Precedent (Australian Lawyers Alliance)

Finnane, Ciaran; Maurushat, Alana --- "Managing cybersecurity risks: cyber insurance" [2016] PrecedentAULA 12; (2016) 132 Precedent 46

MANAGING CYBERSECURITY RISKS: CYBER INSURANCE

By Ciaran Finnane and Dr Alana Maurushat

Cybersecurity focuses on protecting computers, networks, programs and data from unintended or unauthorised access, change or destruction.[1] More than 94 per cent of Australian businesses have access to the internet; this is increasing year on year, thus making cybersecurity more important than ever.[2]

A major concern among businesses at the moment is the challenge that cyber risks present.[3] Some companies are reporting that there are over 20 serious cyber attacks every day.[4] There have been many recent high-profile incidents in which businesses' information systems were compromised, leading to sensitive data being accessed. Cybersecurity is important, as no organisation, no matter how skilled, is immune from the risks and associated costs of tackling cyber threats.

This article, although not covering all the current risks extensively, aims to cover some risks in the current threat landscape, the costs associated with data breaches, and the use of cyber insurance as a method of mitigating cyber incidents.

SECURITY THREATS AND RISK LANDSCAPE

Organisations face a number of cyber threats and risks when their security is breached (see Table 1).

Table 1: Cybersecurity threats

Denial of service attacks: An attack that prevents or impairs the authorised use of information system resources or services.

Unauthorised access to data and networks for corporate espionage, fraud, blackmail: Any access that violates the stated security policy.

Discovery of vulnerability: A characteristic or specific weakness that renders an organisation or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.

Interference with data and networks (intrusion): An unauthorised act of bypassing the security mechanisms of a network or information system.

Data breaches: The unauthorised movement or disclosure of sensitive information to a party, usually outside the organisation, that is not authorised to have or see the information.

Source: Department of Homeland Security, A Glossary of Common Cybersecurity Terminology, National Initiative for Cybersecurity Careers and Studies <https://niccs.us-cert.gov/glossary>.

Responding to cyber threats

An organisation hit with a cyber attack may react in a number of ways. Mitigation of damage is the key priority for most organisations when under threat. The most important component in damage limitation is protecting assets not already compromised, such as data that has not yet been stolen.[5] This could require stopping a denial of service attack as soon as possible through various means: technical measures, paying a bribe, or launching a counter denial of service attack. Damage control may also mean ensuring that there is little to no media attention to the matter, or that any media coverage is as well managed as possible. Mitigating damage is only one facet of the aftermath of an attack.

Of these threats, data breaches are among the most prevalent. High-profile data breaches locally and abroad highlight the high costs and damage caused by breaches of personal information covered under the Privacy Act 1988 (Cth). The 2015 Australian Kmart and David Jones breaches, in which customer data was compromised, drew attention to the fact that an attacker can be in a network for hundreds of days before a breach is detected. In those incidents the affected organisations were quick to mitigate damage and prevent further breaches of customer data.[6] They called in an expert forensics investigation team and notified the Office of the Australian Information Commissioner and the Australian Federal Police to assist with the investigation.[7] In the United States, large data breaches are reported weekly, with 2015 marking what some hail as the largest data breach in US history: a JPMorgan breach in 2014 was revealed in 2015 to include other banks and securities investment accounts, totalling over 100 million breached accounts.[8] While the damage and money stolen have yet to be fully quantified, this is clearly a breach of a magnitude previously unseen. The Office of the Australian Information Commissioner (OAIC) recommends that all entities have a data breach response plan. The OAIC recommends a four-step plan: (1) Contain the breach and conduct a preliminary assessment; (2) Evaluate the risk associated with the breach; (3) Notification; and (4) Prevent future breaches.[9] Having a data breach plan is one method of mitigating damage and costs. Having a data breach response plan may also reduce cyber insurance premiums.

While implementing a data breach response plan can assist in mitigating these costs, businesses are increasingly turning to cyber insurance as a means of deflecting the costs associated with cyber incidents.[10]

THE COST OF DATA BREACHES

Research suggests that the cost to an organisation of a data breach can be significant.[11] Successful attacks that breach systems can have significant financial and non-financial consequences for the affected business. The average financial cost to a business of a data breach in 2014 was $2.8 million, with roughly 30 per cent of these costs associated with legal, forensic and investigation expenses.[12] A large part of the total cost, however, is the loss of business and reputation.[13] Successful attacks take an average of 23 days to resolve, with this period increasing to 50 days if the attack came from within the business.[14] Aside from the financial and non-financial losses, the most alarming statistic is that over 60 per cent of businesses which experience a cyber attack such as those listed above go out of business within six months.[15]

A NEED TO REDUCE THESE RISKS

These risks to business need to be reduced. Although there are many ways to reduce the risks, the threats will always be present and ever-evolving. Cyber risk was ranked as the top risk in Australia by businesses in PwC’s 2015 survey of 806 respondents, the Insurance Banana Skins Survey, moving up from 13th place in 2013.[16] While regulation remains the main concern globally, cyber risk rated 4th in 2015, moving up from 22nd place in 2013.[17] Cyber insurance is one way in which to manage and offset this risk.

