HOW TO STAY PROTECTED AGAINST CYBER THREATS
A CYBER INSURANCE GUIDE
INDAGARD INSURANCE SERVICES
Copyright © 2018 John Catibog
Disclaimer: This publication is for information purposes only. The
information in this publication does not take into account the
objectives, financial situation or needs of any person and should
not be taken as advice. Before making any decision, please consult
with a qualified professional.
CONTENTS
INTRODUCTION
MANDATORY DATA BREACH SCHEME
COMMON CYBER ATTACKS AND CULPRITS
STAYING SAFE ONLINE
THE COST OF CYBER SECURITY
WHAT DOES CYBER INSURANCE COVER?
BUT I ALREADY HAVE INSURANCE
GETTING CYBER PROTECTED
Did you know that 60% of businesses close down within 6 months of a data breach incident?
Introduction
Insurance is an essential item on any business’s balance
sheet.
Depending on the industry you are in, your clients,
vendors and/or the government may require you to
carry certain types of insurance. Chances are that you are
well familiar with these: public liability cover, builders
insurance, commercial auto, key person insurance, just to
name a few.
In this e-book, however, we will shed light on a different
type of insurance that is becoming more and more critical.
With data breaches on the rise, Cyber Insurance is the type
of insurance that deserves your attention.
It is not contractually required (yet) in most cases, but the
lack of it can (and most likely will) have devastating
consequences.
We’ll take an in-depth look at what cyber insurance is, the
covers it provides and the privacy laws that impact you.
Not only will we look at Cyber Insurance but we’ll also
discuss the most common cyber attacks/hacks you could
face.
According to the Ponemon Institute, the average cost an
Australian business incurs is $139 per affected record.
If you had just 1,000 records (that could include
customer information, vendor information, email
subscribers, anyone who signed up to your website with a
password), your average cost would be $139,000.
Do you have this money set aside to cover a cyber breach
incident?
If not, read on.
What exactly is cyber insurance?
Cyber Insurance is designed to help offset your costs in the
event of a data breach.
Like any other insurance, it’s a risk mitigation technique
that allows you to transfer some of that risk to the
insurance company.
Let’s face it; every business nowadays uses technology.
Whether you sell online, or simply have your customer
information on a server in a cloud, if your computer is
connected to the internet, the data is at risk.
The truth is, the data you are responsible for is never 100%
secure, and hackers make it their mission to breach your
computer’s defences.
Technology has massively changed the way business
is done today. While technology in business has many
advantages, it has opened the door to many new dangers
and risks that didn’t exist before the digital era.
You may be a local business, but your reach is global the
moment you’re online and at risk.
Cyber insurance will cover costs associated with notifying
the individuals whose data has been stolen, forensic
investigation costs and will protect you from lawsuits by
people affected by the data breach whose records you were
responsible for.
Of course, no two policies are the same, so it’s important to look
at each quote you receive to determine what exactly is
covered.
MANDATORY NOTIFICATION DATA BREACH SCHEME
Are there any laws that make Cyber Insurance necessary?
The new Notification Data Breach (NDB) scheme has
changed the requirements for companies and agencies in
protecting the Personal Identifiable Information (PII) they
collect and store.
This new law made Cyber Insurance even more critical as
there are new (costly) obligations to deal with if the breach
happens.
On February 22, the Office of the Australian Information
Commissioner (OAIC) established the NDB scheme as part
of the Privacy Act.
What does this mean for you?
If your business, agency or not-for-profit organisation has
an annual turnover of $3 million, it is now mandatory for
you to report any data breaches to the OAIC.
Additionally, you must notify any individual whose
sensitive information has been accessed and is likely to
be harmed within 30 days of becoming aware of a data
breach.
Why do I need cyber insurance?
If you recall, the introduction to this book gave an
alarming statistic – the average cost a business incurs is
$139 per affected record.
With NDB in place, this average is sure to climb for
compliant businesses due to the now-mandatory notification
and regulatory costs.
Simply put, the damages and consequences from a cyber
attack can significantly hurt your business.
Keep in mind that your costs will be far higher than the
mandatory regulatory costs.
Consider this. If a data breach happens, will you want to
hire a PR firm to mitigate the reputational damage and bad
press?
Of course, you would.
What about the income that lessens due to your customers
not trusting you anymore?
Wouldn’t you need some kind of financial supplement to
keep you from shutting the doors due to no income?
Cyber Insurance attempts to keep your business running
while you deal with the fallout from the breach. Business
Interruption, Media & Relations and more are all covers
available under the policy.
If you don’t have the protection Cyber Insurance provides
against cyber risks, then there is a real chance that you will
be the one who foots the bill from cyber damages along
with any loss of data.
If you are a contractor, you may start to see the
requirement of having a Cyber Liability Insurance policy
included in your future contracts. People are beginning to
realise that a cyber threat is real and everyone wants to be
protected in case anything happens.
Do you:
- Have your employees use computers, smartphones, and/or the internet as part of their jobs?
- Create, keep and use sensitive information from customers, employees and suppliers?
- As a consultant, recommend or implement any security measures for your clients?
If you answered yes to any of those questions, then you
need cyber insurance.
I’m just a small business. Why would hackers want to target me?
According to various studies, at least 45% of all cyber
attacks target small businesses.
Look, the tech giants like Apple, Yahoo, Facebook and
more, all anticipate data breaches and have whole
departments that deal with data security.
A big corporation will have teams of people monitoring
their security and susceptibility to attacks 24/7, and even
they are not immune.
Just think of the Equifax data breach scandal that affected over
143 million Americans.
Small businesses are often targeted because it’s easier.
Their data is less secure, they don’t invest enough (or at all)
in security countermeasures, and they are thus seen as an easier
job for the hackers.
Sometimes, the hackers themselves don’t even
intentionally target you. They may have automated
malware randomly flooding vulnerable systems, and your
business happens to be one of the victims.
COMMON CYBER ATTACKS AND CULPRITS
What are the most common types of cyber attacks?
There is a wide range of methods cyber criminals use to
breach your system and steal your data.
A short list of common techniques these criminals might
use includes malware, phishing, DDOS, SQL Injection, and
Social engineering.
To give you a better understanding of the threats you
could potentially be facing online, here is a
brief overview of each of these methods.
Malware
This is one of the most common ways for cyber criminals
