Product Fundamentals: Cyber Liability Insurance
What is Cyber Liability Insurance?
Cyber Incidents or Cyber Security Breaches are the “break and enter” of the 2020s. Unique to this crime is that it’s often difficult to judge the full impact of the breach until it’s too late. According to the Australian Cyber Security Centre, the average cost of cybercrime to a business in Australia is $276,000. The frequency of these breaches is also on the rise with 164 cyber crime reports made by Australians every day in 2020. That’s one every 9 minutes. Cyber Liability Insurance can help businesses manage the risk of these threats by covering losses arising from cyber related incidents and related claims.
The Australian Government is currently inviting submissions on a discussion paper focused on strengthening cyber security regulations which may include greater obligations on company directors and minimum standards for holding personal information. Importantly, it also includes amendments to legislation that would provide an avenue for victims of privacy breaches to bring claims for damages against businesses who have not taken reasonable steps to protect their personal information through implementing adequate cyber security practices.
Further to this, commercial contracts now often impose obligations on businesses to take out and maintain insurance for breaches of intellectual property and data loss. A cyber liability policy can provide comfort for today and tomorrow’s business climate and ensure you meet your contractual obligations.
Cyber liability insurers require policyholders to maintain a certain level of cyber maturity. Cyber security protections such as the implementation of multi-factor authentication, simulated phishing attacks and installation of the latest antivirus software are now mandated by many cyber insurers.
Company directors must turn their minds to mitigating against these risks to ensure their businesses are “cyber prepared”. This means a review of their network may be necessary, including its vulnerabilities, the impact to the business if the network is down and any response plans required i.e. policies, procedures and protocols.
In the current business climate particularly given the increased focus on remote work, cyber protection is increasingly important to the ongoing conduct of your business. The following measures should be considered:
- Review business continuity plans and procedures.
- Virtual private networks and firewalls should be up to date with the most recent security patches (see guidance for Windows and Apple products).
- Increase cyber security measures in anticipation of a higher demand on remote access technologies. Make sure these are tested.
- If you use a remote desktop client, ensure it is secure.
- Implement multi-factor authentication for remote access systems and resources (including cloud services).
- Maintain protection against denial of service (DoS) threats.
- Staff and stakeholders should be informed and educated in cyber security threats such as social engineering.
- Simulated phishing attacks on employees
- Staff working from home should have physical security measures in place. This minimises the risk that information may be accessed, used, modified or removed from the premises without authorisation.
Bellrock can oversee this assessment process with our specialist cyber partners to identify critical assets and vulnerabilities, undertake penetration testing and prepare a cyber maturity report to support a request for Cyber Liability Insurance.
What does Cyber Liability cover?
Cyber Liability Insurance provides cover for first party losses and third party claims as a result of a number of cyber-related incidents such as:
- Denial of Service (DoS) attack
- Malware/malicious code
- Computer virus
- Social engineering fraud
- Crisis Costs incurred immediately following a cyber incident for:
- Forensic computer specialists to investigate the cyber incident.
- Notifying parties whose data has been affected by the cyber incident.
- Legal advice to determine obligations under law and issue breach notices and reports to regulators.
- Public relation costs to minimise the reputational impact on the business as a result of a data breach.
- Costs to restore and replace your damaged computer hardware and programs.
- Loss of income as a result of the interruption or failure of your computer network that renders your business unable to operate.
- Social engineering fraud.
- Damages, legal costs and expenses to defend claims brought by third parties arising from a network breach, data breach or violation of their privacy.
- Penalties, fines and legal costs associated with a regulatory investigation or enquiry;
- Claims for defamation, breaches of copyright, intellectual property rights and plagiarism in the course of content published on a website or on social media.
Who requires the cover?
Cyber liability insurance is recommended to enterprise of all sizes.
There are onerous statutory obligations on organisations, such as health professionals and health service providers that store personal information and health information.
