By: CT Group, KBI Pty Ltd
Over the last 12 months, the rise of remote work has increased cyber risk and made companies more
vulnerable to cyberattacks. While businesses are becoming more aware of cybercrime risks, there is still
inadequate understanding of what the risks are, and how to mitigate and insure them.
Most businesses are aware of potential expenses related to repairing operating systems, regaining system
access and addressing data breaches. But many overlook a critical exposure: business interruption. Similar
to traditional loss events like fire or flood, having insurance to restore operations following a cyber event is
only useful if the business is able to survive through the restoration period.
A cyber insurance policy will address the direct impact of a cyber event, such as repairing your systems. But
to cover lost profit and extra expenses during the restoration period, you will need cyber business
interruption (Cyber BI) cover.
Unfortunately, organising Cyber BI cover is not simple. As a new and evolving form of insurance, cover terms
can differ from insurer to insurer, and understanding what is best for your business can be confusing.
In this article, we’ve worked with CT Group to explore cybercrime and cyber insurance in 2022 – including
how to mitigate cyber risk and transfer business interruption risks to insurance.
Table of Contents:
- Remote Work Fuels Cybercrime
- Key Cyber Risks Businesses Are Facing Now
- Business Interruption – The Costs
- What is Cyber Business Interruption Insurance?
- What Does BI Insurance Cover?
- How Is Cyber Business Interruption Loss Calculated?
- What does a Cyber Business Interruption Claim look like?
- Ensuring Your Policy Is Fit-For-Purpose
- Mitigating Your Cyber Risks
- Final Takeaways
- FAQs
I. Is cover limited to cyber events? What about general IT outages?
II. What period will my Cyber BI policy cover lost profit and additional expenses for?
III. Do businesses have to cover a portion of their own losses?
IV. What retention period and cover timeframe is right for me?
Remote Work Fuels Cybercrime
Cybercrime has been around since 1834 — when hackers breached the French Telegraph system and accessed
stock market data. Since the 1830s, technology has developed exponentially, and so has cybercrime.
In a survey by McAfee, two-thirds of responding companies experienced a cyber incident in 2019. The average
reported cost for each company’s most expensive breach was over $500,000.
Since 2019, the rise of remote work has only fuelled the fire. According to the Australian Cyber Security Centre,
cybercrime reports rose 13% in FY2020-21. Head of the Australian Cyber Security Centre, Ms Abigail Bradshaw
CSC, commented:
“As we shifted online to go school work or work from home or buy things, or keep communicating, the
criminals have also shifted and really prosecuted our online lives to make money or steal our
information.”
A recent OpenVPN poll supports this statement. Among respondents, 73% of VP and C-Suite level IT managers
believed that remote workers pose a greater cyber-security threat than on-site workers.
Companies need to accept that they are constantly exposed to the very real and increasing threat of
cybercrime, and that cybercriminals are proactively and constantly trying to find ways to attack unprepared
victims.
Key Cyber Risks Businesses Are Facing Now
If your business is reliant on computers to function, a cyber-related business interruption can have a massive
impact on turnover. In extreme cases, malicious attacks can hinder your ability to generate income for weeks
or even months.
In 2022, cybercriminals are more vicious and dexterous than ever before. And, as businesses trade static
workstations for a more ‘fluid office’, the threat of cyber-attacks has increased exponentially. Today, even
organisations with advanced security and firewall technology are at the mercy of cybercriminals.
Key cyber risks include:
1. Inadequate passwords
It does not matter how secure your organisation’s infrastructure set-up is – humans are creatures of
habit and their actions are easy to interpret. Weak passwords are an easy target for hackers. Passwords your
staff should avoid include:
- Passwords based on easily traceable personal data (birth dates, anniversaries etc.)
- Passwords used on other platforms
- Feeble passwords, for example digit/letter combinations.
2. Phishing assaults
Phishing is an older attack method – but according to several sources, including Spanning’s 2021 Cyberattacks
Blog, it still accounts for almost 90% of all data breaches. In a phishing attack, the user receives
communication (usually an email) that appears to be from a source they trust. The email requests personal
data like passwords or security question answers, which the email’s real sender can use to access sensitive
information.