to breach your system.
Malware is harmful software intended to be used
maliciously against your machine; once installed, it can
spread and disable your computer, overload your servers,
and steal your records.
Common types of malware include viruses, ransomware,
worms, and spyware.
Attackers will disguise malware as harmless links or email
attachments to trick you or your staff into clicking.
Once clicked, malware can be used to gain control of your
system, spy on your activities, monitor keystrokes and
passwords, create vulnerabilities to be accessed further or
crash your computer and network.
Phishing
Phishing is a cyber attack where the perpetrator pretends
to be someone else to trick you into providing passwords
or financial details.
They may pretend to be a reputable business or
organization, a regular person who is in a rough situation,
or a group that is in charge of giving you some kind of
prize or award.
DDOS
Short for distributed denial of service, DDOS attacks are
used to crash computers, servers, or networks.
They work by overloading the system with incoming data
from multiple sources; often the attacker will use a group
of people or bots to send repeated information to the
system from numerous different connections.
They might enlist the help of people from a website or else
use various different servers to hit your system from many
entry points.
SQL Injection Attack
Standard query language (SQL) is a management language
that is used to query and handle information within
databases.
In an SQL Injection attack, the attacker will use code to
“trick” a database into providing them sensitive or valuable
information by exploiting vulnerabilities in the system.
Before you have any chance of reacting, the attacker has
copied this information from your database and now has
full access to it.
Imagine if your system stored medical files, credit card
details, or tax file numbers and fell victim to this kind of
attack!
Social engineering
Social engineering involves an elaborate ploy to
manipulate an individual into giving up sensitive
information.
Cyber attackers will use human interaction to coerce
the individual to break procedure and either directly or
indirectly give them access to valuable information.
Attackers often use tactics that, on the surface, seem
completely innocent and harmless but that, in actuality,
can seriously jeopardize the safety of your data.
Who commits cyber crimes?
Cyber crime has evolved dramatically in the last decade.
Back in the 90’s a typical hacker was a lone wolf who wrote
a virus to show everyone what he could do.
These days cyber crime is a “legitimate business” for many
criminal organisations that devote considerable resources
to writing viruses and creating scams to get access to your
private data.
The type of people who commit these crimes go by many
names: Hackers, identity thieves, organized criminals, and
cyber terrorists, just to name a few.
Whatever they are referred to as, these attackers have a
common goal: to steal your data.
The threat, however, can sometimes come from much
closer to home – your data can be stolen by competitors or
your employees, or even exposed through simple human error.
Competitors
This one isn’t hard to believe. The perpetrators can be
your competitors wanting to give themselves an edge over
you.
There are numerous, unethical and creative ways
unscrupulous competitors can try and get access to your
data.
They might contact your employees, use theft or hack into
your computers to get the information and disrupt the
operation of your business.
You can’t underestimate how far a competitor might
be willing to go to gain an advantage. Whatever their
motivation or strategy is, competitors represent a real risk
to your system and your sensitive information.
Employees
Cyber threats aren’t just outside your organisation.
Employees can also pose a threat.
Employees, both past and present, could hijack your
proprietary information to sell it to another party or use it
to start their own business venture.
They might steal important financial data for their own
benefit. Whether they are out for revenge or simply
looking for financial gain, it is essential to have processes
in place to safeguard your data.
Human Error
Data breaches aren’t always the work of cyber criminals.
Sometimes a data breach can simply be a result of basic
human error.
For example, an employee might dispose of paperwork
by throwing it in the bin. Unbeknownst to the employee,
those papers contained valuable information that gets into
the wrong hands.
It’s not uncommon for business owners to completely
underestimate or even ignore the risks posed by members
of their own staff with inside access to their data and key
information.
Another human error example is an employee losing his
work laptop (or it being stolen).
Is it the employee’s fault?
Usually no.
But it can be a severe risk in the wrong hands.
STAYING SAFE ONLINE
Insurance should be seen as the last line of protection for
your business when all other measures fail.
After all, prevention is better than cure.
Insurers also look more favourably upon businesses that
are taking precautions to prevent a data breach, which could
result in better premiums and terms for cover.
You cannot stop a cyber attack because if a criminal really
wants to access your system, they’ll find a way, but you can
make it as hard as you can for them. Often, that would be
enough of a deterrent.
After all, most would rather do a quick hack, get in and get
out, than spend a considerable amount of time and
resources hacking a well-protected business when they don’t
know what they’ll find inside.
Besides having cyber insurance, here are some ways to
minimise the chance of a cyber hack and its damaging aftermath.
Invest in security software
Security software is a must for keeping your data secure
and protecting the information you are responsible for
from cyber attacks.
Security software is a worthwhile investment, and both
antivirus and firewall should be installed to protect you
against the most common forms of cyber attacks.
An antivirus protects you against malware.
A firewall helps prevent any unauthorised access.
Make sure that you are continually upgrading your
software, as newer and more sophisticated viruses and
methods are developed every day.
Antivirus software can only be truly effective when it
is prepared for the latest and most high-risk malware
floating around on the web.
Encrypt your data
Encryption is a simple but highly effective way to make
data harder to access by rendering it unreadable. You’d be
surprised at how much more secure your data can become
using simple encryption software.
Update your software to the latest versions
When software is updated, the developers add code to
protect against the latest forms of cyber attacks. It’s best
to update your software to the latest versions on a regular
basis. Often, vulnerabilities or exploits that were present in
earlier versions will also be patched up by the developers.
Restrict access
For highly sensitive or valuable information, it is a very
good idea to restrict access so that only those who you
trust and who need to see it can use it. After all, it doesn’t
make much sense to let sensitive information be accessed
by people who don’t need to see it, right?
Regular backup
For crashes and other more obvious cyber attacks, regular
backups will be a lifesaver in protecting and restoring your
data against damage or deletion.
Utilize both cloud and physical backups and update
