8/7/2015

ODMOB LAWYERS

Edition 2015 Volume 2

Next Issue
Edition 2015: Vol 3
Due: 1 November 2015

The next issue will cover the value of IT penetration testing. Its value should not be under-estimated but there are many legal issues that must be considered before engaging an ethical hacking team to test the security of your IT infrastructure.

Cyber Insurance

Most modern organisations are substantially dependent upon their IT systems. Since the advent of the World Wide Web (WWW) and the relaxation of the rules governing who can utilise the WWW by the National Science Foundation in 1992, organisations have globally migrated their business operations either in full or partially to the WWW. As with most new business environments, whether private enterprises or public enterprises, the criminal element quickly followed suit so as to capitalize on the vulnerabilities that arise in their IT systems.

Managing Security Risk

It is now a daily occurrence that there are news alerts announcing new cyber-attacks globally against major organisations including government organisations. Now each of these organisations has obviously expended substantial resources by way of cyber security protection. It is not possible for any organisation to implement an absolute cyber protection framework. That is, there is no such thing as an absolutely secure system. No matter what security precautionary technology is implemented there will always remain some residual risk.

In order to better understand the residual risk allocation the BOW TIE risk model is helpful as it deals with each hazard by identifying firstly the various causations and then concentrating on the myriad of impacts in which the hazard can result (see Annexure A: a brief overview of the Bow Tie Risk Model). The Bow Tie model involves identifying a vulnerability and identifying the threat/causation that can take advantage of the vulnerability.

Now many authors have stated that insurance is a transference of risk. In fact, this is not the case. Insurance is not a transference of risk but is a post-event compensatory mechanism. In line with Australian Standard 31000:2009, Risk Management Principles and Guidelines, risk is generally understood as being the likelihood of an event occurring that will impact an object. For example, the author has Comprehensive Car Insurance. If an accident occurs with the insured vehicle it is not the insurance company that is involved in the accident. The insurance company will hopefully compensate the insured for any resulting damage that arose out of the accident. The risk will always lie with the insured.

The same can be said for cyber security risk. The risk will always lie with the owner of the infrastructure, even if they have cyber risk insurance. If the cyber risk insurer is satisfied that the proposed insured has taken certain steps to treat the risk by reducing the likelihood of an adverse event occurring then the insurance company may issue an appropriate policy to cover, from a financial perspective, some or all of the loss arising from the adverse event.

It is not uncommon for such policies to include a non-deductible amount which really covers a self-insurance amount above which the Insurer will cover. There are in Australia a number of organisations that are offering Cyber-risk Insurance but it should also be noted that this area is still at an immature stage and consequently still evolving as an insurance product.

One of the difficulties in the provision of Cyber Insurance is that there are no actuarial tables that can assist the insurer in determining the risk. Further, insurance companies prefer the risks involved to be independent and not correlative. That is not the case with cyber security risk as the vulnerabilities can (most likely) be interdependent and correlative. This is especially so when dealing with the internet/WWW as the whole environment interconnects and hence is interdependent. As McKinsey and Company in their recent report on Cyberrisk noted, modern society is now hyper-connected. Thus, the historical risk models that insurance companies have traditionally relied upon are in most cases inappropriate.

Further, when it comes to actuarial tables, in general the variables relied upon have a common theme but in cyber-security risk it is generally not possible to compare apples against apples as rarely are two systems exactly the same within the same risk profile. Thus, insurers are not able to really have a standard approach and each case needs to be individually tailored to meet that client's requirements. This can result in vastly varying pricing structures for basically the same policy.

Despite this immature status for Cyber Risk Insurance all is not lost as there are some factors that an insurer will take into account in determining whether they will issue a policy.

Cyber Risk Insurance

AIRMIC (Association of Insurance and Risk Managers in Industry and Commerce) recently undertook an extensive review of cyber risk and identified that there are first party risks (see Annexure B) and third party risks (see Annexure C) involved.

The insurer will analyse the precautionary technology and procedures that the proposed insured has implemented. These technology/procedures will include:

1. What security architecture technology has been implemented, e.g. firewall technology;
2. What access control technology has been deployed;
3. Has an intrusion detection system been deployed;
4. What qualifications / experience do the security staff possess;
5. What type of information does the proposed insured collect/process: is it credit card information or sensitive personal information such as health records;
6. Is the proposed insured a high profile target; this may be assessed by way of industry sector such as banking or health or transport sectors OR by way of trade name such as high profile companies like major retailers or multi-media companies;
7. Does the proposed insured have a security awareness program in place; it is not uncommon for cyber-risk incidents to occur through inadvertence from an internal staff member, for example by opening a document from someone they have no knowledge of, which document has some malware attached or embodied in it;
8. What patching mechanism/process has been implemented? A case in point is the Verizon Slammer worm case where Verizon argued that it had done everything possible to prevent an infection from the Slammer Worm. The MAINE PUBLIC UTILITIES COMMISSION held that while Verizon's Operational Support Systems (OSS) faced a serious situation with the attack by an Internet "worm" on Saturday, January 25, 2003, the Company did not prove that it took sufficient steps to prevent this type of occurrence from having a major effect on its systems. Basically, there was a failure to implement a patch promptly which allowed the worm to impact Verizon's business operations.

Cyber Insurance Policy

As noted above, cyber insurance is a special policy designed to cover cyber-risk. Commercial property liability insurance has been available globally for many years. Such insurance is very mature within the insurance sector. However, property insurance generally only covers physical damage to property. It will not cover data breach situations because from a technical perspective there has not been any actual physical damage to property, even though there may be substantial damage to reputation. Reputation damage is not covered by property damage policies nor, according to US law, by General Commercial Liability Insurance.

Further, Commercial General Insurance has also been around for a substantial time and recently Travelers Cos., a large US based insurance company, successfully sought a judicial ruling that their General Commercial insurance policy did not cover any costs associated with a data breach suffered by one of its policy holders. A similar position was held in favour of Zurich America Insurance Co. in that Zurich was not obligated to cover Sony Corp. of America for litigation related to the 2011 hacking of its PlayStation Network under Sony's general liability policy.

Despite this success by Travelers Cos, most insurers now specifically exclude cyber-risk from such insurance policies. Instead special insurance policies have been and are continuously being developed to cover cyber risk. Hence it is important to understand what is on offer and in particular what is excluded in a policy. For example, it appears that it will not be unusual for a cyber policy to exclude a cyber attack that has been orchestrated by State funded organisations. How this is proved or the timing of such proof is difficult at this time to determine. This type of attack is really outside the purview of ordinary attacks as State funded attacks are not constrained by either resources or time. Most hackers once they identify a particular zero day vulnerability will exploit it immediately; whereas State funded hacking groups may park a particular vulnerability exploit so as to identify further vulnerabilities. They will then package a sophisticated attack mechanism. This was one of the characteristics of the STUXNET worm which attacked industrial and programmable logic controllers that controlled in particular the operations of centrifuges, especially Iran's nuclear centrifuges.

Despite this exclusion, there are many reasons as to why an organisation should consider cyber-risk insurance. Cyber insurance is available but it is only one element in the cyber protection cycle. It is not a substitute for good security frameworks and an insurer will not cover an organisation that has not implemented proper modern security in protecting their cyber assets. Cyber insurance is available in Australia but it is still evolving.

In November 2014 the Australian Government established the Australian Cyber-Security Centre (ACSC). This centre brings together the expertise of 6 agencies:

Australian Crime Commission (ACC)
Australian Federal Police (AFP)
Australian Security Intelligence Organisation (ASIO)
Australian Signals Directorate (ASD)
Computer Emergency Response Team (CERT) Australia
Defence Intelligence Organisation (DIO).

The ACSC recently released its first public cyber-security threat report. The ACSC defines a cyber-attack as being "a deliberate act through cyber space to manipulate, destruct, deny, degrade or destroy computers or networks, or the information resident in them, with the effect, in cyber space or the physical world, of seriously compromising national security, stability or prosperity". The ACSC has identified that during the period from 2011 to 2014 there has been a 3.6 fold increase in cyber-attacks against Australian organisations. Further, the report notes that they see no reason for this nefarious activity to subside or even plateau out. Hence, the threat to Australian business is real and is only going to increase over time.

One of the more invidious types of attacks is the use of ransom-ware. This type of malware once activated on a system will encrypt all files on the system and they will only be decrypted if the victim pays a ransom amount to the perpetrator. Without the decryption key all data is effectively lost by the victim, until they are provided with the decryption key. Consequently, it is important that users DO NOT open any files from people they do not know or are not expecting a file from people they know. Users should check with the sender to make sure that the sender actually did send the received message. This knowledge should be part of any awareness program by all organisations and in particular the insured.

Cyber insurance may not protect against a cyber-attack being instigated but it does have 2 important aspects: (a) it forces an organisation to cover itself in case of an incident; and (b) it forces the organisation to direct its attention to cyber security in order to get the insurance.

Conclusion

In Australia, cyber-attacks are only going to increase over time. Cyber insurance is still a maturing market. This immaturity should not deter the market as there are responsibilities at law upon management to include such protection. The management of an organisation has a fiduciary duty to protect the assets of an organisation including information assets and as such if they fail to protect the organisation's information assets they could leave themselves open to a class action by shareholders or by stakeholders to whom the exposed data relates like customers. This has happened in the USA and is not unlikely to occur in Australia.

Annexure A
Simple BOW TIE RISK MODEL

[Diagram: the Hazard/Event sits at the knot of the bow tie. On the left, Causation 1 to Causation 4 each lead towards the Hazard/Event through Treatment 1 to Treatment 4. On the right, the Hazard/Event leads through Mitigation 1 to Mitigation 3 to Impact 1 to Impact 3, each expressed as a $ Value.]

A treatment is designed to reduce the likelihood of the event occurring. For example the implementation of firewall technology that is designed to repel some cyber attack.

Mitigation involves some post event action that either reduces the financial impact (such as insurance) or the actual impact arising from the event occurring. For example having a disaster recovery program in place that can be activated after an event has occurred.
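The Bow Tie model above lends itself to a small computation: treatments scale the causation likelihoods on the left of the knot, mitigations scale the impact values on the right, and insurance (modelled here as an excess plus a policy limit, in line with the non-deductible amount discussed earlier) only changes what the insured retains after the event, never the event likelihood. The following Python is an added illustration, not a tool from the newsletter; the hazard, likelihoods and dollar figures are constructed.

```python
"""Bow tie residual-risk model (constructed illustration, not the newsletter's own)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Causation:
    # Left side of the knot: a threat acting on a vulnerability, behind one treatment.
    name: str
    annual_likelihood: float        # P(threat acts on the vulnerability in a year)
    treatment_effectiveness: float  # fraction of attempts the treatment repels (0..1)

    def residual_likelihood(self) -> float:
        return self.annual_likelihood * (1.0 - self.treatment_effectiveness)


@dataclass
class Impact:
    # Right side of the knot: a consequence of the event, behind one mitigation.
    name: str
    dollar_value: float             # loss if the event occurs and nothing is mitigated
    mitigation_reduction: float     # fraction of the loss the post-event mitigation removes

    def residual_value(self) -> float:
        return self.dollar_value * (1.0 - self.mitigation_reduction)


@dataclass
class BowTie:
    hazard: str
    causations: list[Causation]
    impacts: list[Impact]

    def event_likelihood(self) -> float:
        # P(at least one causation gets past its treatment); causations assumed independent.
        p_none = 1.0
        for c in self.causations:
            p_none *= 1.0 - c.residual_likelihood()
        return 1.0 - p_none

    def residual_impact(self) -> float:
        return sum(i.residual_value() for i in self.impacts)

    def expected_loss(self) -> float:
        # Risk in the ISO 31000 sense the article uses: likelihood of the event times its impact.
        return self.event_likelihood() * self.residual_impact()


def retained_after_insurance(loss: float, excess: float, limit: float) -> float:
    # Insurance is post-event compensation, so it acts here and never on event_likelihood():
    # the insured still carries the self-insured excess plus anything above the policy limit.
    return min(loss, excess) + max(0.0, loss - limit)


def build_example() -> BowTie:
    # Constructed figures for illustration; they are not data from the newsletter.
    return BowTie(
        hazard="Ransomware encrypts the file server",
        causations=[
            Causation("Staff opens a malicious attachment", 0.60, 0.70),  # awareness program
            Causation("Unpatched internet-facing service", 0.40, 0.90),   # prompt patching
        ],
        impacts=[
            Impact("Restore / recreate data", 200_000.0, 0.75),           # tested backups
            Impact("Business interruption", 300_000.0, 0.50),             # disaster recovery plan
        ],
    )
```

Call build_example() and the methods on the returned BowTie: with the constructed figures the event likelihood is 0.2128 and the expected annual loss $42,560, while a policy with a $25,000 excess and $500,000 limit leaves the insured carrying $25,000 per event without lowering that likelihood.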

Annexure B: First Party Cyber Risk Exposure (AIRMIC Analysis)

1. Loss or damage to digital assets: loss or damage to data or software programs, resulting in cost being incurred in restoring, updating, recreating or replacing these assets to the same condition they were in prior to the loss or damage

2. Business interruption from network downtime: interruption, degradation in service or failure of the network, resulting in loss of income, increased cost of operation and/or cost being incurred in mitigating and investigating the loss

3. Cyber extortion: attempt to extort money by threatening to damage or restrict the network, release data obtained from the network and/or communicate with the customer base under false pretences to obtain personal information

4. Reputational damage: arising from a data protection breach being reported (whether factually correct or not), that results in loss of intellectual property, income, loss of customers and/or increased cost of operation

5. Theft of money and digital assets: direct monetary losses and associated disruption from theft of computer equipment, as well as electronic theft of funds / money from the organisation by hacking or other type of cyber crime

Annexure C: Third-party cyber liability exposures (AIRMIC Analysis)

1. Security and privacy breaches: investigation, defense cost and civil damages associated with security breach, transmission of malicious code, or breach of third-party or employee privacy rights or confidentiality, including failure by outsourced service provider

2. Investigation of privacy breach: investigation, defense cost, awards and fines (may not be insurable in certain territories) resulting from an investigation or enforcement action by a regulator as a result of security and privacy liability

3. Customer notification expenses: legal, postage and advertising expenses where there is a legal or regulatory requirement to notify individuals of a security or privacy breach, including associated reputational expenses

4. Multi-media liability: investigation, defense cost and civil damages arising from defamation, breach of privacy, negligence in publication of any content in electronic or print media, as well as infringement of the intellectual property of a third party

5. Loss of third party data: liability for damage to or corruption / loss of third-party data or information, including payment of compensation to customers for denial of access, failure of software, data errors and system security failure

Annexure D: Cyber Risk Insurance Policies (Benier, Eling & Wirfs analysis)

| Category | Description | Elements |
|---|---|---|
| Subcategory 1: actions of people | | |
| 1.1 Inadvertent | unintentional actions taken without malicious or harmful intent | mistakes, errors, omissions |
| 1.2 Deliberate | actions taken intentionally and with intent to do harm | fraud, sabotage, theft and vandalism |
| 1.3 Inaction | lack of action or failure to act in a given situation | lack of appropriate skills, knowledge, guidance and availability of personnel to take action |
| Subcategory 2: systems and technology failures | | |
| 2.1 Hardware | risks traceable to failures in physical equipment | failure due to capacity, performance, maintenance and obsolescence |
| 2.2 Software | risks stemming from software assets of all types, including programs, applications and operating systems | compatibility, configuration management, change control, security settings, coding practices and testing |
| 2.3 Systems | failures of integrated systems to perform as expected | design, specifications, integration and complexity |
| Subcategory 3: failed internal processes | | |
| 3.1 Process design and/or execution | failures of processes to achieve their desired outcomes due to poor process design or execution | process flow, process documentation, roles and responsibilities, notifications and alerts, information flow, escalation of issues, service-level agreements, and task hand-off |
| 3.2 Process Controls | inadequate controls on the operation of the process | status monitoring, metrics, periodic review and process ownership |
| 3.3 Supporting Processes | failure of organisational supporting processes to deliver the appropriate resources | staffing, accounting, training and development, and procurement |
| Subcategory 4: external events | | |
| 4.1 Catastrophes | events, both natural and of human origin, over which the organisation has no control and that can occur without notice | Force majeure events such as weather event, fire, flood, earthquake, unrest |
| 4.2 Legal Issues | risk arising from legal issues such as injunctions against processing/collecting certain information | regulatory compliance, legislation and litigation |
| 4.3 Business Issues | risks arising from changes in the business environment of the organisation | supplier failure, market conditions and economic conditions |
| 4.4 Service Dependencies | risks arising from the organisation's dependence on external parties | utilities, emergency services, fuel and transportation |

Annexure E: Marsh cyber security Policy Framework (Courtesy of Marsh Insurance Brokers)

Network Security Liability

Liability to a third party as a result of:
- Destruction of a third party's electronic data
- Your network's participation in denial of service attacks
- Transmission of viruses to third party computers and systems
- Prevention of authorised access to an IT System

Data Privacy Liability

Liability to a third party as a result of:
- Unauthorised disclosure of personally identifiable information
- Unauthorised disclosure of third party corporate information in your care, custody or control
- Prevention of authorised access to an IT System

Liability for regulatory fines and defence costs as a result of:
- Unauthorised disclosure of personally identifiable information

Expenses incurred to respond to a personal data breach event, including:
- Computer forensic costs
- Data Breach Incident Response Costs
- Notification costs including call centre costs
- Credit monitoring and ID theft protection costs
- Public Relations and crisis management consultancy costs

Cyber Extortion

A genuine threat to the organisation's IT system or the data may lead to:
- Expert fees to negotiate with the hacker
- A Ransom

Network Business Interruption

The interruption or suspension of computer systems may result in:
- The organisation's loss of income
- Increased costs of working caused by a network security breach

Data Asset Protection

The corruption or destruction of data or computer programs may result in:
- Replacement, restoration or rectification costs
- Costs to determine that data or programs cannot be replaced

Multimedia Liability

Liability arising from the publication of online content:
- Infringement of intellectual property rights
- Invasion of privacy
- Defamation

Dr. Adrian McCullagh

ODMOB LAWYERS

Ajmccullagh57@gmail.com

PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue then
they should seek appropriate legal advice. The author makes no warranty as to
correctness of anything contained in this paper. This paper is the sole opinion of the
author and must not be relied upon as legal advice. Every situation is different and as
such proper analysis must be undertaken when seeking a legal opinion. Consequently,
the author takes no responsibility for any errors that may exist in this paper and certainly
takes no responsibility if any reader takes any actions based on what is (expressly or by
implication) contained in this paper. All readers take full responsibility for anything they
may do in reliance of anything contained in this paper.