WHAT IS CYBER INSURANCE?

Cyber insurance is generally taken out to protect businesses from risks associated with online activities;[18] the insurance can cover things such as business lost due to a system breach, or compensation for stolen data.[19] Traditional insurance policies cover tangible assets such as computers and related hardware; cyber insurance aims to cover intangible losses associated with a breach, such as network interruption, reputation loss, notification and monitoring costs.[20] Like any insurance policy, there are numerous inclusions and exclusions, depending on what level of cover is chosen.

The cyber insurance market is currently worth US$1.5 billion with the US accounting for approximately $1 billion, European countries $150 million, with the rest of the market shared between other countries.[21] The uptake of cyber insurance in the US has been far more rapid than in other countries around the world: 47 American states currently require businesses to notify customers and government of a data breach, which may explain why cyber insurance in the US is more prevalent.[22]

Businesses need to consider numerous issues when assessing whether cyber insurance is suitable for them, and what level of cover is required. Loss of reputation, monitoring and notification costs, and network interruptions associated with the breach all need to be considered.[23] It is also necessary to evaluate the type of data being held by the business and the consequence of losing such data.[24]

Insurable losses include both first-party losses and third-party losses. As Bailey explains:

‘First-party losses concern claims made by an insured for financial harm suffered directly by the insured organisation as a result of an insured occurrence, whereas third-party losses concern claims made against an insured, by a third party, for losses related to an insured occurrence.’[25]

Table 2 highlights different types of insured losses.

Table 2: Insurance losses

Insured First-Party Losses:
- Property damage of tangible assets (servers, computers)
- Property damage of intangible assets (data, software)
- Theft of proprietary information or data
- Business interruption
- Damage to company assets from malware
- Incident management costs
- Replacement of damaged or destroyed goods such as software or hardware
- Fraudulent transfer of funds or data

Insured Third-Party Losses:
- Damage to tangible (e.g. hardware) third-party property
- Damage to intangible (e.g. software) third-party property
- Denial of access or use, unauthorised copying of data
- Insufficient measures to protect third party from consequences of malware
- Unauthorised use of confidential information
- Loss of expected goods and services
- Failure to prevent unauthorised access, use or interference of data or networks
- Defence expenses for legal costs incurred

Source: Liam Bailey, ‘Mitigating Moral Hazard in Cyber-Risk Insurance’ (April 14, 2014) 3 J L & Cyber Warfare 1 (2014).

In the US, cyber insurance has gained serious momentum after a decade of underwriting thousands of policies. According to RAND cyber insurance expert Sasha Romanosky:

‘Carriers are able to better assess a company’s risk of loss, and more accurately price policies. Frequency and severity of loss data, together with improved analytics allows carriers to price policies that more accurately reflect an insured’s expected loss.’[26]

The argument that the industry is in its infancy, or that there is a lack of data to adequately assist insurance companies, is increasingly weak.

A CASE STUDY – SONY[27]

On 8 December 2014, Sony informed its employees that personally identifiable information about them and their dependants may have been obtained by unauthorised individuals as a result of a ‘brazen cyber-attack’; the information accessed included names, addresses, social security numbers and financial information.[28] On 7 December 2014, C-SPAN reported that the hackers stole 47,000 unique social security numbers from the Sony Pictures Entertainment computer network.[29] Although personal data may have been stolen, early news reports focused mainly on celebrity gossip and embarrassing details about Hollywood and film industry business affairs gleaned by the media from electronic files, including private email messages, released by the computer criminals. The leak revealed multiple details of behind-the-scenes politics on Columbia Pictures' Spider-Man film series, including emails between the head of Sony Pictures, Amy Pascal, and others to various heads of Marvel Studios.[30] In addition to the emails, a copy of the script for the recent James Bond film, Spectre, which was released in late 2015, was obtained.[31] As a result of the breach, later in December 2014, former Sony Pictures Entertainment employees filed four lawsuits against the company for not protecting their data released in the hack, which included social security numbers and medical information.[32] In January 2015, details were revealed of the Motion Picture Association of America's lobbying of the US International Trade Commission to require US ISPs to monitor these types of infringements either at the internet transit level or at the consumer-level internet service.