them regularly. This will ensure that your backup is
always relatively current and that you don’t lose any key
information due to an attack.
Regular backup and safe storage of the backup is often
a condition insurers want to see in a business they are
assessing for cover.
Implementing Security Awareness programs
A Security Awareness Program is training that educates your
employees on proper online use, who to
contact if they discover a security threat, and the fact that data is an
important corporate asset.
The Stay Smart Online program, an Australian government
initiative, has collated tips on safe online behaviour
to help you stay secure online. You can get them on the
StaySmartOnline.gov.au website.
Some good precautionary measures for online use would
be to restrict the use of social media during work hours
and to disallow sending work-related data to or from
employees’ personal email.
The time it takes to teach your staff some of
the basics of safe online use is well worth it, given the risks it might
protect your organization against.
Change your password regularly
A very easy way to protect against cyber attacks
is to change your password regularly. Some good
recommendations would be to increase the complexity of
your passwords and to not write them down anywhere.
It’s not at all uncommon for an attacker to gain access to a
system due to an easily hacked password.
THE COST OF CYBER SECURITY
How much damage can a cyber breach do?
According to the findings from the 2017 Cost of Data
Breach Study: Australia conducted by IBM and the
Ponemon Institute, notifications due to a cyber breach
have an average cost of $500,000.
Activities that are involved with notifications include
the building of contact databases, checking to see if the
business meets regulatory requirements, discussing the
breach with outside experts, and miscellaneous costs
related to the communication to those affected.
Those are just the costs of notification activities!
We haven’t even started to factor in other costs related to
the damages.
Additionally, consider these numbers:
- The total cost of a data breach averages out to $2.51 million
- The cost per lost or stolen record is an average of $139
- The financial, services, technology, communications, industrial, and education industries have greater costs due to the sensitive information they use.
Another thing to keep in mind is that the breach is often
not discovered immediately.
Usually the attack runs in the background getting all the
incoming information straight to the bad guy on the other
end.
The longer the attack goes on, the higher the cost.
Multiply those costs by hundreds or thousands of records
and you can see how quickly the numbers grow.
THE HARDEST COST TO QUANTIFY IS THE LOSS OF CUSTOMER TRUST
If you knew your best friend’s data was compromised
because he was doing business with Company A, would
you willingly give them your personal information?
Of course not.
I wouldn’t either.
So that company has already lost you and me as their
potential customers.
It’s easy to see how this could snowball quickly, resulting
in no new customers and reduced or non-existent business
income, all while incurring unexpected expenses.
Recent examples are the worldwide trending
#DeleteFacebook and Mark Zuckerberg in damage control
as a result of the loss of trust. Target and Yahoo! are
other recent examples that made headlines.
There’s no doubt the damage to the trust amongst their
customers would have a negative impact on their business.
How much cyber insurance do I need?
It depends.
Some factors to consider are your industry, how and where
you operate your business, the size of your business and
the type of information you keep.
The limits you need can also be dictated by the contract
requirements you have with your clients or vendors.
How much does cyber liability insurance cost?
Again, it depends.
This is like asking “how much would it cost me to buy a
house?” You can’t give a cookie-cutter answer because
the factors involved are different for everybody. You have
to consider the location of your house, the size of it and
many more factors that are unique for every buyer.
As with buying a house, when purchasing an insurance
policy the cost depends on several factors.
The most important are the size and nature of your
business, as well as the level of cover you wish to have.
The cost of cyber liability insurance is never certain until
your risks are properly reviewed by the underwriters;
however, a rough, indicative starting range of cyber
insurance premiums can be between $900 and $2,500, for
cover between $500,000 and $2 million for a small business.
Corporate businesses that have larger operations or operate across
borders will have much greater costs, but they also have a
great deal to lose.
It may seem like an unnecessary cost, but the cost of the
yearly premium is so much less than what a business
would have to pay if an incident were to happen.
WHAT DOES CYBER INSURANCE COVER?
First party damages
This covers the costs incurred by your business.
It’s important because it provides you the money needed
to respond to a breach and get you back to operating at the
same level before the breach occurred.
A policy can include:
Privacy Notification & Crisis Management Expenses
- Notification of the data breach to those affected. A vital cover for the cost of complying with the new NDB scheme.
- Hiring a forensic firm to investigate the breach.
- Hiring a PR firm to manage the bad press and restore your customers’ faith.
- Providing credit monitoring to those affected.
MULTIPLE BREACHES
A travel agency with 4 locations experienced 3 separate
breaches over a year’s period. Over 250,000 records were
compromised including credit card and passport information.
The Cyber Liability policy paid $1.75M in forensic and legal
costs and the cost of notifying those affected.
Business Interruption Costs
This covers your loss as a result of a hack and the cost of getting you
back in business again.
- Loss of income - compensating the business for lost income while it is dealing with the fallout from the breach.
- The cost of data recovery and system restoration.
- Extortion and ransom payments – payments to the extortionist that is holding your data hostage or is threatening an attack.
Social engineering damages
A cyber insurance policy can cover offline damages
sustained due to the use of deception in manipulating
individuals into divulging confidential, personal
information which can be used for illicit purposes.
Third party liability costs
This covers the costs you will incur to compensate those
that have been negatively affected as a result of your
system being breached.
Let me demonstrate. Imagine your business was to clean
one-of-a-kind widgets. You take the widget from the
customer to be cleaned at your workshop. Overnight, a
fire starts and destroys the dirty, but functioning, widget.
You are liable for the costs to replace the widget. However,
you may also be liable for the costs incurred by the client
as a result of losing the widget.
A Cyber Policy works in a similar way – the third party
portion of the cover protects your business against legal
action and costs incurred by others as a result of their data
being compromised while in your possession.
Multimedia costs
Coverage can extend to social media damages; for
instance, libel and slander. Additionally, it can also cover
the costs of copyright infringement.
SHOPPING, INTERRUPTED
A large online retailer’s ($5M turnover) website was hacked
