Cyber Insurance - Case Study
Is Cyber Insurance Important?
“We don’t do much online in our business, we won’t ever need a cyber insurance policy”.
This is a common perspective from small businesses regarding cyber insurance. It’s completely understandable, and to be honest, a few years ago we would have thought the same thing.
When you stop to think about it though, it’s very rare for businesses not to have any online presence these days. Even when you don’t conduct business over the internet, most businesses have email accounts and some form of client records kept on computers or other devices like tablets and mobile phones.
Personal information and data are carefully regulated through Privacy legislation – with good reason too. Data breaches can have severe consequences for the people whose details are breached, such as financial fraud, identity theft and even physical harm or intimidation.
This means that there are strict guidelines under the Notifiable Data Breaches (NDB) Scheme about what needs to happen when a data breach occurs, and there are penalties for businesses that are involved in data breaches, even when the breach may be accidental or the result of cyber criminals targeting your business.
Breaches that result from human error or a failure in business information handling processes or security systems can include:
Loss or theft of physical devices (laptops, storage devices, tablets, phones etc.) or paper records that contain personal information (staff, customers etc.).
Unauthorised access to personal information by an employee e.g. when there are insufficient restrictions on staff accessing files when they’re not approved to do so.
Inadvertent disclosure of personal information due to human error e.g. email sent to the wrong person.
Disclosure of personal information to a scammer as a result of inadequate identity verification processes.
This is a real-life example of a claim made against a business’ cyber insurance policy provided by Bizcover:
A business’ employee misplaced a company laptop. The laptop had numerous client records and credit card details stored on it.
The business was required to notify the Privacy Commissioner about the breach, as well as notify all the impacted individuals. The business also hired a public relations firm to help rebuild the business’ reputation.
The total amount of the claim ended up being $250,000.
Even without the hiring of a public relations firm or factoring in reputational damage, the direct, financial consequences for businesses can be significant. In 2022, parliament passed an amendment to the Privacy Legislation increasing the penalty for businesses that suffer repeated or major data breaches. The maximum civil penalty has been increased to be the greatest of:
$50 million
30% of adjusted turnover for the period
3 times the financial gain from the misuse of data in the most serious breaches
Whilst the maximum penalty is unlikely to be imposed on small businesses following accidental breaches, could your business absorb the cost of a significant claim like the one in the case study or even a smaller fine imposed by the Commissioner?
Our business certainly couldn’t, and that’s why as well as trying to implement and maintain strong security and business processes, we also hold a cyber insurance policy. As a business and a family dependent on that business, it just isn’t worth the risk not to.
If you would like to get more information about cyber insurance in the context of your business activities, you can contact us by filling out the form below, or giving us a call!
You can start by using the resources below to help protect you and your business today!
Creating a strong password: https://www.avast.com/c-strong-password-ideas