Like password-related hacks, phishing attacks take advantage of human error. What makes phishing so
effective is that through social distribution of links and files, victims often inadvertently propagate malicious
content.
3. Malware
Malware, or ‘malicious software’, is arguably the most widespread form of cyber security threat. Malware causes
systems to behave strangely. This includes preventing access to programs, deleting files, syphoning
information to other sources, and infecting connected systems.
4. Trojan viruses
Trojan viruses are a form of malware. They disguise themselves as legitimate, helpful software. But under the
surface, they are harmful. A common ploy is to send a warning to a user saying that malware has been detected
in their system. The Trojan offers to scan the device, but the ‘scan’ it carries out is actually the transfer of malware.
5. Cryptojacking
A definitive sign of the times – Cryptojacking is the act of hijacking a computerised device and syphoning
computing power from the machine without the official user’s knowledge. The additional power is usually used
to mine cryptocurrency.
6. Ransomware and extortion
Ransomware can be described as malware’s nastier cousin. Ransomware encrypts your files in a way that is
nearly impossible to reverse without the necessary software codes. Organisations can be held to exorbitant
ransoms to free their systems and data. Although ransomware has been around for many years, 2021 saw
increased ransomware complexity. New trends include:
- Extortion: When an organisation’s system is seized by threat actors, and money is extorted in exchange for the release of system functionality.
- Double-Extortion: When cybercriminals deprive companies of data in addition to encrypting it, allowing them to dictate greater ransom demands.
- Ransomware-For-Hire: There are syndicates-for-hire that will attack large enterprises for a big payout from a third party. These are well-organised crime rings with global networks, capable of attacking large enterprises.
- Supply Chain Attacks: 2021 saw a stark surge in attacks on tech companies. Experts believe it’s due to the appeal of attacking software code, and then launching an attack on the company’s vendors and customers, creating a chain reaction of malicious attacks, often with the intent to collect multiple ransoms.
The risks associated with these threats are different for individuals and businesses.
- Password breaches: The scale of a password breach is generally larger for a business than an individual. An organisation-wide breach can compromise the classified data, personal information or even bank accounts of thousands of clients.
- Phishing: The impact of phishing depends on what information is accessed by the hacker. Individuals tend to be targeted for identity theft, while businesses tend to be targeted for bank account access.
- Malware: Malware can result in the total loss of company data, or company client lists, with costs running into the millions.
- Ransomware: Ransomware attacks are by far the costliest. And unfortunately, they are becoming increasingly frequent. In the first quarter of 2021, there was a 43% increase in the demands from cybercriminals, averaging an extortion cost of $220,298, according to ChannelE2E. This cost is exclusive of productivity loss, loss of system and network access, data loss, damage to brand reputation, client loss and loss of revenue. Extortion costs aside, the IT manpower and hours required to resolve these onslaughts are enormous. They can easily take weeks, if not months, to resolve and run into millions of dollars.
The chart below shows cybercrime statistics for the 20/21 financial year. It is a good indication of how prevalent
cybercrime is in Australia now.
Australian Cyber Security Centre’s 2020-2021 Observations | Cybercrime Statistics |
---|---|
Over 67,500 cybercrime reports | Up 13% from previous year |
Self-reported losses from cybercrime totalling more than | $33 Billion |
Percentage of cybercrime incidents affecting entities associated with Australia’s critical infrastructure | 25% |
Over 1,500 cybercrime reports of malicious cyber activity related to the coronavirus pandemic | Approximately 4 per day |
Pandemic-related cybercrime reports involving Australians losing money or personal information | 75% + |
Nearly 500 ransomware cybercrime reports | Up 15% from previous year |
Crime Type: Fraud, Online Shopping Scams and Online Banking Scams | Top Rated |
An increase in the average severity and impact of reported cybercrime, categorised as ‘Substantial’ | Nearly 50% |
Cyber Business Interruption – The Costs
An attack-related outage can cost your business thousands in lost profits and unexpected expenses. In a survey
by McAfee, in 2019 the average length of a responding business’s longest cybercrime-related interruption was
18 hours. For more than 33% of respondents, attack-related system downtime cost between $100,000 and
$500,000.