and included a link to a competitor’s website when the hackers
got access to their customers’ sensitive data. The Business
Interruption portion of the policy paid $800,000 to repair
the website, comply with regulations and notify affected
individuals.
It’s important to look through a policy and see if it meets
any needs you might have in this area.
What should I look for in a cyber insurance policy?
It is vital that you understand the definitions and wordings
within the agreement. Some of the covers we discussed
may not be included in a package. One insurer might
define something as a cyber event while another would
not.
Other important details to note are limits, sub-limits, and
time frames.
Finally, you will want to consider the unique risks to your
business, what exclusions are present in the policy, and
whether or not you want to consider extensions for third
parties.
Businesses that need more.
Some businesses, due to their real or perceived level of
risk, will be more difficult to organize a policy for.
Examples of types of businesses that are included in this
category are adult content sites, application development,
credit card processing sites, government and medical
professions with a large number of records, online retailers
with a large online presence and restaurant franchises.
BUT I ALREADY HAVE INSURANCE
I have public liability insurance. Doesn’t it cover cyber crime?
Yes and no.
While there are certainly some business insurance policies
that cover cyber-related instances, there are also many that
don’t.
Even with a cyber liability endorsement to a liability
policy, you will never get the same limits that you would
with a standalone Cyber policy.
Typically, the endorsements have an aggregate limit of
$50,000 which will vanish very quickly leaving you to foot
the rest of the bill.
Also, the extension endorsements often do not include
first party cover - basically you may not be covered for PR
/ Media relations cost, forensic investigation and incidents
covered by multimedia cover or social engineering cover.
My financial officer organises our insurance. What’s there to be concerned about?
While financial officers play a very important and
necessary role in a company, it’s worth keeping in mind
that their performance may be measured in terms of
saving money.
As a result, they may opt for the cheaper insurance policy
that doesn’t adequately cover your business against cyber
risks in order to meet their cost objectives.
As the director, you could be the one held accountable in
case of a data breach and subsequent lawsuit. Because of
this, you are going to want to make sure you are covered
for events like a cyber breach.
My IT people say my system is rock solid. Is there any reason to worry?
While they may truly believe that’s the case (in which
case, get their word in writing so that they will accept
responsibility in the event of a breach), the fact of the
matter is that no system, no matter how secure, is immune
to breaches or vulnerabilities.
You also might want to review your agreement with your
IT service providers and see what happens in case of a
breach.
It’s a good idea to have clarity in your contract and find
out exactly what would happen were your system to be
exploited.
GETTING CYBER PROTECTED
How do I get a cyber insurance quote?
Our process for getting you a quote has been streamlined
and made very easy.
For most small businesses, getting a quote can be started
here with our online quote request.
We genuinely believe it’s one of the most important covers
a business can have, and we are on a mission to bring
awareness of those risks, and of how a Cyber Policy can solve
them, to every business we can.
Because not every business is the same, we will have a
necessary conversation where we find out more about your
operation and your risks, and verify any additional information
an insurer will ask for to provide the quote. Then we’ll take it
from there and present you with a proposal, approved by
one of our highly rated insurers.
Please contact us at 0456 456 085.
Which product is right for me?
With the influx of new products on the Australian market,
it can be difficult to know which one is the right fit for your
business.
This is a situation where having an experienced insurance
broker can pay off.
Once we get an adequate understanding of your business’s
particular cyber risks, needs, and goals, we will work hard
to match your requirements with the right product and
insurer.
We will be your guide in the confusing (and new) world of
Cyber Liability Insurance.
READY FOR A QUOTE?
Conclusion
At the end of the day, there are numerous high-cost risks
being posed to nearly every business in the world by cyber
attackers. Your business could potentially be facing huge
issues with data breaches and system attacks.
No system can be 100% protected from these kinds of risks,
and no business can spend all of their time monitoring
their computers and data to make sure everything is fine.
It makes much more sense to simply take out a cyber
insurance policy so that, if such a breach or cyber event
were to happen, you know your business would not be
financially culpable for the damages.
Contact us today, and we will show you your options and
set you up with the right policy for your business. We
will make sure that you have peace of mind that your
business is protected in the event of a cyber attack.
About The Author
John Catibog is the director of
Indagard Insurance Services. He
has a degree in Computer Science
from Deakin University and is an
experienced insurance broker with
in-depth knowledge of today’s
insurance marketplace.
Phone: 0456 456 085
hello@indagard.com.au
www.indagard.com.au
Have you ever wondered if you’re getting the best insurance
cover for you at the best price? Or felt that your insurance broker
shouldn’t take that long to respond to your email?
As a business owner, you’re constantly juggling, every single day.
Staff to manage, marketing strategies to implement and financials
to deal with are just some of the balls in the air.
Business insurance is an essential part of your business’ financial
stability but getting different quotes, comparing prices, researching
the covers is time consuming.
Let us free up your time so you can focus on running your
business.
Indagard Insurance Services
www.indagard.com.au
Call: 0456 456 085
Email: hello@indagard.com.au
Write:	 PO Box 155
		 Flemington Vic 3031
References
The Office of the Australian Information Commissioner (2018), Notifiable Data Breaches scheme, https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
Ponemon Institute (2017), 2017 Ponemon Cost of Data Breach Study, https://www.ibm.com/security/au/en/data-breach/
Rapid7, Common Types of Cybersecurity Attacks, https://www.rapid7.com/fundamentals/types-of-attacks/
Stay Smart Online (2018), Security Awareness Implementation Guide, https://www.staysmartonline.gov.au/get-involved/guides/security-awareness-implementation-guide
Simpson, K. (2017), Top 10 Tips for Data Theft Prevention, Inc., https://www.inc.com/thehartford/10-data-theft-prevention-tips.html
Dual Australia (2014), DUAL CLAIMS EXAMPLES - CYBER & PRIVACY PROTECTION, http://www.athoc.com.au/news-and-info/athoc-content/uploads/2014/10/Dual-Cyber-Privacy-Protection-Claims-Examples-03-14.pdf
Birkett, R. (2018), Business Law Breakfast on Privacy, Aitken Partners, Lecture 7 March 2018
Joseph, M. (2018), Austbrokers Cyber Pro, Austbrokers Cyber Pro Pty Ltd, Lecture 22 March 2018

