What is cyber insurance and why do I need it?

12th March 2019 12:00 AM

CYBERCRIMES are growing, evolving and targeting businesses of all sizes around the world and as a result, cyber insurance is set to become one of the most essential policies for business owners.

In 2016, an elaborate cyber scam targeting local governments across Queensland took place. The fraudsters managed to steal $450,000 from Brisbane City Council, $294,000 from Townsville City Council and attempted to steal money from at least six others.

After impersonating a supplier, both through emails and phone calls, the scammers tricked the councils into changing the bank details for payments.

Phil Cole manages the Security Operations Centre for the University of Queensland, monitoring its systems for threats and attacks and minimising damage when attacks take place. From everything he's seen, supplier invoice fraud is on the rise.

"These sorts of attacks can be quite sophisticated - not necessarily with the technology but the social aspects of tricking the parties involved. For these sorts of attacks, small businesses that supply big businesses can be targeted," Mr Cole said.


Another scam that has gained traction in recent years is business email compromise, also known as CEO impersonation fraud or CEO wire fraud.

"Business email compromise attacks are the latest evolution of the old Nigerian prince scams and they are big business," Mr Cole said.

The FBI estimates global losses from these scams at around $3 billion.

"In these attacks, criminals will impersonate a senior manager and email a junior staff member, saying that they need help to urgently pay a bill or transfer funds," Mr Cole said.


"Sometimes they will gain access to business email accounts via phishing attacks to get an understanding of the staff, then launch their attack.

"Other times they will use openly available information such as LinkedIn, organisation charts or other business information to determine their targets, and simply spoof the email."

Phishing scams, malware campaigns, attacks against managed service providers, denial of service attacks and theft or loss of data are other common cyber incidents. These have seen cyber insurance become part of prudent cyber security plans in which measures are actively taken to prevent data breaches.


Griffith University senior lecturer in applied ethics and socio-technical studies, Dr David Tuffley, said cyber insurance, also known as cyber liability insurance, will become one of the most important forms of insurance in the future as people live more of their lives in the virtual world.

"Cyber insurance has enjoyed healthy growth in recent years as more business is done online and the potential rewards for cybercriminals rise," Dr Tuffley said.

"We're likely to see strong growth for years to come since cybersecurity is a moving target and the criminals are always adapting new techniques. It covers such things as Forensic Investigation, Business Interruption, Legal and Public Relations, Extortion and Blackmail Costs."

Sharon Kenny, Head of Marketing for online insurance service BizCover, said cyber insurance could provide businesses with financial protection if they suffered a cyber incident.

"It's getting more and more pronounced. In 2017 Australia faced over 10 million cyber attacks and they're expecting this number is going to keep growing," Ms Kenny said.

"Nearly half of those attacks are aimed at small business and the cost for small businesses to manage the impact of a cyber attack is estimated to be around $10,000; funds a lot of small business owners simply don't have."


While many small businesses believe they are covered for cyber attacks under other policies, Kenny said this was often not the case.

"A lot of people think this will be covered under another form of cover, but traditional liability products do not typically cover internet or online exposure and your business interruption following a cyber attack generally isn't covered under a standard business interruption policy," she warned.

But there is a lot small businesses can do to help prevent a cyber attack.

"It's important to have secure networks including firewalls and to encrypt all your information," Ms Kenny said.

"Having up to date systems and software, security software and backups is really important too, and ensuring your staff are trained and educated around policy and procedures."

Mr Cole recommended using password managers such as 1Password or LastPass.

"These securely store all your passwords, which means you only need to remember a single password to unlock it, then you can copy/paste your passwords from there. What this allows you to do then is use very long, random and hence secure passwords unique to each website or service you use," he said.


Both business email compromise and invoice fraud attacks rely heavily on confidence tricks to deceive the victim and trick them into doing something they shouldn't.

"A big part of the defence against these involves making sure that if staff sense something odd or unusual, they don't ignore it but instead check it out and verify," Mr Cole said.

"Business will also often have processes in place for transferring of funds or updating bank details - don't shortcut these, they're there for a reason."

While no single strategy is guaranteed to prevent cyber security incidents, the Australian Signals Directorate recommends organisations implement eight essential mitigation strategies - known as the Essential Eight - to block the majority of cyber attacks.

"It may not be practical for small businesses to implement all eight of these strategies, however implementing as many of these as is practical in the situation will go a long way to reducing risk," Mr Cole said.
