ODMOB LAWYERS
Cyber Insurance

Most modern organisations globally ... have migrated their IT systems ... environments, enterprises ... their IT systems. Since the value of IT penetration ... be under-estimated but ... the security of your IT infrastructure. ... the criminal ... take advantage of the ... so as to capitalize on the vulnerability. ... technology is implemented ...
Managing Security Risk

Now ... globally ... transference of risk. ... announcing new cyber ... authors have ... In fact, organisations, including ... organisations. Cyber insurance is a post-event compensatory mechanism. ... each of these ...
In line with Australian Standard ... expended substantial ... is generally understood as ... to implement cyber ... event occurring ... that will ... protection ... secure system. ... No matter what precautionary security ... absolute ... The insurance company will hopefully ... the accident ... such operations. ... many ... the insured ... cyber risk ... insurer ... occurring, then the appropriate policy to cover ... insurance from ... adverse event.
It is not ... These technology/procedures will include: ... include non-deductible ... There are ... in Australia offering cyber-risk ... stage and have ... standard ... can result in vastly ... basically the same policy ... independent and not interdependent ... and when dealing with ... interconnects ... AIRMIC (Association of Insurance and Risk Managers in Industry and Commerce) undertook an ... insurance companies have ... cases inappropriate. ... what the proposed insured has implemented, for example:
1. What security architecture technology has been implemented, e.g. firewall technology;

2. What access control technology has been deployed;

3. Has an intrusion detection system been deployed;

4. What qualifications / experience do the security staff possess;

5. What type of information does the proposed insured collect/process: is it credit card information, or sensitive personal information such as health records;

6. Is the proposed insured a high profile target? This may be assessed by way of industry sector, such as the banking, health or transport sectors, or by way of trade name, such as high profile companies like major retailers or multi-media companies;

7. Does the proposed insured have a security awareness program in place? It is not uncommon for cyber-risk incidents to occur through inadvertence on the part of an internal staff member, for example by opening a document from someone they have no knowledge of, where the document has malware attached or embedded in it;

8. What patching mechanism/process has been implemented? A case in point is the Verizon Slammer worm case, where Verizon argued that it had done everything possible to prevent an infection from the Slammer worm. The Maine Public Utilities Commission held that while Verizon's Operational Support Systems (OSS) faced a serious situation with the attack by an Internet "worm" on Saturday, January 25, 2003, the Company did not prove that it took sufficient steps to prevent this type of occurrence from having a major effect on its systems. Basically, there was a failure to implement promptly a patch that the vendor had published some six months before the outbreak, which allowed the worm to impact Verizon's business operations.
Cyber Insurance Policy

As noted above, ... Cos. ... a large US-based insurance company ... that their General Liability ... not cover any costs ... Such insurance is ... mature within the insurance sector. However, ... damage to reputation.

Reputation Liability

Despite this ... now specifically ... Instead it is important to ... For ... that has been ... How this is ... State-funded attacks are not constrained by either resources or time. Most ... zero day ... characteristics ... the STUXNET worm attacked ... industrial ... and programmable logic controllers ... years.

Further, commercial hacking ... reasons ... commercial ... property ... of its PlayStation ... as to why an organisation should ... Further, the ... In ... reason ... nefarious ...

In November 2014 the Australian Government established the Australian Cyber Security Centre (ACSC). ... still ... the ... organisations ... for this ... that has not ... The ACSC comprises:

Australian Crime Commission (ACC)
Australian Federal Police (AFP)
Australian Security Intelligence Organisation (ASIO)
Australian Signals Directorate (ASD)
Computer Emergency Response Team (CERT) Australia
Defence Intelligence Organisation (DIO)
Consequently, it is important ... first ... cyber-security ... The ACSC ... public threat report ... Cyber ... instigated ... deny, degrade or destroy ... stability or prosperity ... aspects: ... the insured. ... ransom-ware. This type of ... amount ... perpetrator. ... Without the decryption key ... message ... all ... This modern ...
Conclusion

... increase in cyber-attacks against Australian ... over time. Cyber insurance is ... market as there are ... organisation has a ... of an organisation ... the organisation's data relates ... like ... (a) it may ... forces ... not an ... the organisation to ...
Annexure A: Simple Bow Tie Risk Model

[Diagram: four causations (Causation 1 to 4), each paired with a treatment (Treatment 1 to 4), lead in to the central Hazard/Event; on the other side, three mitigations (Mitigation 1 to 3) stand between the event and three impacts, each carrying a $ value (Impact 1 to 3).]

A treatment is designed to reduce the likelihood of the event occurring; for example, the implementation of firewall technology designed to repel some cyber attacks. A mitigation sits on the impact side of the event, between the event and each $-valued impact.
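To make the bow tie concrete, the following is an added example and not part of the paper: a small Python model in which treatments scale down the likelihood of each causation, mitigations scale down each $-valued impact, and a policy with an assumed deductible and limit pays out only after the event. Every probability, dollar figure, effectiveness factor and policy term is constructed for illustration; none comes from an insurer, a standard or any real incident. The model also makes the paper's point visible in numbers: the policy changes who bears the loss, not whether the event happens or how large the gross loss is.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Causation:
    """Left side of the bow tie: a cause, and the treatments that cut its likelihood."""
    name: str
    annual_probability: float                   # untreated chance per year this cause fires the event
    treatments: List[float] = field(default_factory=list)   # fraction of likelihood each removes

    def treated_probability(self) -> float:
        p = self.annual_probability
        for effectiveness in self.treatments:
            p *= 1.0 - effectiveness
        return p


@dataclass
class Impact:
    """Right side of the bow tie: a $-valued consequence, and the mitigations that shrink it."""
    name: str
    value: float                                 # unmitigated loss in $ if the event occurs
    mitigations: List[float] = field(default_factory=list)  # fraction of loss each removes

    def mitigated_value(self) -> float:
        v = self.value
        for effectiveness in self.mitigations:
            v *= 1.0 - effectiveness
        return v


@dataclass
class Policy:
    """Post-event compensatory layer: pays the loss above the deductible, capped at the limit."""
    deductible: float
    limit: float

    def recovery(self, loss: float) -> float:
        # Below the deductible nothing is paid; above deductible + limit the payout is capped.
        return max(0.0, min(loss - self.deductible, self.limit))


def event_probability(causes: List[Causation], treated: bool = True) -> float:
    """P(event) treating the causes as independent: 1 - prod(1 - p_i)."""
    none_fire = 1.0
    for c in causes:
        p = c.treated_probability() if treated else c.annual_probability
        none_fire *= 1.0 - p
    return 1.0 - none_fire


def loss_given_event(impacts: List[Impact], mitigated: bool = True) -> float:
    return sum(i.mitigated_value() if mitigated else i.value for i in impacts)


def summarise(causes: List[Causation], impacts: List[Impact], policy: Policy) -> Dict[str, float]:
    p_raw = event_probability(causes, treated=False)
    p = event_probability(causes)
    l_raw = loss_given_event(impacts, mitigated=False)
    l = loss_given_event(impacts)
    paid = policy.recovery(l)
    return {
        "p_event_untreated": p_raw,
        "p_event_treated": p,
        "loss_unmitigated": l_raw,
        "loss_mitigated": l,
        "expected_loss_untreated": p_raw * l_raw,
        "expected_loss_treated": p * l,            # insurance does not change this figure
        "insurer_pays_per_event": paid,
        "expected_retained_loss": p * (l - paid),  # what the insured still expects to carry
    }


def build_example():
    """Constructed illustrative figures (assumptions), not data from any insurer or incident."""
    causes = [
        Causation("phishing of staff", 0.30, treatments=[0.50]),    # awareness programme
        Causation("unpatched service", 0.20, treatments=[0.75]),    # prompt patching
        Causation("perimeter intrusion", 0.10, treatments=[0.60]),  # firewall / IDS
    ]
    impacts = [
        Impact("business interruption", 500_000.0, mitigations=[0.40]),  # tested backups
        Impact("notification and legal", 200_000.0),                      # no mitigation assumed
        Impact("reputational loss", 300_000.0, mitigations=[0.50]),       # rehearsed IR / comms
    ]
    policy = Policy(deductible=50_000.0, limit=400_000.0)
    return causes, impacts, policy


if __name__ == "__main__":
    for key, value in summarise(*build_example()).items():
        print(f"{key:>26}: {value:,.4f}")
```

With the constructed figures, treatments take the annual event probability from 0.496 to 0.2248 and mitigations take the loss per event from $1,000,000 to $650,000; the policy then pays $400,000 of that $650,000, leaving the insured an expected retained loss of $56,200 a year. Swapping the deductible or limit only moves money between the insured and the insurer, which is why the questionnaire above asks about firewalls, patching and awareness rather than about the policy itself.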
3. Cyber extortion: attempt to extort money by threatening to damage or restrict the network, release data obtained from the network and/or communicate with the customer base under false pretences to obtain personal information

4. Reputational damage: arising from a data protection breach being reported (whether factually correct or not), that results in loss of intellectual property, income, loss of customers and/or increased cost of operation

5. Theft of money and digital assets: direct monetary losses and associated disruption from theft of computer equipment, as well as electronic theft of funds / money from the organisation by hacking or other type of cyber crime
1. Security and privacy breaches: investigation, defense cost and civil damages associated with a security breach, transmission of malicious code, or breach of third-party or employee privacy rights or confidentiality, including failure by an outsourced service provider

2. Investigation of privacy breach: investigation, defense cost, awards and fines (may not be insurable in certain territories) resulting from an investigation or enforcement action by a regulator as a result of security and privacy liability

3. Customer notification expenses: legal, postage and advertising expenses where there is a legal or regulatory requirement to notify individuals of a security or privacy breach, including associated reputational expenses

4. Multi-media liability: investigation, defense cost and civil damages arising from defamation, breach of privacy, negligence in publication of any content in electronic or print media, as well as infringement of the intellectual property of a third party

5. Loss of third party data: liability for damage to or corruption / loss of third-party data or information, including payment of compensation to customers for denial of access, failure of software, data errors and system security failure
Annexure D: Cyber Risk Insurance Policies (Biener, Eling & Wirfs analysis)

Category | Subcategory | Description | Elements
1. Actions of people | 1.1 Inadvertent; 1.2 Deliberate; 1.3 Inaction | ... | ...
2. ... | 2.3 Systems | ... | ...
... | ... | business risks arising from changes in the ... external parties | ...
Annexure E: Marsh Cyber Security Policy Framework (courtesy of Marsh Insurance Brokers)

Data Privacy Liability

Cyber Extortion
A genuine threat to the organisation's IT system or the data may lead to:
Expert fees to negotiate with the hacker
A ransom

Multimedia Liability
Ajmccullagh57@gmail.com
PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue then they should seek appropriate legal advice. The author makes no warranty as to the correctness of anything contained in this paper. This paper is the sole opinion of the author and must not be relied upon as legal advice. Every situation is different and as such proper analysis must be undertaken when seeking a legal opinion. Consequently, the author takes no responsibility for any errors that may exist in this paper and certainly takes no responsibility if any reader takes any actions based on what is (expressly or by implication) contained in this paper. All readers take full responsibility for anything they may do in reliance on anything contained in this paper.