Under the Privacy Amendment (Enhancing Privacy Protection) Act, strict rules will govern how companies can collect, maintain, distribute and destroy personal information. Further reforms are expected to be passed by the Senate later this year, proposing that businesses and government agencies must notify customers of serious data breaches involving personal, credit reporting or tax file number information. The introduction of a mandatory data breach notification law will ensure that if there is a breach, consumers are made aware and can then take remedial action. The Privacy Amendment (Privacy Alerts) Bill 2013 will also force companies to tighten their data security.
Cyber insurance has been available for around ten years and is one way businesses can better manage the risks related to a data breach and limit the significant costs that result from one. Even so, take-up in Australia has been poor to date, with less than 1 per cent of Australian businesses covered.
This is in stark contrast to countries like the US where mandatory data breach notification laws have been in place for some time, resulting in 25 per cent of listed companies purchasing cyber insurance in the same way they buy protection against fire, flood and theft.
The poor take-up of cyber insurance in Australia is startling, especially when you consider that the global cost of cyber crime is estimated at $388 billion annually, and that the average cost of a data breach reported by an Australian company jumped 23 per cent to $2.72 million in 2012.
This is the equivalent of $141 per lost or stolen record, according to the 2013 Ponemon Institute/Symantec Cost of Data Breach Study. The study also found that 43 per cent of local data breaches were caused by malicious criminal attacks; 33 per cent were due to mistakes by staff or third parties such as cloud providers and business partners; and 24 per cent involved system failures.
In addition to hefty penalties and recovery costs that can apply after a cyber crime, a business also faces a loss of productivity and income, damage to corporate brands and customer trust, and exposure to legal action.
Given all of these costs, cyber insurance can provide peace of mind for as little as $42 per month. If a data breach occurs, insurance can not only cover civil penalties and fines but also forensic investigation costs, legal fees, damages, and compensation for lost or reduced revenue due to business disruption.
Policies may also cover the cost to repair, replace and improve computer systems and security, and hire a public relations consultant to restore any brand or reputation damage.
But, of course, not all policies are the same. There are many different types and levels of cover, and because cyber insurance is still relatively new in Australia, it’s important you research and compare policies to ensure you get adequate cover.
Seeking advice from a specialist broker could also save you time and money.
Seven years ago cyber crime barely rated a mention in the World Economic Forum’s Global Risk Report, but today it’s ranked as the fifth biggest threat to business behind income disparity, extreme weather, unemployment and climate change.
A recent survey conducted by PricewaterhouseCoopers found 63 per cent of Australian businesses believe the risk of cyber crime has risen in the last 12 months.
It’s no longer a problem that Australian businesses can afford to ignore. Small to medium-sized enterprises are particularly at risk with evidence that criminal gangs are actively targeting them because they’re seen as a soft target with inadequate security. For instance, a medical centre on the Gold Coast and a mechanic in Alice Springs were two recent victims of cyber crime.
Given that the majority of organisations don’t even know where to start when it comes to protecting against cyber threats, while criminals are becoming ever more sophisticated in their ability to exploit businesses over the internet, cyber insurance is a simple way to manage these risks.
BizCover’s top tips to prevent and manage data breaches:
- Clearly identify confidential client and business information, and train staff and any relevant third parties on how to properly handle this information;
- Restrict the number of people who have access to devices, and ensure that passwords for computers, smart phones and databases are strong and regularly changed;
- Review and test security and risk management measures, such as anti-virus software, on a regular basis; and
- Review your existing insurance policy to ensure it covers you in the case of a breach and, if not, investigate cyber insurance options.