A Guide To Cyber Insurance

  • 1. HOW TO STAY PROTECTED AGAINST CYBER THREATS
  • 2. A CYBER INSURANCE GUIDE - PAGE 3  INDAGARD INSURANCE SERVICES Copyright © 2018 John Catibog Disclaimer: This publication is for information purposes only. The information in this publication does not take into account the objectives, financial situation or needs of any person and should not be taken as advice. Before making any decision, please consult with a qualified professional.
  • 3. A CYBER INSURANCE GUIDE - PAGE 2  INDAGARD INSURANCE SERVICES CONTENTS INTRODUCTION 4 MANDATORY DATA BREACH SCHEME 7 COMMON CYBER ATTACKS AND CULPRITS 12 STAYING SAFE ONLINE 19 THE COST OF CYBER SECURITY 24 WHAT DOES CYBER INSURANCE COVER? 29 BUT I ALREADY HAVE INSURANCE 34 GETTING CYBER PROTECTED 37
  • 4. A CYBER INSURANCE GUIDE - PAGE 3  INDAGARD INSURANCE SERVICES Did you know that 60% of businesses close down within 6 months of a data breach incident?
  • 5. A CYBER INSURANCE GUIDE - PAGE 4  INDAGARD INSURANCE SERVICES Introduction Insurance is an essential item on any business’s balance sheet. Depending on the industry you are in, your clients, vendors and/or the government may require you to carry certain types of insurance. Chances are that you are well familiar with these: public liability cover, builders insurance, commercial auto, key person insurance, just to name a few. In this e-book, however, we will shed light on a different type of insurance that is becoming more and more critical. With data breaches on the rise, Cyber Insurance is the type of insurance that deserves your attention. It is not contractually required (yet) in most cases but the lack of it can (and most possibly will) have devastating consequences. We’ll take an in-depth look at what cyber insurance is, the covers it provides and the privacy laws that impact you. Not only will we look at Cyber Insurance but we’ll also discuss the most common cyber attacks/hacks you could face.
  • 6. A CYBER INSURANCE GUIDE - PAGE 5  INDAGARD INSURANCE SERVICES According to Ponemon Institute, an average cost Australian business incurs, is $139 per affected record. If you had just a 1000 records (that could include customer information, vendor information, email subscribers, anyone who signed up to your website with a password), your average cost would be $139,000. Do you have this money set aside to cover a cyber breach incident? If not, read on. What exactly is cyber insurance? Cyber Insurance is designed to help offset your costs in the event of a data breach. Like any other insurance, it’s a risk mitigation technique that allows you to transfer some of that risk to the insurance company. Let’s face it; every business nowadays uses technology. Whether you sell online, or simply have your customer information on a server in a cloud, if your computer is connected to the internet, the data is at risk.
  • 7. A CYBER INSURANCE GUIDE - PAGE 6  INDAGARD INSURANCE SERVICES The truth is, the data you are responsible for is never 100% secure, and hackers make it their mission to breach your computer’s defences. Technology has massively changed the way business is done today. While technology in business has many advantages, it has opened the door to many new dangers and risks that didn’t exist before the digital era. You may be a local business, but your reach is global the moment you’re online and at risk. Cyber insurance will cover costs associated with notifying the individuals whose data has been stolen, forensic investigation costs and will protect you from lawsuits by people affected by the data breach whose records you were responsible for. Of course, no policy is the same, so it’s important to look at each quote you receive to determine what exactly is covered.
  • 8. A CYBER INSURANCE GUIDE - PAGE 7  INDAGARD INSURANCE SERVICES MANDATORY NOTIFICATION DATA BREACH SCHEME
  • 9. A CYBER INSURANCE GUIDE - PAGE 8  INDAGARD INSURANCE SERVICES Are there any laws that make Cyber Insurance necessary? The new Notification Data Breach (NDB) scheme has changed the requirements for companies and agencies in protecting the Personal Identifiable Information (PII) they collect and store. This new law made Cyber Insurance even more critical as there are new (costly) obligations to deal with if the breach happens. On February 22, the Office of the Australian Information Commissioner (OAIC) established the NDB scheme as part of the Privacy Act. What does this mean for you? If your business, agency or non-for-profit organisation has an annual turnover of $3 million, it is now mandatory for you to report any data breaches to the OAIC. Additionally, you must notify any individual whose sensitive information has been accessed and is likely to be harmed within 30 days of becoming aware of a data breach.
  • 10. A CYBER INSURANCE GUIDE - PAGE 9  INDAGARD INSURANCE SERVICES Why do I need cyber insurance? If you recall, the introduction to this book gave an alarming statistic – an average cost the business incurs, is $139 per affected record. With NDB in place, this average is sure to climb up for compliant businesses due to now mandatory notification and regulatory costs. Simply put, the damages and consequences from a cyber attack can significantly hurt your business. Keep in mind, that your costs will be far higher than the mandatory regulatory costs. Consider this. If the data breach happens, will you want to hire a PR firm to mitigate the reputational damage and bad press? Of course, you would. What about the income that lessens due to your customers not trusting you anymore? Wouldn’t you need some kind of financial supplement to keep you from shutting the doors due to no income? Cyber Insurance attempts to keep your business running while you deal with the fallout from the breach. Business
  • 11. A CYBER INSURANCE GUIDE - PAGE 10  INDAGARD INSURANCE SERVICES Interruption, Media & Relations and more are all covers available under the policy. If you don’t have the protection Cyber Insurance provides against cyber risks, then there is a real chance that you will be the one who foots the bill from cyber damages along with any loss of data. If you are a contractor, you may start to see the requirement of having a Cyber Liability Insurance policy included in your future contracts. People are beginning to realise that a cyber threat is real and everyone wants to be protected in case anything happens. Do you:  Have your employees use computers, smartphones, and/or the internet as part of their jobs?  Create, keep and use sensitive customer information from customers, employees and suppliers?  As a consultant recommend or implement any security measures for your client? If you answered yes to any of those questions, then you need cyber insurance.
  • 12. A CYBER INSURANCE GUIDE - PAGE 11  INDAGARD INSURANCE SERVICES I’m just a small business. Why would hackers want to target me? According to various studies, at least 45% of all cyber attacks target small businesses. Look, the tech giants like Apple, Yahoo, Facebook and more, all anticipate data breaches and have whole departments that deal with data security. A big corporation will have teams of people monitoring their security and susceptibility to attacks 24/7, and even they are not immune. Just think of Equifax data breach scandal that affected over 143 million Americans. Small businesses are often targeted because it’s easier. Their data is less secure, they don’t invest enough (or at all) into security countermeasures and thus is seen as an easier job for the hackers. Sometimes, the hackers themselves don’t even intentionally target you. They may have automated malware randomly flooding vulnerable systems, and your business happens to be one of the victims.
  • 13. A CYBER INSURANCE GUIDE - PAGE 12  INDAGARD INSURANCE SERVICES COMMON CYBER ATTACKS AND CULPRITS
  • 14. A CYBER INSURANCE GUIDE - PAGE 13  INDAGARD INSURANCE SERVICES What are the most common types of cyber attacks? There is a wide range of methods cyber criminals use to breach your system and steal your data. A short list of common techniques these criminals might use includes malware, phishing, DDOS, SQL Injection, and Social engineering. To give you a better understanding of the threats you could potentially be facing online, please see below the brief overview of each of these methods. Malware This is one of the most common ways for cyber criminals to breach your system. Malware is a harmful software intended to be used maliciously against your machine; once installed, it can spread and disable your computer, overload your servers, and steal your records. Common types of malware include viruses, ransomware, worms, and spyware. Attackers will disguise malware as harmless links or email attachments to trick you or your staff into clicking.
