Insurance follows cyber crime on risk
True, most small businesses probably don't need coverage any more for their horse breaking a leg, but that is more than compensated by newfangled ways of striking trouble.
Cyber insurance is promising to be a new boomlet for insurers as companies become more aware of the dangers of being hacked and losing their data. But that is only the half of it - there is also the risk of being hacked and losing other people's data. Let your customers' personal information fall into the hands of the identity theft scumbags and you could have the lawyers knocking on your door, never mind the damage to your reputation of having failed your customers.
Mind you, there are plenty of low-tech ways to lose data as well. A certain sort of person will enjoy the irony of data security company AusCERT, which last year lost 8000 subscribers' personal information in the mail.
Cyber insurance is a step up from the already fairly common business insurance to cover loss of a business' own data for reasons ranging from a disgruntled employee making off with the files to fire damage and equipment failure.
Given the increasing importance of data to a business over physical assets, being aware of its importance is vital both to safeguard against its loss in the first place and then to cover the financial cost if it is destroyed.
The purveyors of cloud computing use the danger of data loss as part of their sales pitch. With everything else happening in a small business, it is not hard to forget to back up data just once or twice - which is when one of the subsets of Murphy's Law will strike. But if a business tries to avoid data loss by moving to the cloud, there then arises the question of the cloud's security.
Protection against the danger of losing other people's data is a relatively recent phenomenon. It took off in the US (the home of the most lawyers per head of population) after 2005 when laws were introduced to force companies to inform people if their private details had been compromised.
According to a recent Reuters report, American insurance companies are now writing more than $1 billion in annual premiums to cover that risk.
And the risk can be considerable. With almost as much irony as the AusCERT case, US insurance company WellPoint was fined $US1.7 million ($1.8 million) this month for having weak database security after exposing more than 600,000 personal records online in 2009. WellPoint is a health insurance company, but it should still understand a thing or two about risk.
And where the US goes in such matters, the rest of the developed world, including Australia, tends to follow. The Europeans are on the same path and privacy legislation is a growth area here, too, with some high-profile failures already on record. There was the theft of some 77 million Sony PlayStation network users' data, including 280,000 Australian users. Telstra last year was ruled to be in breach of the Privacy Act after mishandling a database of 734,000 customers. And the Australian Privacy Commissioner rapped Vodafone over the knuckles for lax security after finding staff in its stores shared a single log-on and password that allowed access to plenty of customers' information.
Even in 2010-11, the Office of the Australian Information Commissioner (and who knew there even was one?) was being notified of a data issue each week and was investigating just as many that had not been made public.
It is bad enough to be hacked by criminals wanting to steal data for financial gain, but there is also simple data vandalism - hackers wrecking systems just because they can - and the growing incidence of cyber blackmail - hackers infiltrating a company's database and threatening to destroy it unless money is paid.
And if you are not scared about ever using a computer again, there is the often overlooked "big daddy" of cyber crime - the theft of intellectual property by a competitor or extortionist. That is one of the allegations made against China on a state basis - stealing not just government secrets but those of major suppliers and competitors.
Yet business today is data - enter your friendly local insurance company with the chance to sell another policy.
Frequently Asked Questions about this Article…
Cyber insurance is a type of policy that helps cover financial losses from losing digital data or having customer data compromised. The article explains it as a step up from traditional business insurance — covering not only a company’s own data loss (from employee theft, fire or equipment failure) but also the legal, reputational and remediation costs if customers’ personal information is exposed. As hacking, data theft, cyber blackmail and other online threats rise, cyber insurance is becoming more important.
Yes. The article describes cyber insurance as a promising ‘boomlet’ for insurers as companies become more aware of hacking risks. It notes that American insurers are already writing more than US$1 billion in annual premiums to cover cyber-related risks, showing clear market growth.
The article suggests the landscape has changed: while many small businesses may not have needed coverage for traditional risks, the increasing importance of data means they face new exposures. Whether a small business needs cyber insurance depends on how much data it holds, the potential impact of a breach and its existing security and backup practices, but the trend is that more businesses are considering such cover.
According to the article, cyber policies can cover loss of a business’s own data (for example from a disgruntled employee, fire or equipment failure) and the more recent phenomenon of covering loss of other people’s data. They can help with legal costs and clean-up after hacks, extortion or data vandalism, and sometimes losses linked to intellectual property theft or cyber blackmail.
The article highlights several high-profile examples: AusCERT once lost 8,000 subscribers’ personal information in the mail; WellPoint was fined US$1.7 million after exposing more than 600,000 personal records; Sony’s PlayStation Network had 77 million users’ data stolen (including about 280,000 Australians); Telstra was ruled in breach over a mishandled database of 734,000 customers; and Vodafone was criticised when staff shared a single log-on that exposed customer information. These cases show both regulatory fines and reputational damage are real risks.
The article notes cloud providers often use the danger of data loss as part of their sales pitch, and that moving to the cloud can reduce some risks but raises questions about the cloud’s security. It also points out that busy small businesses can forget to back up data, creating exposure. For investors, this highlights operational and security questions around companies that rely heavily on cloud services and digital records.
Yes. The article mentions that privacy and data protection authorities are active: after high-profile failures and growing privacy legislation, Australia’s Office of the Australian Information Commissioner was being notified of a data issue roughly every week in 2010–11 and was investigating many incidents, including ones that had not been made public.
The article lists several cyber threats investors should watch for: criminal hacking for financial gain, data vandalism that destroys systems, cyber blackmail (extortion), and theft of intellectual property (including allegations of state-linked theft). These risks can lead to fines, remediation costs and reputational harm that affect company value.