Commercial contracts across almost all industries now impose obligations on parties regarding their holding, handling, maintaining and rights of ownership of intellectual property.
Financial Services Licensees have statutory obligations under s912A of the Corporations Act (General Obligations) (the Act) which include the requirement to have adequate risk management systems.
In May 2022 the Federal Court of Australia found that compliance with the Act requires licensees to implement cyber security and cyber resilience measures to avoid exposing its clients (and those of its Authorised Representatives) to an unacceptable level of risk. The Court also found that the licensee defendant contravened the Act in that it failed to do all things necessary to ensure that the financial services covered by its Licence were provided efficiently and fairly, by failing to ensure that adequate cyber security measures were in place and/or adequately implemented across its Authorised Representatives.
Policy limit and excess
The policy limit is ordinarily for all costs and covered losses in respect of any one cyber incident or claim that is notified during the policy period. The policy limit may be inclusive of legal costs that are incurred in the defence of a covered claim. Where the limit is stated as such, it means that the policy limit will be eroded by those legal costs and expenses. Where the policy limit is stated as “cost exclusive” it means that the insurer will pay in addition to the policy limit defence costs and expenses.
Cyber Liability policies have both excesses and waiting periods. The waiting period is the period of time required to wait before losses claimed under the business interruption section of the policy can be claimed – it is usually 8 or 12 hours.
What is not covered by the policy?
Some common exclusions include:
- Known facts, circumstances and prior claims The policy will not cover any matter, fact, circumstance or claim that has been notified, or otherwise should have been notified in a prior policy period. Please refer to our article on claims made insurance here.
- Retroactive date The policy will not cover any conduct giving rise to claims, where that conduct happened after the retroactive date. You must ensure that the retroactive date is at a time on or before the date in which you first started providing your services. Again here the claims made nature of the policy requires the policyholder to have high regard to the retroactive date. The retroactive date will be set in the schedule – if it is not there, the policy wording, in particular the endorsements, should be checked.
- Intentional acts Cover is excluded for conduct by the insured that is wilful, fraudulent or deliberately dishonest.
- Contractually assumed liability
- Bodily injury and property damage These exclusions limit the insurer’s liability to indemnify for a claim that arises from or is connection with bodily injury or property damage. The exclusion often does not apply for claims for mental harm following a third party claim following a data breach/loss.
- Infrastructure outage The policy will not cover any claim arising out of any outage to electricity, gas, water, telecommunications or other infrastructure.
Some claims examples include:
- A complaint is made by a patient to the Privacy Commissioner after a pharmacist suffers a cyber attack and health information is misused or lost. A cyber liability policy will provide cover for the costs of notifying the affected individuals and the legal costs of responding to the investigation by the Privacy Commissioner.
- A large construction contractor received a fraudulent invoice for payments under a contract. The invoice was sent by a hacker who used an email address near identical to that of the invoicing party. The invoice was paid and monies lost. The policyholder sought cover under the Social Engineering extension of its policy to recover the monies paid to the fraudster.
- A real estate business suffered a malicious software uploaded to its network causing files with credit card and personal information to be accessed. The company was advised to notify all affected individuals and engage a PR consultant to manage reputational damage from the incident. These costs were covered under the Reputational Expenses extension of the policy.
- A law firm received a cyber extortion threat and malware attack on its computer network rendering all computers unusable until the demand of 0.5 Bitcoin was paid. Even after payment was made the malware was not removed. The policy provided cover under the Cyber Extortion section for the 0.6 Bitcoin; under the Crisis Costs section for IT specialists to rebuild the computer network and under the Business Interruption section for loss of income during the downtime.
Information needed to obtain a Cyber Liability quotation
- Employee Cyber Training Schedule and Reports.
- Incident Response Plan.
- Business Continuity Plan.
For personalised advice regarding Cyber Liability Insurance and to obtain a quote, please contact us via the form below.