  • 15. A CYBER INSURANCE GUIDE - PAGE 14  INDAGARD INSURANCE SERVICES Once clicked, malware can be used to gain control of your system, spy on your activities, monitor keystrokes and passwords, create vulnerabilities to be accessed further or crash your computer and network. Phishing Phishing is a cyber attack where the perpetrator pretends to be someone else to trick you into providing passwords or financial details. They may pretend to be a reputable business or organization, a regular person who is in a rough situation, or a group that is in charge of giving you some kind of prize or award. DDOS Short for distributed denial of service, DDOS attacks are used to crash computers, servers, or networks. They work by overloading the system with incoming data from multiple sources; often the attacker will use a group of people or bots to send repeated information to the system from numerous different connections. They might enlist the help of people from a website or else use various different servers to hit your system from many entry points.
  • 16. A CYBER INSURANCE GUIDE - PAGE 15  INDAGARD INSURANCE SERVICES SQL Injection Attack Standard query language (SQL) is a management language that is used to query and handle information within databases. In an SQL Injection attack, the attacker will use code to “trick” a database into providing them sensitive or valuable information by exploiting vulnerabilities in the system. Before you have any chance of reacting, the attacker has copied this information from your database and now has full access to it. Imagine if your system stored medical files, credit card details, or tax file numbers and fell victim to this kind of attack! Social engineering Social engineering involves an elaborate ploy to manipulate an individual into giving up sensitive information. Cyber attackers will use human interaction to coerce the individual to break procedure and either directly or indirectly give them access to valuable information. Attackers often use tactics that, on the surface, seem completely innocent and harmless but that, in actuality, can seriously jeopardize the safety of your data.
  • 17. A CYBER INSURANCE GUIDE - PAGE 16  INDAGARD INSURANCE SERVICES Who commits cyber crimes? Cyber crime has evolved dramatically in the last decade. Back in the 90’s a typical hacker was a lone wolf who wrote a virus to show everyone what he could do. These days cyber crime is a “legitimate business” for many criminal organisations that devote considerable resources to writing viruses and creating scams to get access to your private data. The type of people who commit these crimes go by many names: Hackers, identity thieves, organized criminals, and cyber terrorists, just to name a few. Whatever they are referred to as, these attackers have a common goal: to steal your data. The threat, however, can sometimes come from much closer to home – your data can be stolen by competitors, your employees, or even be a simple human error. Competitors This one isn’t hard to believe. The perpetrators can be your competitors wanting to give themselves an edge over you. There are numerous, unethical and creative ways
  • 18. A CYBER INSURANCE GUIDE - PAGE 17  INDAGARD INSURANCE SERVICES unscrupulous competitors can try and get access to your data. They might contact your employees, use theft or hack into your computers to get the information and disrupt the operation of your business. You can’t underestimate how far a competitor might be willing to go to gain an advantage. Whatever their motivation or strategy is, competitors represent a real risk to your system and your sensitive information. Employees Cyber threats aren’t just outside your organisation. Employees can also pose a threat. Employees, both past, and present, could hijack your proprietary information to sell it to another party or use it to start their own business venture. They might steal important financial data for their own benefit. Whether they are out for revenge or simply looking for financial gain, it is essential to have processes in place to safeguard your data. Human Error Data breaches aren’t always the work of cyber criminals. Sometimes a data breach can simply be a result of basic human error.
  • 19. A CYBER INSURANCE GUIDE - PAGE 18  INDAGARD INSURANCE SERVICES For example, an employee might dispose of paperwork by throwing it in the bin. Unbeknownst to the employee, those papers contained valuable information that gets into the wrong hands. It’s not uncommon for business owners to completely underestimate or even ignore the risks posed by members of their own staff with inside access to their data and key information. Another human error example is an employee losing his work laptop (or it being stolen). Is it employee’s fault? Usually no. But it can be a severe risk in the wrong hands.
  • 20. A CYBER INSURANCE GUIDE - PAGE 19  INDAGARD INSURANCE SERVICES STAYING SAFE ONLINE
  • 21. A CYBER INSURANCE GUIDE - PAGE 20  INDAGARD INSURANCE SERVICES Insurance should be seen as the last line of protection for your business when all other measures fail. After all, prevention is better than cure. Insurers also look more favourably upon businesses that are taking precautions to prevent a data breach and could result in better premiums and terms for cover. You cannot stop a cyber attack because if a criminal really wants to access your system, they’ll find a way, but you can make it as hard as you can for them. Often, that would be enough of a deterrent. After all, most would rather do a quick hack, get in and get out rather than spending considerable amount of time and resources hacking a well protected business that they don’t know what they’ll find in. Besides having cyber insurance, here are some ways to minimise a cyber hack and the damaging aftermath. Invest in security software Security software is a must for keeping your data secure and protecting the information you are responsible for from cyber attacks. Security software is a worthwhile investment, and both antivirus and firewall should be installed to protect you
  • 22. A CYBER INSURANCE GUIDE - PAGE 21  INDAGARD INSURANCE SERVICES against the most common forms of cyber attacks. An antivirus protects you against malware. A firewall helps prevent any unauthorised access. Make sure that you are continually upgrading your software, as newer and more sophisticated viruses and methods are developed every day. Antivirus software can only be truly effective when it is prepared for the latest and most high-risk malware floating around on the web. Encrypt your data Encryption is a simple but highly effective way to make data harder to access by hiding its readability. You’d be surprised at how much more secure your data can become using simple encryption software. Update your software to the latest versions When software is updated, the developers add code to protect against the latest forms of cyber attacks. It’s best to update your software to the latest versions on a regular basis. Often, vulnerabilities or exploits that were present in earlier versions will also be patched up by the developers.
  • 23. A CYBER INSURANCE GUIDE - PAGE 22  INDAGARD INSURANCE SERVICES Restrict access For highly sensitive or valuable information, it is a very good idea to restrict access so that only those who you trust and who need to see it can use it. After all, it doesn’t make much sense to let sensitive information be accessed by people who don’t need to see it, right? Regular backup For crashes and other more obvious cyber attacks, regular backups will be a lifesaver in protecting and restoring your data against damage or deletion. Utilize both cloud and physical backups and update them regularly. This will ensure that your backup is always relatively current and that you don’t lose any key information due to an attack. Regular backup and safe storage of the backup is often a condition insurers want to see in a business they are assessing for cover. Implementing Security Awareness programs Security Awareness Program is a training for your employees to educate them on proper online use, who to contact if they discover a security threat and that data is an important corporate asset.
  • 24. A CYBER INSURANCE GUIDE - PAGE 23  INDAGARD INSURANCE SERVICES Stay Smart Online program, an Australian government initiative, has collated tips on safe online behaviour to help you stay secure online. You can get it on the StaySmartOnline.gov.au website. Some good precautionary measures for online use would be to restrict the use of social media during work hours and disallowing sending work-related data to/from employee’s personal email. The amount of time it takes to teach your staff some of the basics of safe online use is well worth the risks it might protect your organization against. Change your password regularly A very easy way to protect against cyber attacks is to change your password regularly. Some good recommendations would be to increase the complexity of your passwords and to not write them down anywhere. It’s not at all uncommon for an attacker to gain access to a system due to an easily hacked password.
  • 25. THE COST OF CYBER SECURITY
  • 26. How much damage can a cyber breach do?
    According to the findings from the 2017 Cost of Data Breach Study: Australia conducted by IBM and the Ponemon Institute, notifications due to a cyber breach have an average cost of $500,000.