Cyber business interruption examples:
In 2017 the LA Times reported that a NotPetya worm attack interrupted business at Danish shipping company
Maersk for two weeks at a cost of $200-$300 million.
According to Computer Weekly, a 2020 cyber-attack left Avon representatives in several countries unable to
place orders. Parts of the Avon UK system remained down more than a week after the incident.
Mitigating Your Cyber Risk & Cyber related business interruptions
In addition to understanding the risks and insuring against them, it’s probably most important to ensure
companies are preparing for, and mitigating, key risks. CT Group has provided a list of tactics all businesses
should undertake to manage and reduce their exposure to the growing threat of cybercrime:
- Staff training: Security Awareness and Cyber Training can greatly reduce the vulnerabilities companies face, by creating awareness and helping staff carefully navigate possible pitfalls.
- Enforce cybersecurity policies: Organisations must implement strict policies and set a standard of behaviour when it comes to the safe use of cyber-based company assets. Cloud-based governance infrastructure can help to monitor and maintain sovereignty over the use and exchange of data.
- Inspect encrypted traffic: Encrypted channels are now commonly used by cybercriminals. Adopt cloud-native, proxy-based applications that can inspect, decode, detect, and prevent threats in all HTTPS streams, for each user.
- Up-to-date software: Apply software Patch Management, which ensures that all critical security updates are deployed to the endpoints within the network in a timely manner to address new vulnerabilities and fix them as they are discovered.
- Migrate to the cloud: Move your company’s operations to the Cloud to gain stricter control over network access and avoid locally stored assets. The cloud also makes limiting and granting access very simple.
- Understand the cover your business needs: Whilst it is imperative to establish what your company’s risk status is, having a clear understanding of the different types of insurances is just as important to make the right choices. For example, having a Cyber Insurance policy is essential to provide Emergency Incident Response, Liability and Financial Loss cover after an attack, while Cyber Business Interruption Insurance exists as a breach response to make up for the income that could not be earned during the restoration period after an attack.
- Develop a response plan: Prepare for the worst with the right business insurances. Speak to your IT service provider about a data backup and disaster recovery plan and build your response strategy into your overall business continuity program.
What Is Cyber Business Interruption Insurance?
- Incident response costs and access to 24/7 emergency response teams
- Costs related to restoring and re-protecting your computer systems
- Costs to respond to and defend legal actions related to privacy or security breaches
- Cover for stolen funds & lost data
- Help to restore reputational damage and PR costs
- Costs associated with investigating and notifying a data breach
In some — but not all — cases, your cyber policy may include business interruption cover, which is arguably one of
its most important coverage sections. The intention of cyber business interruption cover is to cover the revenue
you would have earned if you had not experienced the cyber event. It can also cover additional expenses incurred
to continue operating as best you can while the insurers help you recover from the loss.
If your Cyber policy does not include cyber BI cover, it is strongly recommended that you either add it to your
existing policy or seek an alternative policy with more comprehensive coverages.
What Does Cyber BI Insurance Cover?
The insurance market has not yet settled into a standard way of covering cyber business interruption, which
means policy terms can vary significantly between insurers.
A typical policy provides cover for:
- Loss of income: Covers the difference between your net profit and the net profit you would have earned without business interruption.
- Operating expenses: Covers ordinary operational expenses that you must continue to incur through the outage, such as rent and payroll.
- Additional expenses: Covers expenses incurred for the express purpose of reducing an outage-related income loss. For example, hiring a tech expert to put a workaround in place or paying customer service staff overtime to process sales by phone.
Your policy may also include or have an option to add:
- Forensic expenses: Covers costs associated with investigating the source of business interruption.
- Contingent business interruption (also called dependent business interruption): Extends cover to situations where an attack on another company’s systems results in interruption to your business. The policy will usually require you to have a direct relationship with the company in question and would not extend to computer system failures among your customer base.
How Is Cyber Business Interruption Loss Calculated?
The way income loss is calculated will depend on your insurer and your policy. The process often includes
consultation with forensic accountants and technology experts.
Some things worth noting are:
- Cover will not include delayed sales: Not all revenue lost during a system failure is lost forever. If a system failure means that a customer comes back later to purchase, this is not considered an income loss.
