The fallout—your losses from a cyber breach04 October 2016
Businesses, large and small, continue to be the primary targets of cyber attacks in Australia and, as a result, frequently face breaches that can lead to substantial losses. In July 2016, Trend Micro reported that Australia had the second highest level of ransomware attacks (attacks designed to lock users out of computer systems until a ransom is paid) during the period of April to May 2016— second only to Japan.
On a global level, recent attacks on the medical and medico-insurance industries highlight the cost of such cyber breaches as noted online in SC Magazine. A breach of a large US health insurance company's system led to nearly 10 million medical records being offered for sale online at a price of 750 bitcoins (an uncontrolled online currency, which approximately equates to AUD$652,000). Once such information is obtained it opens up the opportunity for identity theft.
In an article published in Insurance Matters Issue 9, we looked at preventing cyber risks by posing the question: are you ready for the breach? Many breaches—and the associated losses—can be prevented through the implementation of simple security controls. For example, the controls implemented by Ottawa Hospital meant that when it suffered a cyber breach in March 2016, no patient information was affected, no ransom had to be paid and its IT department was able to resolve the issue internally.
We now look at some first party losses that arise from such cyber breaches and that may be payable by insurers under cyber insurance policies. In particular, we focus on the following first party losses:
- extortion costs
- business interruption, and
- response costs to rectify harm.
Extortion costs are any amounts paid to cybercriminals to prevent the sale of stolen data or, alternatively, to decrypt and regain access by users who have been locked out of a computer system.
Ransomware-style breaches are effective in forcing victims to make payments— creating financial incentives for cyber criminals. An article on the Wired website notes that in 2014 the FBI reported the cyber virus "CryptoLocker" led to $27 million in payouts in just six months. The same article reported that in February to March 2016, three hospitals suffered cyber breaches. The Hollywood Presbyterian Medical Centre in Los Angeles had key computer systems taken offline for more than a week until it paid a ransom of USD$17,000. The Methodist Hospital in Kentucky was also the victim of a breach, which prevented access to patient files over a four-day period (although administrators were able to recover the systems from backups). Similarly, MedStar Health suffered a breach that meant employees were unable to access emails or a database of patient records for a period of 24 to 48 hours.
Some insurance policies cover the cost of paying the extortion, if the insurer agrees to the payment. It doesn't prevent breaches occurring but it can be the simplest way to unlock a system and mitigate loss.
If emails, databases, records and other key computer systems are inaccessible or offline, it can interrupt or impair a company's revenue and lead to losses.
As everyday devices and systems become more interconnected, and communicate more in real-time (otherwise known as the "Internet of Things"), the potential for business interruption following a cyber breach increases. Forbes estimates that by 2020, there will be over 26 billion connected devices. While that makes corporate systems more efficient and more effective, it also increases the risk of significant business interruption losses if a breach does occur. For example, not being able to access a payment system due to ransomware may not only impact business operations but may also result in the loss of customers and revenue.
The type of business interruption cover offered and the period of business interruption covered varies significantly between policies. It is also worth being aware that while interruptions can have a significant impact on a business's reputation, unless it is reflected in the business interruption claim, the cost of loss of reputation or reduction in share price will not be covered under a cyber insurance policy.
Response costs to rectify harm
Response costs to rectify harm may also arise from cyber breaches. Some of these costs are directly related to IT, with the first step after a breach usually being the appointment of IT specialists to determine the extent of the damage, to prevent a repeat of the breach and to conduct a forensic investigation. Such investigations are necessary where cyber breaches may have led to the theft of personal data, such as medical records or credit card information.
Other IT-related costs include repairing and restoring systems that have been compromised because of a breach and recreating data that has either been deleted or encrypted (and made inaccessible). If the personal data you hold is compromised, response costs can include the cost of notifying customers of the breach, credit monitoring for affected customers and engaging external public relations/communications experts.
As companies become more interconnected and reliant on technology, the likelihood of cyber breaches increase. As a result, companies should seek appropriate cover through their insurance broker.
Companies should also ensure their cyber insurance policy covers first party losses as well as third party losses. There are many types of first party losses in addition to the three losses we have covered. Consider all potential losses before deciding on the best insurance policy for your business.