ABOUT US
>> We are one of the largest insurance brokers in the world.
>> We have over 180 years of history and experience in insurance; we currently operate in over 400 offices in nearly 120 countries, with a global team of approximately 17,000 Associates serving clients in some 190 countries.
>> USD 32.2 billion of global premiums placed through worldwide markets.

ANY COMPANY THAT STORES PERSONAL DATA, OR IS RELIANT ON COMPUTER OR TELEPHONE NETWORKS, DIGITAL INFORMATION OR THE INTERNET, FACES CYBER EXPOSURES
WHAT ARE CYBER RISKS?
Today, using computers and logging on to public and private networks has become second nature in both our personal and business lives. We are all constantly producing and saving data, surfing the net, uploading content and sending and receiving traffic. It is difficult to recall how we were ever able to manage without such technologies and the benefits they bring. However, in creating this new digital world we have also created a by-product: Cyber risks.

Cyber risks are faced not just by e-commerce companies and those undertaking transactions over the internet, but also by companies that store personal data, are reliant on computer or telephone networks, hold digital information or use the internet. In short, just about every business is faced with Cyber risks. The statistics are concerning:
>> Approximately 14% of Australian businesses experienced computer security incidents in a given year [1]
>> From cyber crime alone, estimates of losses to Australian businesses range upwards from $595 million [1]
>> Half of all companies that suffer data breaches from a cyber attack have fewer than 1,000 employees [2]
>> In Australia alone in 2010 and 2011, 2.95 million cyber attacks were detected, originating mainly from Canada, the US and China [2]

Meanwhile, there is growing attention afforded to privacy rights, particularly after the media hacking scandals in the United Kingdom. For instance, the Commonwealth Government is currently inviting comment on the Australian Law Reform Commission's recommendation to introduce a statutory cause of action for serious invasions of privacy. We note that Australia already has significant privacy protections in place under the Privacy Act 1988 (Cth).

Further, the Australian Privacy Commissioner has recently signalled a tough new approach to dealing with serious privacy breaches, indicating a preparedness to use its powers under the Privacy Act to direct how privacy complaints are resolved, and to publish its investigation reports. The Commissioner also foreshadowed the possibility of stronger powers being afforded to him, including the ability to impose civil penalties and accept enforceable undertakings. In light of the growing crime trends, combined with an increased focus in Australia on individuals' rights to privacy, it is timely to consider whether your business is adequately protected for its cyber risks. Some of the core Cyber exposures include:

>> BREACH OF PRIVACY
Anyone that stores personally identifiable information is exposed to data breaches. Data breaches may occur from a hack, a disgruntled employee or even a lost laptop. This is the most common form of loss incurred under a cyber liability insurance policy, and the quantum of the losses incurred can be significant. For example, the costs incurred by Sony when hackers gained access to 77 million of its customers' accounts were estimated at over GBP 109 million, excluding compensation claims by customers [3]. However, even absent criminal activity, data breaches can occur, resulting in the potential for significant costs to be incurred by organisations in the reporting and managing of such breaches, along with the potential for reputational damage.
Two recent Australian incidents highlight this well. In 2008 Telstra Corporation Ltd was undertaking a mail-out to a number of its customers. Unfortunately, it sent out 60,300 letters containing account information belonging to other customers. Telstra attributed this to a mail merge error. Telstra was subsequently investigated by the Privacy Commissioner and, of its own volition, took a number of positive actions, including notifying affected customers. Another example is the Vodafone breach, which media reports suggest involved losses to Vodafone of several hundred thousand dollars, even though the Privacy Commissioner eventually found that no personal information had been disclosed in breach of the National Privacy Principles, as had been alleged. This incident related to media reports and allegations that Vodafone had customers' records publicly available on its website.

SOME OF THE LARGEST BREACHES THAT HAVE OCCURRED HAVE COST COMPANIES UPWARDS OF AUD 160M

As can be seen above, breach of privacy is a key cyber risk, involving the potential for significant internal costs along with liability to third parties as a result of a data breach, which can be accidental or a result of cyber crime.

>> NETWORK DOWNTIME
Most companies are reliant on networks, whether it's the network that interconnects various company sites, enterprise private networks or the critical backbone network that deals with network performance management and network congestion. Network downtime can be caused not just by malicious hacks such as a Denial of Service (DoS) attack, but also by operational failures involving software and hardware, both of which can have a significant financial impact on a business.

>> MULTIMEDIA RISKS
Social media is now a key marketing strategy utilised by companies. However, User Generated Content (UGC) and the posting of unlicensed content have caused a dramatic increase in online defamation claims and intellectual property infringement claims. The use of such sites requires additional infrastructure and maintenance resources to ensure the appropriate defensive layers are in place to protect the company. Monitoring of chat rooms is not always possible, and reliance on self-regulation by the audience is a dangerous strategy. Also, pre-screening is not possible on Facebook and Twitter, so the minimum fallback must be relevant staff training.

>> CYBER EXTORTION
Cyber extortion is a crime involving an attack, or threat of attack, against a company, coupled with a demand for money to stop the attack. There are various types of Cyber extortion, but originally DoS attacks were the most common method. More recently, Cyber criminals have developed ransomware that encrypts the target's data; the attacker then demands money for the decryption key. The probability of prosecuting the criminals is low because criminal gangs usually operate from countries other than those of their target. Cyber extortion is big business, with criminals earning millions of pounds annually, yet the majority of Cyber extortion episodes go unreported because victims do not want the publicity.

