- Does your organisation rely on third parties and have you signed agreements with these parties?
- Do you know what obligations have been assumed in these agreements?
- Does the contract cover losses or damages that arise from a data breach or cyber event?
- Does your current insurance coverage clearly cover requirements of these contracts?
These are important questions facing Australian businesses as a greater reliance on technology and third-party vendors continues to increase significantly.
As public awareness of cyber risks and attacks continues to increase, more decision makers are requesting contractual cyber insurance liabilities be specifically addressed similarly to public liability.
Why is cyber insurance appearing on contracts?
Many Australian organisations are beginning to see contractual cyber insurance requirements across a wide variety of industries as cyber risk awareness increases. One way for organisations to protect themselves from financial loss, the expense of regulatory fines, penalties and reputation damage in the event of a data breach is to require contractors and vendors, with access to customer and employee personally identifiable information, to carry a cyber insurance policy.
Currently it’s common practice for vendors to provide proof of certain types and amounts of insurance cover and in some cases having their business named as an additional insured on vendor insurance policies. The types of losses, damages, and costs that arise from a data breach are often not covered by the standard insurance policy requirements listed in typical vendor contracts. Businesses without contractual cyber insurance requirements may leave themselves exposed to unexpected and uninsured losses.
Costs which can follow a breach
Many surveys have indicated that executives are unaware of the full scope of direct & indirect costs which can arise from a cyber attack or data breach.
Direct costs can include:
- Forensic IT expenses to determine the cause of the breach and extent of data loss
- Business interruption and increased working costs to keep the business operating as usual
- Breach notification and response costs
- Legal fees
- Public relations expenses
- Providing credit monitoring and identity theft restoration services
Indirect costs can include:
- Loss of income
- Goodwill and reputational damage
Should you require vendors to have cyber insurance?
We believe so, businesses currently require their vendors or contractors to indemnify them for public liability, professional indemnity and other current lines of insurance while completing the work. The same consideration should be shown for personally identifiable & sensitive data which could be compromised while the work is undertaken. Serious harm can be caused to an individual or business as a result of a data breach, anything from financial loss, emotional or reputational damage and even physical damage has been shown to occur.
All third parties who have access to customer or employee personally identifiable information should be having a conversation about sharing or transferring the risk of loss through cyber insurance if there is a data breach. Cyber insurance policies, among other things, typically cover the cost for computer and data loss restoration, notification costs, credit monitoring, and liability to third parties from your failure to handle, manage, store, and control personally identifiable information belonging to others.
The majority of Australian businesses collect and store data about their clients which in most cases is managed by an IT managed services group. According to a May 2016 Ponemon Institute report, 75% of the Australian IT and security professionals surveyed stated that the risk of a third party’s breach is a serious concern and increasing within their organizations.
Current Government View
Regulators in Australia have increased their efforts to bring cyber risks to the attention of organisations with both the Office of the Australian Information Commissioner (OAIC) and the Australian Investments and Security Commission (ASIC) providing regularly updated information and resources.
“While in its infancy in Australia, the rapidly growing cyber insurance market may help enforce improved cyber security performance.” “Although some organisations may be implementing international cyber security standards that all organisations can achieve, others are not doing so. In our interconnected world, a solid baseline of cyber security practice is critical to achieving confidence online.” — Australian Government Cyber Security Strategy
The Australian government has recently established a Notifiable Data Breaches scheme to address the growing concern around data breaches and privacy. Full details can be found here – OAIC
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach. This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
If the Privacy Act 1988 (Privacy Act) applies to your business, you will need to be aware of the risks of a failure to secure data where that failure results in a breach of the Privacy Act. The Privacy Act requires entities to take reasonable steps to protect personal information such as customer details. Significant penalties may apply to you if they are responsible for a breach of the Privacy Act. These include fines of up to $360,000 for individuals and $1.8 million for corporations as well as the potential for a compensation order being awarded.
At Cyber Insurance Australia we believe the Privacy Amendment will continue to drive contractual cyber insurance requirements in the future as more organisations are made aware of their costly responsibilities towards data security.
We will continue to update this page with further developments as the landscape changes for Australian businesses.
Contact us to discuss upcoming changes which may impact your business.
Other articles you might be interested in: