What is a Cyber Attack?
A cyber attack is an attack launched from one or more computers against another computer, multiple computers, or networks. Cyber attacks can be broken down into two broad types:
- attacks where the goal is to disable the target computer or knock it offline, or
- attacks where the goal is to get access to the target computer’s data and information.
The situation is becoming so bad that most professionals believe it is not a matter of if a business will be attacked but when.
What is Cyber Insurance?
Cyber Insurance has been designed to help businesses who have experienced a cyberattack.
In the unfortunate event that your system is hacked, the correct cyber cover will assist your business to respond to the incident and get the operations of the business back up and running. Without such cover the impacts on a business and its reputation can be devastating.
In many cases, the policy can also provide access to a panel of top-tier breach coaches and other service providers who can help you recover from an attack more quickly, or who can help you put in place safeguards to potentially limit the severity of attacks.
Who is Cyber Insurance for and Why Is it Required?
As technology becomes more accessible to businesses of all sizes, we encourage all businesses to consider Cyber Insurance, as modern businesses are intrinsically linked with technology and the internet, and a breach or attack can severely hamper productivity and revenue.
Results from the Australian Cyber Security Centre (ACSC) Small Business Survey show the following impacts of cybercrime in Australia:
- 144 reports of cybercrime are made per day to the ACSC
- Estimated $300M in losses due to cybercrime each year
- Out of 1763 respondents, 62% have been a victim of an attack
- More than half of the participants advised that they spend less than $500 a year on cybersecurity, which suggests a DIY approach to a very complicated area of their business
- The Report found that although businesses feel cyber security is important to their business, the impacts of a cyberattack are severely underestimated
The impact of falling victim to a cyber attack can be devastating for businesses, particularly those who do not have the financial capacity to recover from such an incident. There are also regulatory and contractual requirements businesses have with regard to customers’ personal information. If a business stores customer data such as names, addresses, credit card information, etc. on any type of computer system, on or offline, then there is a regulatory obligation to keep that data secure.
What Does Cyber Insurance Cover?
As Cyber Insurance risks become better understood and the product becomes more widely known within the insurance market, the covers will become more standardised but should still be catered to individual business requirements. However, some of the events that Cyber Liability Insurance covers include:
- Data loss, recovery, and recreation
- Business Interruption
- Loss of Transferred Funds
- Computer Fraud
- Cyber Extortion
If hackers expose or steal the personal information of your clients, a cyber liability insurance policy pays for:
- Notification Costs: These expenses can be significant as the company bears the burden of identifying potential victims and providing notification to the relevant victims
- Computer Forensics: The costs to hire computer forensic consultants to determine whether a data breach occurred, to contain and prevent further damage and to investigate the cause and scope of the breach
- Reputational Damage: Data breaches can have a severe impact on a business’ reputation.
What is Not Covered?
Just like all insurance policies, there are certain exclusions that apply to Cyber Insurance. Some typical exposures that are not covered are:
- The policy will not respond if you are sued for any potential vulnerabilities in your system before a breach occurs
- Losses due to theft of intellectual property
- The cost to improve security and technology systems after an attack will not be included in most policies.
Claims Examples
1. Cyber Theft
The CFO of a construction company received a fraudulent email from the CEO, whose e-mail account had been compromised due to a Cyber Event. The email requested the transfer of a large sum of money. The email convinced the CFO to transfer money to a third-party bank account. Later it was determined that the email was not authored by the CEO, but it was too late for the bank to stop the transfer.
Cyber Event Protection covered the forensic investigation of the crime as well as response costs to remove the threat and secure the e-mail system. If Cyber Theft coverage was also taken, the direct financial loss the insured suffered would be covered as well.
2. Property Developer
Following the sale of two properties, the insured was required to make a payment of $400,000 to their property consultant. On the day the payment was due, the insured received an email from the consultant advising their banking details had changed. The insured requested that this be sent to them in writing on the consultant’s letterhead which they received, including the signature of the director of the consultancy company. The insured was later chased by the consultant for payment at which time it was discovered that the email and letter had been fraudulent. The insured contacted their bank to stop the payment and were informed that the money had already been withdrawn and transferred overseas.
The insured made a claim on their Cyber Policy which triggered the optional Social Engineering cover. DUAL appointed an IT forensic consultant who identified that the hacker had infiltrated the consultant’s system and intercepted correspondence between the insured and the consultancy firm. The insured was reimbursed for the outstanding funds (capped at the Social Engineering sub limit of $250,000). Payment: $250,000.
3. Customer Privacy
An employee at an engineering firm found a way through his company’s network security defences and gained access to a customer’s trade secret. The employee sold the trade secret to a competitor. The customer sued the engineering firm for the failure to protect the trade secret and was awarded damages. The customer received over $500,000.
Types of Cyber Attacks
We have detailed below some common types of Cyber Attacks to help educate you and make you more aware of this increasingly problematic issue that is occurring not just across construction related businesses but across all types of businesses.
According to a recent Forrester Survey, 75% of the respondents who operate in the construction & engineering industry have experienced a cyber-attack in the past 12 months and expect that they will be a victim of future attacks.
Specific cyber exposures relating to construction related businesses are:
- Liability to third parties arising from breach of private information
- The costs of dealing with a breach including notification, ransom payments, forensics, legal services and lost income through business interruption
- Breach of confidential business information including plans, technical drawings and specifications
- Liability for delay in projects caused by unauthorised accesses to project data and systems
As a business operator, it is important to be aware of the types of cyber attacks that can be made against your business in order to protect your business and its reputation. Below are details of some of the top types of cyber attacks commonly used today by attackers in the construction industry.
1. Phishing Attacks:
Phishing attacks are one of the most common types of cyber attacks. Phishing involves attackers trying to obtain personal information or data, like usernames, passwords, and credit card details, by disguising themselves as trustworthy entities. Phishing is mainly conducted through electronic media, like emails and telephone calls.
2. Spear Phishing Attacks:
Spear phishing refers to any fraudulent activity conducted through email or phone call to gain unauthorised access to an individual’s confidential information. It has become one of the most common types of cyber attacks.
3. Whale Phishing Attacks:
Whale phishing aims to access sensitive and confidential information of powerful people e.g., CEOs.
4. Drive-By Attacks:
In these types of attacks in Cyber Security, hackers insert malicious scripts into multiple websites and end up getting access to all the confidential documents of the users who visit those websites. Through these malicious scripts, the whole system gets corrupted, and all the information gets accessed by the hacker.
5. Ransomware:
In a ransomware attack, an attacker will obtain overall access to your system and prevent you from accessing your company or client information. The attacker will then demand payment in order to regain access. This is a major type of cyber attack and there is no guarantee that paying the ransom will allow you to securely obtain your information back.
6. Trojan Horses:
A Trojan is a malicious software program that aims at hacking digital devices by appearing as useful software. It is one of the most dangerous types of cyber-attacks and is commonly used to obtain financial and confidential information from victims.
7. Man in The Middle Attacks:
A Man in the Middle Attack takes place when the attacker inserts themselves in between the client and the business to misinform the client and get unauthorised access to their systems.
If you would like to discuss your business risk further, or would like to obtain a quotation, please give the team at Master Builders Insurance Brokers a call on (02) 8586 3555 or email nsw.insurance@mbib.com.au.