Notes
[1] The Australian Business Assessment of Computer User Security: a national survey, Australian Institute of Criminology Research and Public Policy Series
As advised by Chubb Insurance Company of Australia Ltd.
3
CYBER INCIDENTS / CLAIMS SCENARIOS
The table below looks at some of the most common types of Cyber claims and highlights the associated costs that companies could face as a result. Each entry gives the industry, the scenario, the type of costs incurred and the cover that responds.

Retail
Scenario: A hacker accessed the retailer's network and stole 15 million customers' personal details.
Costs incurred: The retailer incurred significant costs to deal with the breach, including forensic costs, notification costs, fines and credit monitoring costs. Liability claims followed.
Cover: Privacy/Network Security Liability; Privacy event mitigation costs; fines.

Hotel
Scenario: A hotel group's point of sale network was hacked into and 6 million customers' credit card details were taken.
Costs incurred: The hotel experienced high forensic costs to isolate the hack. Additional costs included mandatory notification costs and fines. The hotel offered all of the individuals 2 years of credit monitoring service. They also received liability claims for damages from the banks.
Cover: Privacy/Network Security Liability; Privacy event mitigation costs; fines.

Airline
Scenario: An airline received a Distributed Denial of Service (DDoS) attack, bringing down its online sales platform for 48 hours.
Costs incurred: The airline experienced a significant loss of revenue during the network downtime plus increased costs of working.
Cover: Non-physical business interruption.

Media
Scenario: The media company utilised content on its website without obtaining the appropriate licences.
Costs incurred: They were successfully sued for over AUD 1.5M for copyright infringement.
Cover: Multimedia Liability.

Financial Services
Scenario: An employee of a financial services company left a laptop in a public place containing the personal financial details of its clients.
Costs incurred: Costs included the hire of a PR firm, notification to all of the customers affected, set-up of an ID theft/credit alert service call centre and credit monitoring services.
Cover: Privacy/Network Security Liability; Privacy event mitigation costs.

Gaming
Scenario: A hacker threatened to take down the private network of the gaming company unless they paid him AUD 8M.
Costs incurred: Investigation costs to identify the threat plus the extortion demand amount.
Cover: Cyber Extortion.
WILLIS FINEX CYBER COVER
Willis FINEX, in conjunction with key Cyber insurers, has developed a market-leading Cyber Insurance solution:

>> PRIVACY PROTECTION
1. Liability to third parties for damages and claims expenses as a result of a privacy breach.
2. Legal costs in defending regulatory proceedings for privacy breaches.
3. Liability for fines imposed as a result of privacy breaches (case by case basis).
4. Notification expenses to notify victims of privacy breaches.
5. Forensic costs to contain a breach and carry out the necessary forensic audits following a breach.
6. PR expenses to help limit the reputational impact following a breach.
7. Credit monitoring costs to monitor the victims' credit history for fraudulent activity.

PLUS other Cyber liability coverages including:
8. Network Security Liability: third party liability for damages and expenses as a result of your system security failures causing harm to third party systems.
9. Negligent transmission of a virus: for damages to customers' computer systems and data.
10. Intellectual property infringement, defamation or breach of privacy due to your website content.

>> LOSS OF DIGITAL ASSETS INCLUDING NON-PHYSICAL BUSINESS INTERRUPTION
1. Data/electronic information loss: the costs to restore data that has been lost or corrupted.
2. Indemnification for loss of revenue following an unplanned system outage, and increased cost of working, arising from unauthorised access to your systems or a cyber attack.
3. Cyber theft: your loss arising from your funds being transferred as a result of hacking, or from your customers or other third parties being induced to transfer funds as a result of your systems being hacked.
4. Cyber extortion: covers expenses and the extortion demand amount related to a threat to commit a computer attack.

Our e-solution experts can further develop and tailor the coverages so that they are aligned with your specific risk profile.

What about your Crime insurance cover?
It is important to note that most businesses' crime insurance arrangements are not sufficient to cover the scope of exposures insured under a Cyber policy. Specifically, a Crime policy will not generally cover the following exposures:
1. Liability for damages and legal expenses for third party claims, such as the breach of privacy cover which is a major feature of the cyber liability policy.
2. Intangible property: most Crime policies typically only cover direct loss of money or other defined securities. Loss arising from theft of intellectual property would therefore not usually be covered.
3. Electronic fraud or theft committed by (or in collusion with) an Employee.
4. Business interruption or extortion coverage.
WHY WILLIS FINEX CYBER PRACTICE?
Willis has placed and designed Executive and Professional Risk policies since these coverages incepted almost 100 years ago. Building on this tradition, the FINEX division of Willis Australia is dedicated to helping clients protect key assets and reduce exposure. With expert Associates from complementary disciplines working together in Willis FINEX, we are able to maximise the value we deliver to our clients. Taking advantage of the synergies in our team, our FINEX Associates can marshal all of Willis' global capacity and resources to provide seamless delivery of insurance solutions. FINEX Australia offers specific industry insight and placement experience to fully identify exposures and then design bespoke market solutions. From risk identification and insurance analysis to strategic claims management, Willis provides the experience, thought leadership and market savvy to help make Professional, Financial and Executive risks truly manageable. By developing an in-depth understanding of our clients' business, we anticipate future needs and are well placed to work with clients in close partnership.

If you are concerned about Cyber risk, contact us and arrange an initial consultation.
NSW: Alex Atkinson
VIC: Kelly Butler
WA: John Barr
SA: Kathryn Pinyon
QLD: Roger Smith
Willis Australia
179 Elizabeth St
Sydney NSW 2000
AUSTRALIA
Tel:
Willis Australia Limited, ABN: AFSL:
/12 - ver. 1.0