While some experts estimate that the Sony hack cost the company $100 million, Sony CEO Michael Lynton is reported as stating, “I would say the cost is far less than anything anybody is imagining and certainly shouldn't be anything that is disruptive to our budget”, and was “well within the bounds of insurance”.[33]

A CASE STUDY – ASHLEY MADISON

There are many high-profile cases where a business’s data has been breached, with many millions of customers affected. A recent example is the Ashley Madison incident in which millions of customer records were breached and then compiled in a publicly available database for anyone to search. The Ashley Madison incident was global news for quite a while, with two affected customers reportedly taking their own lives when their identities were released.[34] The Ashley Madison incident is still unfolding and represents a large data breach.

A CASE STUDY – AN ANONYMOUS AUSTRALIAN COMPANY

Data breaches, however, occur across the spectrum of companies; another example, known to the authors, is that of a small professional firm. The firm discovered that malware had infected its small network of 22 computers, including 2 virtual servers and associated hardware. The firm had antivirus software installed on all computers and definitions were up to date. When the malware was first discovered, the firm notified its information technology providers and insurers, who attempted to remove the virus without success. The malware allowed the system to be breached, but it was unknown at the time whether any data had been stolen, or the extent of the company’s vulnerability to future attacks. The only way to eradicate the malware was to wipe all the computers and restore data from a backup. The firm lost three days of business due to the downtime and had to spend money on an audit to ensure that its systems hadn’t been breached further. Because the firm had a cyber insurance policy, the insurance company deployed its response team, which minimised any reputational damage and harm to the business. Although this was a relatively small incident, it demonstrates the effect that a cyber attack can have on a company, and the importance of having procedures in place to minimise and reduce the effects of the attack. The insurers paid out a total of US$35,265 to cover the incident.[35] Without the cyber insurance policy, restoration of the affected systems may have taken much longer.

AUSTRALIAN CYBER INSURANCE MARKET

Some people have argued that the cyber insurance market is immature, with insufficient data to perform effective actuarial analysis of the risk. Others have refuted this claim, citing that (at least in the US), the cyber insurance market is now over a decade old with advanced threat analytics, cyber attack incidents, thousands of data breaches publicised and analysed, the introduction of new security and privacy laws and the correlating lawsuits for data breaches and security incidents.[36]

There are two hurdles in Australia preventing companies from venturing into cyber insurance. The first is that Australian insurance companies may genuinely not have enough data about Australian cyber incidents. The second is that there is no legal duty in Australia to report data breaches, and therefore the publication of detailed cyber incidents and threat analysis is newer to the Australian landscape – we have traditionally had fewer statistics. In many other jurisdictions, data breach notification is compulsory, with heavy fines for failure to notify appropriate authorities and customers of the breach.[37]

CONCLUSION

Even the best-designed systems are vulnerable to attacks, and businesses need to assess and take steps to minimise the risk.[38] Minimising the risk of an attack is not just about spending money on information technology security, it is also about implementing appropriate procedures and making the culture of a business security-aware.[39] The type of attacks will continue to evolve, and the number of businesses affected will rise. The Australian government is introducing mandatory data breach notifications for businesses, which may trigger an increase in the uptake of cyber insurance.[40]

Dr Alana Maurushat is Senior Lecturer, The Faculty of Law, UNSW; Senior Research Fellow, The Australian Cybersecurity Centre, UNSW; Key Researcher CRC Data to Decisions; and Co-Director of the Cyberspace Law and Policy Community. EMAIL a.maurushat@unsw.edu.au.

Ciaran Finnane is a research intern with the Cyberspace Law and Policy Community, UNSW. EMAIL ciaran@finnane.com.au.


[1] University of Maryland University College, Cyber Security Primer <http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm>.

[2] Australian Bureau of Statistics, Business Use of Information Technology, 2013-14 (16 July 2015) <http://www.abs.gov.au/ausstats/abs@.nsf/mf/8129.0>.

[3] Price Waterhouse Coopers, CSFI/PwC Insurance Banana Skins Australia 2015.

[4] Ibid.

[5] Alana Maurushat, ‘Hack Counter-Attack: Its Uses and the Need for Legislation’ (December 2012) 6 (12) E-Finance & Payments: Law & Policy.

[6] Liam Tung, ‘After Kmart, David Jones Confirms Hack Too: Unpatched IBM WebSphere to Blame?’ (October 2, 2015) http://www.cso.com.au/article/585904/after-kmart-david-jones-confirms-hack-too-un-patched-ibm-websphere-blame/.

[7] Marc Moncrief, ‘Kmart Online Customers’ Information Hacked in Security Breach’ (October 1, 2015) Sydney Morning Herald, http://www.smh.com.au/business/retail/kmart-online-customers-information-hacked-in-security-breach-20150930-gjyoxe.html.

