Cyber crime: Litigation, liability and reputational risk

Size and strength do not offer immunity to the latest security threat.

Major organisations including Sony, Citigroup, Google, Mastercard, Dell Australia and RSA have all been victims of cyber crime in recent years, experiencing significant data and security breaches which have impacted millions of customers.

Bank accounts, medical records and contact information are among the data which has been breached, exposing these companies to litigation and liability, significant financial recovery costs, loss of future business and reputational damage.

Predominantly these data breaches are the result of intentional attacks by criminal hackers; however, the theft of hardware, such as desktop computers and backup tapes, has also resulted in data loss. Accidental information exposure has also made headlines, with organisations misplacing or losing data on laptops and failing to erase hard drives.

While the media spotlight has focused on data breaches within large organisations, any business that keeps sensitive data on employees, customers, patients, students, partners or other third parties can be liable for damages if that information is breached, regardless of the reason.

"Protecting data is no longer an IT responsibility - it is the responsibility of the CEO and CFO," says Kevin P. Kalinich, Global Practice Leader - Cyber Insurance, Aon Risk Solutions, Chicago.

Domestically, the financial implications of data breaches have grown in each of the past three years.

A report from security company Symantec and the Ponemon Institute on the Cost of Data Breach found 22 Australian companies from ten different sectors suffered significant financial losses from data breaches in 2011.

Findings from the study identified lost or stolen devices as a common factor in data breaches. Of the companies surveyed that had experienced data breaches, 36 per cent attributed them to third parties, including outsourcers, cloud providers and business partners.

These findings were echoed by Australian Privacy Commissioner Timothy Pilgrim, who in April this year said there is evidence to suggest that data breaches are on the rise.

"The Office of the Australian Information Commissioner was notified of 56 data breaches in the last financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent," Mr Pilgrim said.

New legislation is currently being enacted across the United States, Europe and the UK and will shortly reach Australia. The legislation will require organisations affected by a data breach to contact each individual affected. Should a wide-scale breach occur, the magnitude of such a task would cause many organisations to falter, exposing them to severe penalties.

Traditional crime or civil liability insurance policies may not extend to cover cyber-specific breaches.

In Australia, there are a number of cyber-security policies available, covering a wide range of scenarios. A 'cybersecurity' policy can complement an organisation's risk management strategy by transferring a proportion of the financial risk from the business to the insurer when a privacy breach occurs.

With the proposed Australian Privacy Principles in mind, Aon strongly recommends cover for the following cyber risks:

  • liability for a privacy breach due to the release or display of any electronic media
  • liability for a privacy breach due to an alleged failure to prevent unauthorised access to a computer system
  • civil fines or civil penalties which the business or an individual is ordered to pay as a result of a privacy or security breach
  • customer notification expenses (e.g. mail-outs), customer support and credit monitoring
  • the loss of data and the cost of restoring it
  • business interruption expenses in the event of a breach.

Each policy must be closely scrutinised, however, to ensure there are no qualifications or exclusions which would effectively exclude cover should a breach occur in specified circumstances. For example, insurers may limit cover to computers connected to a network. This would effectively exclude cover for laptops, tablets and hand-held devices, all of which could contain personal information.

"Common misconceptions exist within organisations who don't believe they could be a target for data breaches," says Stephen Trickey, National Leader, Aon Financial Services Group in Australia.

"Certain organisations mistakenly believe that because they have a firewall, a quality IT team, or antivirus protection, they will not be targeted. Many organisations believe only online retailers or specific industries such as data storage or financial institutions are vulnerable to data breaches."

"Hackers do not discriminate; they are continually scanning networks for vulnerabilities without a specific target," says Trickey.

"An important message for all corporations to heed is insurance costs will increase exponentially following a breach; retrospective coverage is generally unavailable."

Aon has a range of specialist personnel who can assist you to design, negotiate and place a cyber-security policy which, as far as possible, appropriately covers you against a breach of the Australian Privacy Principles and other privacy legislation, codes or standards due to the electronic disclosure of, or electronic access to, personal information.
For more information please contact:

Stephen Trickey
National Leader
Aon Financial Services Group
t: + 61 2 9253 7577