More and more the headlines are filled with names of companies that have been hacked and the reality is that this crime is no longer limited to governments and banks. Even loyalty programs and small businesses are finding that they can be a target, and whilst the technology age has brought with it so many benefits there are risks involved.
Stories of stolen personal information (including customer credit cards), stolen laptops containing client information, or a disgruntled employee downloading confidential records before leaving the company are becoming more common. There are also risks arising from internal errors or failure to follow information handling policies that cause accidental loss or disclosure. In fact, recent information collected by insurers has indicated that it is more than likely a staff member inadvertently allowed access that resulted in a cyber attack – for example, not logging off properly, not following guidelines on passwords, or just opening a link on a strange email without thinking. Statistics show in 2013, 1 in 392 emails contained a phishing attack* – cyber risks are now a people issue, not just a technology issue.
When it comes to a data security or privacy breach, it isn’t a matter of if it will happen, it is a matter of when, and what the consequences will be. Last year alone there was a 500% increase in ransomware attacks across the globe, with 552 million identities stolen – numbers too high to comprehend*.
All businesses collecting and/or dealing with personal information in Australia should review their privacy procedures to ensure compliance, and put in place risk management measures so that the financial impact of such a breach does not fall on the organisation.
There are protocols your company can implement to reduce and manage the exposure to your business. Though not an exhaustive list of the protocols that could be considered, the following, if implemented, would assist in risk reduction.
Have an Incident Response Plan – if you have a clear and concise plan you will be able to take fast action to contain a breach and minimise the financial and reputational damage to your company.
Appoint a Security Information Officer – network and data security is no longer the sole responsibility of the IT department. There should be an officer responsible for data protection, and this person should coordinate the organisation’s procedures and response.
Encrypt Data – with employees accessing the network via many different types of mobile devices (from mobiles to laptops), a breach can occur from simply losing a phone. If the data is encrypted and the device is lost or stolen, the data cannot be used, which will mitigate the potential exposure.
Have a Network Security Policy – A current and enforced network security policy should outline the organisational rules for appropriate use of an organisation’s computer resources. The policy should include strong password protocols, website access and usage restrictions and appropriate email usage.
Effect appropriate insurance – explanation below.
Cyber insurance policies to protect your business from the consequences of these types of attacks are becoming much more common, and are providing more protection to companies that may otherwise have had to incur the cost of the damage themselves.
Insurance is now available to protect you against these risks and provides cover for:
Third party coverage for:
First party coverage for Privacy breach costs including:
Scenario 1:
Profile | Large travel business |
---|---|
Background | The Insured experienced three separate data breaches over a three-year period in which hackers gained access to the Company's computer system. Over 250,000 individuals' credit card information and passport details were compromised. |
Policy response | Privacy Protection, Breach Costs |
Outcome | $1,750,000 paid for the forensic and legal costs in defending the investigation brought by the regulator and the cost of notifying the affected individuals including providing credit monitoring services. |
Scenario 2:
Profile | Online retailer |
---|---|
Background | The Insured's website was defaced to include a link to a competing retailer's website when hackers gained access to their customers' personal information and took over their website. |
Policy response | Cyber Business Interruption, Hacker Damage, Privacy Protection, Breach Costs |
Outcome | $800,000 was paid for loss of income and the cost of notifying the affected individuals, including providing credit monitoring services. |
Gow-Gates specialises in this type of risk placement, so if you believe that this issue is relevant to your business, please feel free to contact Rebecca Fleming, Account Manager of our Travel Industry Division at Gow-Gates Insurance Brokers on (02) 8267 9919 or rfleming@gowates.com.au to discuss your circumstances or to obtain a quotation.
Gow-Gates Insurance Brokers advises that persons should not act on the material contained in this article as the items are of a general nature only and may be misinterpreted. We therefore recommend that advice be sought before acting in these areas.
* Statistics provided by Chubb Insurance Company of Australia Limited