[8] Jason Abbruzese, ‘Biggest-ever US Data Breach Hits 100 million People with Bank Accounts’, (November 11, 2015), http://mashable.com/2015/11/10/bank-data-breach-100-million/#f6P6_lAlmOqG.

[9] OAIC Data Breach Response Plan, https://www.oaic.gov.au/about-us/corporate-information/key-documents/data-breach-response-plan.

[10] See note 3 above.

[11] Ponemon Institute, 2015 Cost of Data Breach Study: Australia, shows that the average organisational cost for a data breach has reached $2.82 million or $144 per lost or stolen record of personal information; see www-03.ibm.com/security/data-breach/, p1.

[12] Ibid.

[13] Department of Communications and the Arts, Australian Government, Stay Smart Online ‘Small Business Guide’, Stay Smart Online <https://www.communications.gov.au/sites/g/files/net301/f/SSO%20Small%20Business%20Guide.pdf>.

[14] Ibid.

[15] Ibid.

[16] Price Waterhouse Coopers, CSFI/PwC Insurance Banana Skins Australia 2015.

[17] Ibid.

[18] Centre for Internet Security, Cyber Insurance Research Paper, 7 <http://www.canberra.edu.au/cis/storage/CIS%20Cyber%20Insurance_FINAL.pdf>.

[19] Ibid.

[20] Ibid, p8.

[21] Keith Kirkpatrick, ‘Cyber Policies on the Rise’ (2015) 58 Communications of the ACM (Association for Computing Machinery) p21.

[22] Ibid.

[23] Centre for Internet Security, Cyber Insurance Research Paper, 8 <http://www.canberra.edu.au/cis/storage/CIS%20Cyber%20Insurance_FINAL.pdf>.

[24] Ibid.

[25] Liam Bailey, ‘Mitigating Moral Hazard in Cyber-Risk Insurance’ (April 14, 2014) 3 J L & Cyber Warfare 1 (2014). Full text of article without page referencing available at <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2424958>.

[26] Sasha Romanosky, ‘Comments to the Department of Commerce on Incentives to Adopt Improved Cybersecurity Practices’ Docket Number 130206115-3115-01 https://www.ntia.doc.gov/files/ntia/romanosky_comments.pdf.

[27] Paper on file with author (draft). Adib Haque and Alana Maurushat, ‘Why Attribution Is Hard – the Sony Hack Analysed’.

[28] State of California Department of Justice Office of the Attorney General, ‘Sony Pictures Entertainment Notice Letter’ (8 December 2014).

[29] C-Span, ‘Hacking and Cybersecurity Threats’ (7 December 2014).

[30] Julie Makinen, ‘North Korea Decries US Allegations on Sony Hack; US Turns to China’ Los Angeles Times, 20 December 2014.

[31] Phil Helsel, ‘North Korea Insults Obama, Blames US for Internet Outages’, NBC News, 26 December 2014.

[32] Ralph Ellis, ‘Lawsuits Say Sony Pictures Should Have Expected Security Breach’, CNN, 20 December 2014.

[33] Mary Milliken, ‘For Sony Picture CEO, Cyberattack Won’t Set Studio Back’, Reuters, 8 January 2015 http://www.reuters.com/article/2015/01/09/us-northkorea-cyberattack-sony-idUSKBN0KI02420150109#2iLM0p9aTU3BBxUE.97.

[34] Chris Baraniuk, ‘Ashley Madison: “Suicides” over website hack’, BBC News, 24 August 2015 <http://www.bbc.com/news/technology-34044506>.

[35] Centre for Internet Security, Cyber Insurance Research Paper, 10 <http://www.canberra.edu.au/cis/storage/CIS%20Cyber%20Insurance_FINAL.pdf>.

[36] Sasha Romanosky, ‘Comments to the Department of Commerce on Incentives to Adopt Improved Cybersecurity’ (April 2013) <http://www.ntia.doc.gov/files/ntia/romanosky_comments.pdf>.

[37] Alana Maurushat, ‘Data Breach Notification Law Across the World from California to Australia’ (2009) Privacy Law and Business International, Updated Report 2015 (forthcoming).

[38] Ibid.

[39] Ibid.

[40] Attorney General for Australia, ‘The Australian government has responded to the inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014’ (Media Release, Recommendation 38) <http://www.attorneygeneral.gov.au/Mediareleases/Pages/2015/FirstQuarter/Government-Response-To-Committee-Report-On-The-Telecommunications-Interception-And-Access-Amendment-Data-Retention-Bill.aspx>.

URL: http://www.austlii.edu.au/au/journals/PrecedentAULA/2016/12.html