A leading figure in the field of cyber insurance has warned brokers about an emerging area of risk, saying exposure is set to explode within the next few years.

Gerry Power, national head of cyber sales for Emergence Insurance, recently wrote for Insurance Business Australia: “What we’re going to see in the next three to five years is the mainstreaming of Internet of Things (IoT) devices.” He went on to say, “That’s going to create a whole new area of exposure and that’s going to be something that brokers, businesses, and insurers all need to adapt to as the world around us changes.”

IoT involves extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet, and they can be remotely monitored and controlled.

Consumer connected devices include smart TVs, smart speakers, toys, wearables and smart appliances. Smart meters, commercial security systems and smart city technologies — such as those used to monitor traffic and weather conditions — are examples of industrial and enterprise IoT devices. Other technologies, including smart air conditioning, smart thermostats, smart lighting and smart security, span home, enterprise and industrial uses.

In a smart home, for example, a user arrives home and their car communicates with the garage to open the door. Once inside, the thermostat is already adjusted to their preferred temperature, and the lighting is set to a lower intensity and their chosen colour for relaxation.

The article stated that one study by telecommunications giant Ericsson projected that there will be around 29 billion connected devices by 2022, of which 18 billion will be related to IoT.

“These days, we are operating in what I call a ‘plug-and-play’ environment where you just buy a device, plug it in and it works – but the trouble is security,” said Power.

“These products have all got settings that can be adjusted but if a customer or business uses them without changing the default username and password then all a criminal has to do is run an algorithm to find any devices in the area which are still operating on the default settings,” he explained.

Power also stresses that, with the rapid expansion of IoT devices, brokers play an integral role in educating their clients on the risks they face.

“The insurance broker is the trusted advisor to businesses and it’s their role to make sure clients are aware of their exposure,” he said.


The Office of the Australian Information Commissioner (OAIC) has received 242 notifications under the Notifiable Data Breaches (NDB) scheme in the period 1 April to 30 June 2018, according to the second quarterly statistical report on data breach notifications received under the scheme, released today. This is the first full quarter of operation of the NDB scheme since it commenced on 22 February 2018.

The growing number of notifications under the scheme demonstrates an awareness by entities of their obligations to notify the OAIC and affected individuals where a breach of personal information is likely to result in serious harm. Since the scheme commenced on 22 February 2018, the OAIC has received 305 notifications in total.

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said: ‘Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met. Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.

‘Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.

‘The OAIC continues to work with entities to ensure compliance with the scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance.’

According to the report, human error (88 notifications or 36%) continues to be a major cause of the breaches, with the most common human error being emails containing personal information sent to the wrong recipient. The risks of these types of data breaches can be greatly reduced by ensuring that staff responsible for handling personal information receive regular training.

Key Statistics From The Report Include:

  • A total of 242 notifications were made under the NDB scheme in the quarter. In the January to March 2018 quarter, 63 notifications were received. (This was a partial reporting period due to the scheme commencing on 22 February 2018.)
  • Of the 242 notifications in this quarter, the primary source of breaches was malicious or criminal attacks (142 notifications or 59 per cent), followed by human error (88 notifications or 36 per cent) and system faults (12 notifications or 5 per cent).
  • The report shows that the majority of malicious or criminal breaches reported were cyber incidents, linked to the compromise of credentials (user names and passwords).
  • The most common human errors were:
    • An email containing personal information sent to the wrong recipient (22 notifications)
    • Unintended release or publication of personal information (12 notifications)
    • Personal information sent by mail to the wrong mail recipient (10 notifications)
  • Most data breaches involved the personal information of 100 or fewer individuals (148 notifications or 61 per cent of breaches). Thirty-eight per cent (or 93 reported breaches) impacted ten or fewer people.
  • The private health sector is the top sector for reporting data breaches under the Australian NDB scheme with 49 notifications in the quarter (noting that these notifications do not relate to the My Health Records system), followed by the finance sector with 36 notifications.


How Will A Cyber Insurance Policy Help?

A Cyber Insurance policy will play a fundamental role in providing your organisation with cover for costs incurred when making a data breach notification. Most insurers will provide a 24/7/365 incident response hotline, giving you access to a specialist vendor panel with local, regional and global capabilities.

You can read a full copy of the report here

The Office of the Australian Information Commissioner (OAIC) has published the first quarterly report on data breach notifications received under the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.

The OAIC received 63 data breach notifications under the scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis.

The NDB scheme requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. These data breaches are referred to as ‘eligible data breaches’. Entities must also notify the OAIC about eligible data breaches.

The NDB scheme formalised the community’s expectation for transparency when a serious data breach occurs. According to the 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when personal information is lost by a business.

Just over half of the eligible data breach notifications received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.

This highlights the importance of implementing robust privacy governance alongside a high standard of security. A Cyber Insurance policy gives insureds 24/7 access to an incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.

A Cyber Insurance policy should be part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.

Key statistics from the first quarterly report include:

  • Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
  • 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
  • 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
  • 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of less than 1,000 individuals.

For more information on how a Cyber Insurance policy can assist in protecting your business, contact your Account Manager now.

You can read the OAIC full report here


From Thursday 22 February, Australia’s Notifiable Data Breaches (NDB) scheme comes into force. The scheme requires notification of unauthorised access to, disclosure of, or loss of information likely to result in serious harm.

The NDB scheme means you cannot keep silent on data breaches and hope for the best. From 22 February 2018, breaches must be reported to both the Office of the Australian Information Commissioner and people affected.

A wide range of entities are at risk and the statistics are horrifying. For example:
•    63% of confirmed data breaches involved leveraging weak, stolen or default passwords and usernames
•    22% of small businesses breached by ransomware attacks in 2017 were so badly affected they could not continue operating
•    41% of people surveyed globally could not identify a phishing email
•    30% of phishing emails were opened and 12% clicked on infected links or attachments.

The number of Australian businesses using commercial cloud computing services has risen from 19% to almost one third in just one year, but the fact that your data is in the cloud does not mean it is protected.

Lax security is frequently to blame for breaches. We suggest you review your arrangements with cloud and other third-party service providers and, where possible, encrypt sensitive information before disclosing it to third parties.

Claims experience at Cyber specialist Emergence Insurance shows that:
•    Multiple backups are a must
•    Whether or not the NDB scheme is triggered in a ransomware attack, the impact on the business and reputational damage can be substantial
•    Encryption can effectively protect data.

You are only as safe as your weakest link.

Cyber Insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.

A Cyber Insurance policy should be part of every successful business’s risk management framework. A good Cyber product includes instant access to an incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.

A Cyber Insurance Policy like that of Emergence gives businesses financial support and incident response expertise to recover from adverse events, including ransomware attacks, point-of-sale intrusions, denial-of-service attacks and cyber espionage.

Contact your Account Manager now to discuss how a Cyber Insurance policy will work for you.

On 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect, requiring Australian organisations affected by a serious data breach to notify all individuals whose information may have been compromised. Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations.


Data Breach Notification legislation – will your business be affected?

If your turnover is more than $3 million per year and you are governed by the Privacy Act 1988 (Cth), or if you are a smaller business handling sensitive information, then this new legislation can impact your business.

For more information about how to determine whether this applies to your business or organisation, please refer to the OAIC (Office of the Australian Information Commissioner) website: https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/draft-entities-covered-by-the-ndb-scheme


What is a notifiable data breach?

A Notifiable Data Breach is a data breach involving personal information that is likely to result in serious harm to any individual affected. An eligible data breach arises when the following three criteria are satisfied:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
  2. this is likely to result in serious harm to one or more individuals; and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action.


Here are a few examples of where the legislation would apply:

  • A device containing customers’ personal information is lost or stolen and there is no way of managing it remotely or ensuring that it hasn’t been accessed.
  • A database containing personal information is hacked.
  • Personal information is mistakenly provided to the wrong person.
  • Employees access or disclose personal information outside the requirements of their employment.
  • Paper records are found in an insecure recycling or garbage bin.


What You Need To Do

Organisations will need to ensure they have an adequate Data Breach Response Plan in place by the time the legislation changes are implemented.

Having a Data Breach Response Plan is part of establishing robust and effective privacy procedures. And having clear roles and responsibilities is part of good privacy governance. A data breach response plan can also help you:

  • meet your obligations under the Privacy Act — an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps may include having a data response plan
  • protect an important business asset — the personal information of your customers and clients as well as your reputation
  • deal with adverse media or stakeholder attention from a breach or suspected breach
  • instil public confidence in your capacity to protect personal information by properly responding to the breach.


How Will A Cyber Insurance Policy Help?

A Cyber Insurance policy will play a fundamental role in providing your organisation with cover for costs incurred when making a data breach notification. Most insurers will provide a 24/7/365 incident response hotline, giving you access to a specialist vendor panel with local, regional and global capabilities.

In addition, the benefits of a Cyber Insurance Policy can include:

  • Crisis communications and reputational mitigation expenses.
  • Incident response and investigation costs.
  • Liability arising from failure to maintain confidentiality of data.
  • Liability arising from unauthorised use of your network.
  • Online media liability.
  • Regulatory investigation and/or enforcement proceedings expenses and fines/penalties.


Speak to your Account Manager today for more information on how a Cyber Insurance Policy will assist your organisation.

For more information on the requirements of the Notifiable Data Breaches scheme, visit the Office of the Australian Information Commissioner’s website https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
