What is Cyber Insurance? 

During the 2020-21 financial year, the Australian Cyber Security Centre (ACSC) observed self-reported losses from cybercrime in Australia totalling a staggering $33 billion. Most businesses rely on technology to some extent, which means they’re exposed to increasingly sophisticated cybercriminals. According to the ACSC, an average of 164 cybercrime reports are made by Australians every day – that's about one report every 10 minutes.  

Cyber Insurance covers the physical loss or damage to information, IT systems and networks. It can also cover loss of profits to be business, caused by the introduction of malware, extortion or hacking, as well as management of the incident itself. 

Why is Cyber Insurance important?

Businesses must have guards against hackers and other types of cyber breaches. What’s more, because of stricter data privacy laws, they’re increasingly required to ensure personal information is secure. A breach will be investigated and require costly actions, including contacting hundreds or thousands of customers. There’s also the potential for hefty fines and penalties.

It’s easier to buy an insurance cover that protects your main cyber-related risks of damage to your systems and recovery, rather than trying to find specialist consultants to rebuild systems and keep the business operating. Cyber Insurance policies also generally include significant support with managing the incident, which can be essential when faced with reputational damage or regulatory enforcement.

What does Cyber Insurance cover?

There is a wide range of Cyber Insurance available. While all policies cover liability to third parties for passing on viruses, some also cover damage to your own networks. 

Additional sections that we recommend considering include:

• incident response – specialists to identify the issue and repair
• lost income and additional costs related to the incident
• data recovery and restoration
• consumer notification costs and ongoing monitoring costs
• legal defence costs
• cyber extortion management and fees
• crisis and PR management of the incident
• management of communications with regulators. 

Managing cyber risks to your business

Cyber Insurance is a key part of your management of cyber incidents and attacks. Many resources are available to help minimise the likelihood of a successful attack, including the Australian Cyber Security Centre. 

The top 3 things that you can do easily are:

1. Update your devices to protect information.
2. Set up multi-factor authentication for logging on.
3. Back up your data real-time of at least daily.

Explore your insurance options today. Talk to your professional insurance and risk adviser and get the best cover for you and your risks.

Frequently Asked Questions

What is not covered by Cyber Insurance? 

Like any insurance, not everything is covered by your policy. Some common exclusions include:

• personal injury
• consumer redress funds, unless specifically covered
• loss of money or securities, unless specifically covered
• your intentional conduct or wrongful use of personal information 
• failure to take reasonable care in securing your IT systems

Is Cyber Insurance required in Australia? 

Cyber Insurance can help you to manage your business's financial risks. While it isn’t mandatory in Australia, it is expected that certain businesses have some level of cover in place – including critical industries, care, finances and utilities. Without insurance, you would be forced to pay out of your own pocket for repair, recovery, and remediation costs from a cyber incident or attack.
 

What are the main areas covered under Cyber Insurance?
 
Cyber Insurance typically helps you with expenses spent on five main areas: 

1. Third-party liability
2. Emergency response and business continuity assistance
3. Recovery of your data and IT systems
4. Business interruption due to interference to your systems
5. Loss to you from crime or fraud. 
    

Does Cyber Insurance cover data loss? 

Yes, Cyber Insurance covers your lost information and data, as well as any loss caused to your customers or suppliers if a virus is transferred. It also covers:

• notifying potentially affected customers of a data breach
• employing computer forensic experts to identify and restore data
• repairing damaged computer systems, both hardware and software, to enable the data and systems to operate.

What are the benefits of Cyber Insurance? 

Cyber insurance is a specialist insurance policy that provides cover against cyber incidents or attacks that aren’t covered by other insurance policies, such as professional indemnity, management liability, or business packs. This could potentially leave a gap in cover. A Cyber Insurance policy will pay for legal costs, crisis managers, and payment of credits and refunds to customers.

What is Social Engineering Fraud Insurance? 

Social engineering fraud is part of a type of cyber (internet-based) crime. In simple terms, it’s when a cybercriminal tricks a person at home or in a business into sharing confidential information or transferring money, which the criminal steals. With seven out of 10 businesses experiencing some type of cyberattack in the past five years, social engineering crimes are a problem for both small and large businesses.