    Activities that are involved with notifications include the building of contact databases, checking to see if the business meets regulatory requirements, discussing the breach with outside experts, and miscellaneous costs related to the communication to those affected.

    Those are just the costs of notification activities! We haven’t even started to factor in other costs related to the damages. Additionally, consider these numbers:
    - The total cost of a data breach averages out to $2.51 million
    - The cost per lost or stolen record is an average of $139
    - The financial, services, technology, communications, industrial, and education industries have greater costs due to the sensitive information they use.
  • 27. Another thing to keep in mind is that the breach is often not discovered immediately. Usually the attack runs in the background, sending all the incoming information straight to the bad guy on the other end. The longer the attack runs, the higher the cost. Multiply those costs by hundreds or thousands of records and you can see how quickly the numbers grow.

    THE HARDEST COST TO QUANTIFY IS THE LOSS OF CUSTOMER TRUST
    If you knew your best friend’s data was compromised because he was doing business with Company A, would you willingly give them your personal information? Of course not. I wouldn’t either. So that company has already lost you and me as their potential customers. It’s easy to see how this could snowball quickly, resulting in no new customers, reduced or non-existent business
  • 28. income all while incurring unexpected expenses.

    Recent examples are the worldwide-trending #DeleteFacebook and Mark Zuckerberg in damage control as a result of the loss of trust. Target and Yahoo! are other recent examples that made headlines. There’s no doubt the damage to the trust amongst their customers would have a negative impact on their business.

    How much cyber insurance do I need?
    It depends. Some factors to consider are your industry, how and where you operate your business, the size of your business and the type of information you keep. The limits you need can also be dictated by the contract requirements you have with your clients or vendors.
  • 29. How much does cyber liability insurance cost?
    Again, it depends. This is like asking “how much would it cost me to buy a house?” You can’t give a cookie-cutter answer because the factors involved are different for everybody. You have to consider the location of your house, the size of it and many more factors that are unique for every buyer.

    As with buying a house, when purchasing an insurance policy the cost depends on several factors. The most important are the size and nature of your business, as well as the level of cover you wish to have.

    The cost of cyber liability insurance is never certain until your risks are properly reviewed by the underwriters. However, a rough, indicative starting range of cyber insurance premiums can be between $900 and $2,500, for cover between $500,000 and $2 million for a small business. Corporate businesses that have larger operations or operate across borders will have much greater costs, but they also have a great deal to lose.

    It may seem like an unnecessary cost, but the cost of the yearly premium is so much less than what a business would have to pay if an incident were to happen.
  • 30. WHAT DOES CYBER INSURANCE COVER?
  • 31. First party damages
    This covers the costs incurred by your business. It’s important because it provides you the money needed to respond to a breach and get you back to operating at the same level as before the breach occurred. A policy can include:

    Privacy Notification & Crisis Management Expenses
    - Notification of the data breach to those affected. A vital cover for the cost of complying with the new NDB scheme.
    - Hiring a forensic firm to investigate the breach.
    - Hiring a PR firm to manage the bad press and restore your customers’ faith.
    - Providing credit monitoring to those affected.

    MULTIPLE BREACHES
    A travel agency with 4 locations experienced 3 separate breaches over a year’s period. Over 250,000 records were compromised including credit card and passport information. The Cyber Liability policy paid $1.75M in forensic and legal costs and the cost of notifying those affected.
  • 32. Business Interruption Costs
    This covers your loss as a result of a hack and the cost of getting you back in business again.
    - Loss of income - compensating the business for lost income while it is dealing with the fallout from the breach.
    - The cost to recover the data and system restoration.
    - Extortion and ransom payments – payments to the extortionist who is holding your data hostage or is threatening an attack.

    Social engineering damages
    A cyber insurance policy can cover offline damages sustained due to the use of deception in manipulating individuals into divulging confidential, personal information which can be used for illicit purposes.

    Third party liability costs
    This covers the costs you will incur to compensate those that have been negatively affected as a result of your system being breached.

    Let me demonstrate. Imagine your business was to clean
  • 33. one-of-a-kind widgets. You take the widget from the customer to be cleaned at your workshop. Overnight, a fire starts and destroys the dirty, but functioning, widget. You are liable for the costs to replace the widget. However, you may also be liable for the costs incurred by the client as a result of losing the widget.

    A Cyber Policy works in a similar way: the third party portion of the cover protects your business against legal action and costs incurred by others as a result of their data being compromised in your possession.

    Multimedia costs
    Coverage can extend to social media damages; for instance, libel and slander. Additionally, it can also cover the costs of copyright infringement.