- If there is no loss in revenue, you will not be able to claim for operational expenses: If your business generates a normal revenue during the outage, insurers expect you to cover your normal expenses. (If you incurred extra operational expenses to prevent revenue loss, you can usually claim these as additional expenses.)
- The length of time for which your insurer measures interruption loss will depend on your policy: Your policy may have a waiting period, a retention period, or limit cover to the period between when the outage occurs and when your systems are restored.
- Your policy may not provide cover at all if the interruption is too short: Many policies will only consider a claim related to an outage over a set length. In our experience, the waiting period can be as short as 3 hours and as long as 72.
Ensuring Your Policy Is Fit-For-Purpose
Especially for complex policies like cyber business interruption, it would be extremely beneficial to work with a
specialist broker who can properly review your requirements and align the best solutions to them.
A specialist insurance broker will also:
- Make sure you know all the options available on the market
- Explain the differences between cover types — including how they might affect a claim
- Provide targeted advice based on your business requirements
- Speak to insurers on your behalf to ensure optimal policy terms
- Support you in the event of a claim
Final Takeaways
- The rise of remote work is making businesses more vulnerable to cyber-attacks.
- Businesses should be aware of the key risks they are facing.
- Businesses should mitigate risk wherever possible.
- Cyber insurance, including Cyber BI cover, is crucial for businesses in 2022.
- Choosing a cyber policy is difficult because policies vary significantly from insurer to insurer.
- To get your Cyber BI cover right, KBI recommends engaging a specialist broker.
- A broker can give you a clear picture of the cover available, explain each cover option to you, and help you make sure that the policy you end up with is the best one for your needs.
FAQs
Is cover limited to cyber events? What about general IT outages?
- In most cases, cover is limited to a privacy or security breach. But, there are some situations where extended coverage is available for other outages.
What period will my Cyber BI policy cover lost profit and additional expenses for?
- Your insurer will only be responsible for covering lost profit and additional expenses for the period agreed on in your policy. This period differs significantly from insurer to insurer, and the option you pick can drastically affect your position in the event of a claim.
Some typical timeframe-based limitations include:
- A waiting period before a claim is eligible: Your policy may exclude cover for interruptions that do not last longer than a specified number of hours (or sometimes days.)
- A waiting period before losses are eligible: Your policy may exclude all cover for losses that take place in the waiting period and only calculate loss from the time the waiting period ends.
- Cover ends when systems are restored: Your policy may consider a business interruption to be over as soon as systems are restored. If your policy limits cover this way, it will prevent you from claiming for residual effects of an outage—for example, the revenue lost in the days following an outage due to disgruntled customers.
- Cover ends a set number of days after your system is restored: Some policies cover losses for a period of time after systems are restored. This allows you to claim for the residual effects of a business interruption. Still, there is no guarantee that cover will last long enough to support you until you return to normal income levels.
- Cover until income is restored: Some policies include cover for the entire period of income loss. This is the most comprehensive option available but usually also the most expensive.
Do businesses have to cover a portion of their own losses?
- Many policies expect the insured to cover a portion of losses. This can be called the retention, excess, deductible, or waiting period, and it might be defined as losses within a period of time, a dollar amount, or both. Like most things in Cyber BI insurance, retention details vary significantly from policy to policy.
Common Cyber BI retention terms include:
- No cover for losses and expenses incurred during the waiting period
- No cover for the first $X of losses and expenses
- No cover for the first X hours of interruption
- No cover for losses and expenses incurred in the waiting period and for the first $X of losses and costs incurred following
What retention period and cover timeframe is right for me?
- There is no one-size-fits-all rule. The type of cover that is right for you will depend on many factors, including your operations, your operating costs, your cash flow, the complexity of your systems, and your core vulnerabilities. In our opinion, the best option is always to consult an expert broker.
Even among companies in the same industry, needs can vary:
Take a 24-hour outage for an online store. Some stores are confident that customers will come back the next day, while others are not. Some stores will lose a single order per customer, while others will lose months of subscription or follow-up purchase income.
Should you need more information on Cyber Insurance, please contact the KBI team on 1300 907 344 or email
info@kbigroup.com.au
Should you need more information on Cyber Security, please contact the CT Group team on 1300 434 237 or
email solutions@ctgroup.com.au