Is your business likely to be threatened by cyber risk? Absolutely. If you’ve got an internet connection, you’re at risk of an attack or incident that could potentially close you down or inflict financial damage. Small businesses aren’t exempt: over a third of global cyber attacks target companies with fewer than 250 employees. Every business needs cyber protection. That's where cyber liability insurance comes in.
Cyber liability insurance protects your enterprise from the financial impact of losing or compromising your own or other people’s information. This can take the form of personal or business data stored in your records.
Personal information includes date of birth, home address, tax file numbers, passport, driver’s licence, credit card or bank account details, medical or academic records.
Business information belonging to your business partners, suppliers, clients or customers is similar: it includes ABN or ACN numbers and financial details, the information that appears on their invoices or accounts receivable, and trade secrets or intellectual property.
If your business is hit by a cyber breach, the people or companies whose data has been compromised could sue you, and if you fail to notify the Office of the Australian Information Commissioner (OAIC) you could face penalties. By law, businesses, government agencies and not-for-profits with an annual turnover of more than $3 million must report incidents that involve other people’s data.
Smaller businesses that lose sensitive information, such as medical records, must also comply with notification requirements. And all businesses are under an ethical obligation to inform the people whose data has been affected, including, of course, your own employees.
Are you putting yourself at risk?
Loss of data can occur as a result of a targeted cyber attack or of human error, such as losing paperwork, a memory stick or a device, or failing to have adequate security on a device that’s used for both personal and business purposes. It can also occur if your network provider’s system is compromised.
Worryingly, many Australian businesses are unprepared for dealing with a cyber incident, and this is especially true for small to medium-sized enterprises (SMEs). Almost half the SME respondents in a recent survey by insurance company Chubb were unaware of their obligations under the Notifiable Data Breaches Scheme, only 40% thought that their revenue or sales would suffer and only 27% had cyber insurance.
Globally, cyber threats are rated as the number one risk businesses face, according to the 2020 World Economic Forum Global Risk Report. Added to that, cyber attacks are becoming increasingly sophisticated, prevalent and, in the case of ransomware demands, significantly more costly.
“Barely a day goes by without some form of cyber breach making the news. It is key that all businesses understand the cyber exposures they face and how best to mitigate against the threat of breaches that could be costly from both a financial and reputational perspective.”
Robyn Adcock, Gallagher Cyber/Tech Practice Leader
Impacts that affect your business internally can also be expensive, especially if an attack closes your systems down. You would suffer loss of income, you would probably need to hire an expert to save or retrieve your important data and you might need to engage damage control services to help limit loss of customers and reputation.
Interruption to normal operations represents a loss to any business because you have to maintain your running costs, and small businesses are particularly vulnerable because they typically have fewer resources to call on and may in fact be servicing loans.
Externally, if the people or companies whose information has been compromised bring legal actions for damages or negligence against you, you’ll have to pay the legal costs of answering the claim and any damages imposed, which could be crippling.
Most cyber insurance policies cover the costs of impacts to both your own business and external parties. Cyber insurance may be available as part of a business pack and exclude some risks or liabilities under its terms. A dedicated standalone cyber insurance policy is likely to be more comprehensive, offer higher caps on payouts and include provisions specific to containing and remediating a breach, and the costs involved.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.
Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312