    SHOPPING, INTERRUPTED
    A large online retailer’s ($5M turnover) website was hacked and included a link to a competitor’s website when the hackers got access to their customers’ sensitive data. The Business Interruption portion of the policy paid $800,000 to repair the website, comply with regulations and notify affected individuals.
  • 34. It’s important to look through a policy and see if it meets any needs you might have in this area.

    What should I look for in a cyber insurance policy?
    It is vital that you understand the definitions and wordings within the agreement. Some of the covers we discussed may not be included in a package. One insurer might define something as a cyber event while another would not. Other important details to note are limits, sub-limits, and time frames.

    Finally, you will want to consider the unique risks to your business, what exclusions are present in the policy, and whether or not you want to consider extensions for third parties.

    Businesses that need more
    For some businesses, due to their real or perceived level of risk, it will be more difficult to organize a policy. Examples of types of businesses that are included in this category are adult content sites, application development, credit card processing sites, government and medical professions with a large number of records, online retailers with a large online presence and restaurant franchises.
  • 35. BUT I ALREADY HAVE INSURANCE
  • 36. I have public liability insurance. Doesn’t it cover cyber crime?
    Yes and no. While there are certainly some business insurance policies that cover cyber-related instances, there are also many that don’t.

    Even with a cyber liability endorsement to a liability policy, you will never get the same limits that you would with a standalone Cyber policy. Typically, the endorsements have an aggregate limit of $50,000 which will vanish very quickly leaving you to foot the rest of the bill.

    Also, the extension endorsements often do not include first party cover - basically you may not be covered for PR / Media relations cost, forensic investigation and incidents covered by multimedia cover or social engineering cover.

    My financial officer organises our insurance. What’s there to be concerned about?
    While financial officers play a very important and necessary role in a company, it’s worth keeping in mind
  • 37. that their performance may be measured in terms of saving money. As a result, they may opt for the cheaper insurance policy that doesn’t adequately cover your business against cyber risks in order to meet their cost objectives.

    As the director, you could be the one held accountable in case of a data breach and subsequent lawsuit. Because of this, you are going to want to make sure you are covered for events like a cyber breach.

    My IT people say my system is rock solid. Is there any reason to worry?
    While they may truly believe that’s the case (in which case, get their word in writing so that they will accept responsibility in the event of a breach), the fact of the matter is that no system, no matter how secure, is immune to breaches or vulnerabilities.

    You also might want to review your agreement with your IT service providers and see what happens in case of a breach. It’s a good idea to have clarity in your contract and find out exactly what would happen were your system to be exploited.
  • 38. GETTING CYBER PROTECTED
  • 39. How do I get a cyber insurance quote?
    Our process for getting you a quote has been streamlined and is made very easy. For most small businesses, getting a quote can be started here with our online quote request.

    We genuinely believe it’s one of the most important covers a business can have, and we are on a mission to bring awareness of those risks, and of how a Cyber Policy can solve them, to every business we can.

    Because not every business is the same, we will have a necessary conversation where we find out more about your operation and your risks, and verify any additional information an insurer will ask for to provide the quote. Then we’ll take it from there and present you with a proposal, approved by one of our highly rated insurers. Please contact us at 0456 456 085.

    Which product is right for me?
    With the influx of new products on the Australian market, it can be difficult to know which one is the right fit for your business.
  • 40. This is a situation where having an experienced insurance broker can pay off. Once we get an adequate understanding of your business’s particular cyber risks, needs, and goals, we will work hard to match your requirements with the right product and insurer.

    We will be your guide in the confusing (and new) world of Cyber Liability Insurance.

    READY FOR A QUOTE?
  • 41. Conclusion
    At the end of the day, there are numerous high-cost risks being posed to nearly every business in the world by cyber attackers. Your business could potentially be facing huge issues with data breaches and system attacks.

    No system can be 100% protected from these kinds of risks, and no business can spend all of its time monitoring its computers and data to make sure everything is fine. It makes much more sense to simply take out a cyber insurance policy so that, if such a breach or cyber event were to happen, you know your business would not be financially culpable for the damages.

    Contact us today, and we will show you your options and set you up with the right policy for your business. We will make sure that you have peace of mind that your business is protected in the event of a cyber attack.
  • 42. About The Author
    John Catibog is the director of Indagard Insurance Services. He has a degree in Computer Science from Deakin University and is an experienced insurance broker with in-depth knowledge of today’s insurance marketplace.

    Phone: 0456 456 085
    hello@indagard.com.au
    www.indagard.com.au
  • 43. Have you ever wondered if you’re getting the best insurance cover for you at the best price? Or felt that your insurance broker shouldn’t take that long to respond to your email?

    As a business owner, you’re constantly juggling, every single day. Staff to manage, marketing strategies to implement and financials to deal with are just some of the balls in the air.

    Business insurance is an essential part of your business’ financial stability, but getting different quotes, comparing prices and researching the covers is time-consuming. Let us free up your time so you can focus on running your business.

    Indagard Insurance Services
    www.indagard.com.au
    Call: 0456 456 085
    Email: hello@indagard.com.au
    Write: PO Box 155 Flemington Vic 3031
  • 44. References
    The Office of the Australian Information Commissioner (2018), Notifiable Data Breaches scheme, https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
    Ponemon Institute (2017), 2017 Ponemon Cost of Data Breach Study, https://www.ibm.com/security/au/en/data-breach/
    Rapid7, Common Types of Cybersecurity Attacks, https://www.rapid7.com/fundamentals/types-of-attacks/
    Stay Smart Online (2018), Security Awareness Implementation Guide, https://www.staysmartonline.gov.au/get-involved/guides/security-awareness-implementation-guide
    Simpson, K. (2017), Top 10 Tips for Data Theft Prevention, Inc., https://www.inc.com/thehartford/10-data-theft-prevention-tips.html
    Dual Australia (2014), DUAL CLAIMS EXAMPLES - CYBER & PRIVACY PROTECTION, http://www.athoc.com.au/news-and-info/athoc-content/uploads/2014/10/Dual-Cyber-Privacy-Protection-Claims-Examples-03-14.pdf
    Birkett, R. (2018), Business Law Breakfast on Privacy, Aitken Partners, Lecture 7 March 2018
    Joseph, M. (2018), Austbrokers Cyber Pro, Austbrokers Cyber Pro Pty Ltd, Lecture 22 March 2018