Cyber attacks: time to accept the virtual reality

Changes to the Privacy Act that will force businesses to disclose privacy breaches look set to increase understanding of the risks posed by cyber attacks.

The proposed Privacy Amendment (Privacy Alerts) Bill – currently before the House of Representatives – will force governments and companies to notify affected people and relevant regulators when personal information is leaked accidentally or accessed by hackers.

Marsh NSW Manager of Financial and Professional Services Craig Claughton says experience abroad shows that when reporting becomes mandatory, more organisations buy cyber risk cover – “and we are on the doorstep of that occurring now”.

He says many organisations lack a full understanding of the risks posed by data insecurity and privacy breaches.

Cyber risks span the organisational spectrum, from small companies to the largest corporations, he told insuranceNEWS.com.au.

“The reality is that everyone has a database. Even if a company doesn’t collect or store third-party data, it will still have employee and client information on file.”

Research last year by the Federal Government’s Computer Emergency Response Team (CERT) and the Centre for Internet Safety at the University of Canberra showed more than 20% of 255 organisations were aware of a cyber incident in the previous year, with 20% experiencing more than 10.

The researchers say other respondents probably suffered attacks that went undetected.

Of those that acknowledged an incident, 17% lost confidential or proprietary information and 20% chose not to report it to law enforcers because they feared negative publicity – an option that may soon be unavailable.

Mr Claughton says the Privacy Act amendment should push companies to carefully review their cyber exposures.

“Traditional insurance policies were developed long before the evolution of cyber risks, so the types of exposures companies now face don’t fit neatly within existing definitions and exclusions of those policies.

“For instance, traditional business interruption cover only applies to damage or loss of tangible property from a physical peril and wouldn’t apply to data and electronic media.

“A crime policy is usually only applicable to the theft of money, security or tangible property – cover might not extend to loss of data.”

Mr Claughton says clients often ask why they have to buy another policy for cyber threats rather than adding it to a current policy.

But he says property policies were designed to cover particular risks and have been priced by insurers based on the portfolio’s historic performance.

“New covers can upset the performance of that portfolio.”

Even clients with policies covering a range of cyber risks find they need additional cover to plug gaps, because the threats are evolving so rapidly, he says.

The CERT research finds building resilience to cyber incidents “requires constant vigilance by IT security staff… to create and apply current and efficient risk treatments”.

Among the companies that suffered cyber incidents, 32% experienced theft of a notebook, tablet or mobile device, 28% a virus or worm, 21% a Trojan or rootkit malware, 18% unauthorised access, 17% theft of confidential information and 16% a denial-of-service attack.

The research supports the view that no particular industry has substantially less or more risk.

Of 11 sectors surveyed, the most attacks were on energy (17%), defence (15%), communications (12%), banking and finance (9%) and water (9%).

Mr Claughton says clients often ask about the risk of storing information in the cloud – data held by a third party away from the client’s premises and accessed online.

He says the law is quite clear that responsibility lies with whoever released the information, so a breach from a cloud computing system would rest with the owner of that system.

However, customers are likely to blame the company they gave their data to, so business managers will probably want to take responsibility for notifying them.

It is an issue that managers, and their advisers, must consider with the new legislation looming.