether they would be better to invest the premiums in user-awareness training, newer technologies on the network perimeter and more sophisticated storage and backup regimes – particularly when examining the many exclusions and exceptions in the fine print of cyber insurance policies.
Most enterprises and large firms in Australia already have cyber insurance in place. These policies can be complex and there is often significant overlap with other policies. Many have substantial exclusion clauses designed to limit the circumstances in which the insurer will pay out. I suspect many executives and boards of directors do not fully understand the nature of the protection and the limitations of the policies they have purchased. They just feel more secure having bought one.
Common categories of risk identified in such policies include data breach, multimedia, extortion and denial of service. The costs covered may include rectification of the vulnerable environment through incident response, the costs of disclosure, lawsuits and other consequential loss.
Liabilities that are covered are sometimes categorised as third-party or first-party costs and damages. Third-party liabilities are losses incurred by a company other than the company taking out the policy. An example would be a managed security service provider that suffers a breach causing loss or damage to the data of one of its customers. Another could be an IT reseller installing a device in a customer environment in such a way that it allows an attack to occur. The apparent shortcomings in the DDoS protection in the environment created for the Commonwealth Census are an example of such an exposure.
First-party liabilities are those incurred directly by the insured company; for example, when a company is hacked and data is stolen. In such a case there may be different types of damage, such as the cost of replacing or recovering the compromised data, of notifying those affected or of repairing the environment or the data, and sometimes even damage to the reputation of the company. The Target breach in December 2013 in the USA was a good example of dramatic financial and brand damage resulting from an intrusion.
Technology service providers such as consulting firms or systems integrators as well as companies acquiring technology for their own internal purposes are both potential purchasers of cyber insurance.
Buyers need to look carefully at the risks they wish to protect and the insurance products that are available to provide cover.
Top buying tips
1. Carefully consider the risks the business wishes to protect against. Are they first-party or third-party liabilities or maybe both?
2. What level of cover is needed for the business activities being performed or the services being provided?
3. Investigate available policies. This is usually done with help from an insurance broker. But brokers have a vested interest in selling insurance.
Most companies already have various policies in place, so it is probably better to go to the incumbent broker or insurer for advice.
4. Understand the exceptions in the policy. Create a list of the circumstances when the insurer will not pay out. This involves a careful look at the policy document.
5. Understand the cost of the insurance. Can this be passed on as part of the cost of doing business? For example, consulting firms are finding that the costs of professional indemnity insurance are becoming a significant part of the cost of business as premiums increase.
6. Weigh up whether the costs of the policy offset the risks being covered, particularly if it is heavily conditional. In other words, is internal staff education and self-insuring a better option?
7. If dealing with IT suppliers such as vendors or resellers, should companies ask questions about the type of cyber insurance those partner firms have in place? This is a common practice in relation to some forms of insurance. Consulting firms and integrators are regularly asked to confirm the amount and nature of professional liability insurance they have in place. It is now increasingly common to see tenders asking questions about cyber insurance cover.
8. Consider if the policy covers new risks as well as existing or known risks. To use a medical example, it’s the difference between being covered for a pre-existing condition and a new ailment.
9. Investigate whether policy costs can be reduced if certain security controls and technologies are in place. A bit like the insurer that provides a discount if you keep your car in a garage or have an alarm on your house and deadlocks on the windows.
10. Determine if there is overlap with professional indemnity or other liability insurance that is already in place or is being considered.
Avoid the overlap
Care needs to be taken to avoid paying for the same cover twice. There is often overlap between professional indemnity insurance or other liability cover and cyber insurance policies. Aside from wasting money, having double cover for the same risks may result in invalidating one or both of the policies unless fully disclosed at the outset. Insurers are historically uncomfortable having a second firm or policy protecting against the same risks.
Exclusion clauses are the big issue in many cyber insurance policies. Because the risks that are being protected against are often difficult to predict and are in new and inherently complex areas, insurers go to some lengths to exclude risks.
Obtaining protection against fire or flood is straightforward. Companies and insurers understand these risks. In contrast, global security teams at both Verizon and Symantec agree that in 2015, 317 million new malware threats were released into the wild. That’s close to one million new forms of malware released every day of the year. Will a particular policy of insurance cover zero-day attacks? In other words, a new type of attack not previously seen and, as such, not referred to in any cyber insurance policy.
Intel Security’s ‘Grand Theft Data’ report concluded that 43 percent of data loss results from internal actors, of which 50 percent was intentional and 50 percent accidental (the Red Cross breach was in the accidental category). Firms considering cyber insurance need to understand how the policy they are looking at deals with breaches that result from employees or contractors. Are they covered or excluded? If excluded, then based on the Intel stats, this could exclude a large group of potential breaches from being covered.
Another tricky question: does cyber insurance cover pre-existing breaches the organisation doesn’t know about? Mandiant’s M-Trends report found that in 2015 the average time for a company to detect an advanced persistent threat on a corporate network was 146 days. This period has reduced in recent years as breach detection improves, but it is still a long time.
For potential purchasers of cyber insurance, this means they may be making declarations to the insurance company that there are no breaches in their networks when in fact a bad actor has been sitting inside for months. This raises questions: should they have known about the breach, could they have done more to discover it, what is their security posture and do they need to get a vulnerability assessment done before taking out the insurance? These can be difficult questions to answer.
Insurance law imposes heavy obligations on both insurer and insured to make full disclosure. The legal principle of “utmost good faith” applies. It is possible that a pre-existing intrusion, which the organisation was not aware of but should have been, may lead to a denial of cover.
What are the circumstances in which the insurer will refuse to pay out? The exclusion clauses are often far-reaching and difficult to understand. In many policies, the cost of the insurance is significant but the circumstances in which the insurer will pay out are narrow. Some of the most common exclusions and exemptions are:
Failure by the company to ensure employees and contractors are aware of security issues and the risks their behaviours can create for company and customer data.
Failure by the company to maintain an adequate regime to ensure basic security controls are current and are consistent with best practice.
Failure to disclose pre-existing risks that have been revealed in vulnerability assessments or penetration testing exercises but have not been fully or effectively rectified.
Cyber insurance policies have been around for more than a decade, but only recently have the threat landscape and the volume and sophistication of threats and threat vectors changed so dramatically that these policies are now being considered more widely.
Many cyber insurance policies are so heavily conditional that they are not a great investment. In many cases, they do not cope well with the rapidly changing nature of security threats and with the speed at which new attacks can be developed and released by bad actors. Many large companies feel obliged to obtain the cover, but it remains to be seen if they are getting real value.
Many suppliers of IT-related services and resellers of IT products in Australia are small firms. The value to these companies of the available cyber insurance products is questionable. This may change once we can determine the impact of the new data protection laws, should they be enacted.
Far-reaching disclosure obligations and tough enforcement regimes in other jurisdictions have certainly driven sales of cyber insurance. To date, Australia has had neither a tough data protection regime nor a tough enforcement approach, so the interest in such policies on both sides of the insurance contract has to date been lukewarm. It’s a case of watch this space.