From our earlier blog on this topic, we believe that, unlike business in the United States, Australian business is woefully underinsured for cyber liability.
It almost goes without saying that most businesses hold sensitive information (about customers, suppliers or employees) and therefore could be liable for a data breach (think Privacy Act and more). Most have an online presence including websites and social media. Most are reliant on IT systems/processes to some degree and without them, they couldn’t do business. And anyone can be extorted by hackers... just ask Andrew Forrest at Fortescue.
We have identified five interesting facts (well…we think so) on cyber crime that may cause Australian business to reconsider their stance. Our material has been sourced from insurer CGU.
Fact 1 – Hackers hang around undetected for 280 days
On average, a hacker is inside the company’s IT systems for 280 days before detection. This provides ample time for hackers to get comfortable, sit back, watch, test and plan before engaging in cyber crime.
Fact 2 – $276k is the average cost of a cyber incident
Fact 3 – Majority of attacks are on SMEs
60% of all targeted attacks were on small and medium businesses. Companies with between 1 and 250 staff were most likely to be targeted. These SME businesses perhaps lack the scale to appoint dedicated cyber protection talent, systems and processes.
Fact 4 – A cyber attack disrupts a business for almost a month
The average time to resolve a cyber attack is 23 days. However, if a malicious insider or employee is involved, the time to resolve increases to 51 days.
Fact 5 – 72% of cyber tactics involve phishing emails
A startling 23% of recipients open phishing emails with 17% clicking on the attachments. Scary stuff and perhaps your team needs a regular reminder.
It may be worth highlighting that cyber liability insurance is really the last line of cyber defence. Insurance is no substitute for robust processes and controls, talent and training.
Please be aware that cyber liability insurance is fairly new in Australia. As a result, there is a lot of variation between policies as to the things they do and don’t cover.
Also, there is a lot of variation in premium levels for “similar” coverage. This is understandable as insurers and underwriters grapple with risk appetite, a shortage of local claims risk data, and the need to build suitably sized premium pools.
So before you select an insurer, it may be worth taking the time to consider your particular cyber risks. We are happy to help if needed.