Cyber Insurance is a specific type of insurance policy that has been developed to cover the loss of money, data and confidential information stolen by cybercriminals. 

Human-based:
This involves person-to-person communication such as:

• impersonation
• posing as an authorised user (like your boss)
• posing as a third-party stakeholder
• shoulder surfing to gain private credentials
• dumpster diving to check your computer's trash for valuable information.

Computer-based:

This approach generally targets victims via computer software, often by:

1. Baiting - uses false promises to incite curiosity and greed in the victim.
2. Phishing - uses spam email and text messages to trick users into entering their personal info, clicking malicious links, or downloading attachments that contain malware. 
3. Pretexting - falsely mimics an authoritative person to gather information (policeman, doctor, bank representative, etc.).
4. Spear phishing - more targeted emails or texts to a person that mimics someone the person knows, especially in the context of business, like the employer of the victim, using personal information to trick the person into believing the criminal is real. 
5. Scareware - arouses fear and panic in its victim so the victim will act, such as paying a fake bill or calling before service is suspended for non-payment.

Unfortunately, these types of crimes can and do frequently go unnoticed until confidential data has been stolen or funds have been transferred, and it's too late to recover them. It’s difficult to eliminate the risk of social engineering fraud, and criminals are increasing their attacks. Fortunately, a comprehensive Cyber Insurance policy can cover losses caused by social engineering attacks.

Why is Social Engineering Fraud Insurance important?

Businesses are becoming more integrated into the digital community – from banking, health insurance, and buying goods or services online. This leaves a lot of ways that people and companies can be exposed. In Australia, a cybercrime report is made approximately every eight minutes.

While anyone can be the subject of social engineering attacks, there are certain groups scammers typically target, due to factors such as seniority, access to sensitive information, or ability to access systems. These include:

• high-profile individuals
• senior management
• system administrators 
• staff members (mainly from finance, legal, etc).

Ultimately, no matter what your position is within the organisation or existing cyber defences, no one really is immune to being scammed and becoming a victim of social engineering or cybercrime. As part of your risk management, a Social Engineering Insurance policy can minimise the impact and financial loss to the business.

What does Social Engineering Fraud Insurance cover?

It’s important to know that cyber risks and social engineering fraud are not usually covered under the normal Business Insurance policy, so you’ll need to look at these separately.

As mentioned, Social Engineering Fraud cover is part of a Cyber Insurance policy that covers:

• incident response – specialists to identify the breach and remove the cause
• financial loss and additional costs due to the incident
• data recovery and restoration
• legal defences costs
• cyber extortion management and fees
• crisis and PR management of the incident.

Your policy should extend to cover losses due to impersonation of vendor/suppliers, executives, and clients.

Because different businesses and industries have different levels of complexity and risk, we recommend talking with your insurance adviser. They’ll work with you to understand your business, provide you with advice to manage your risks, and recommend the best insurance options and solutions.

Frequently Asked Questions

What is an example of social engineering?

Social engineering crime, in simple terms, is when a cybercriminal tricks a person at home or in a business into sharing confidential information or transferring money, which the criminal steals. Examples include phishing which tricks users into entering their personal info, clicking malicious links, or downloading attachments that contain malware, giving the criminal access to the computer.

What are the the main types of social engineering attacks? 

The five most common social engineering attacks are:

(1)    baiting
(2)    phishing 
(3)    pretexting
(4)    spear phishing
(5)    scareware.

What is an example of social engineering phishing? 

Phishing is a social engineering trick that sends out spam emails or texts to trick users into entering their personal info. By clicking malicious links, they are redirected to a scam webpage, where the victim is tricked into handing over sensitive personal information or downloading attachments that contain malware, giving the criminal access to the computer.

Is social engineering fraud a type of cybercrime in Australia? 

Yes, many forms of social engineering happen within cyberspace. A criminal pretends to be someone else and tricks the victim into giving them information or access to their computer, or transferring money. Any social engineering tactic constitutes fraud and qualifies as cybercrime.