Australian cyber claims: live and kicking

Cyber is an evolving risk issue that has become a leading concern for many organisations. In an increasingly punitive legal and regulatory environment, it has potential to cause major financial and reputational damage. Importantly, directors need to set the culture, putting cyber risk on board level agendas regularly and with adequate time. Boards need to be highly aware of legislation and legal responsibilities.

Cyber risks have continued their rapid climb, moving into the top five business risks globally for the first time this year. In a recent survey of Australian CEOs conducted by PwC [i], cyber risk was rated the second highest business threat to organisational growth.

“Cyber crime has now outweighed drug trafficking as the most lucrative form of crime.”

Some overseas cyber criminal networks have sophisticated business models with established business strategies, executive management teams and even employee health-plans & performance reviews. This problem is not going away, particularly as Australia moves up the ranks to become a number one target.

Australia ranks as one of the most hacked countries [ii] in the world.

The recent Australia Post phishing scams [iii] highlight Australia’s vulnerability, with the scam achieving an 80% success rate and a speeding infringement scam resulting in a 95% success rate.

These high success rates motivate hackers to further focus efforts on Australian business and scale up their attacks, targeting specific employees in organisations to steal corporate secrets, credit card details, bank records, customer lists, intellectual property and more.

Current scenarios

A common threat we are seeing in Australia is CFOs in global firms receiving emails from what appear to be legitimate head office email addresses, requesting a transfer of funds to an offshore bank account to pay for overseas taxes.

We have also seen examples where hackers placed software within the company systems to monitor email correspondence and look for legitimate requests on the part of a supplier, such as a change of bank account. At this point the hackers would step in as the “man-in-the-middle” and take over control of the conversation, ultimately ensuring that the money transfer would go to their own account and not to the legitimate supplier’s account. To launch such an attack, it is sufficient to penetrate the systems at only one of the two companies involved.

Another common scenario is the ‘crypto locker’, where hackers place malware onto an organisation’s network and encrypt all files. They then demand a ransom be paid in order to un-encrypt the operating system. Clients have reported paying the ransom and then finding that their systems are wiped, or that the hacker encrypts the files again six months later and demands a further payment.

Other companies that operate infrastructure, such as utility providers, have had physical engineering tampered with through hacked computer networks, causing havoc and major environmental incidents.

Australian banks have also been the target of attacks. In February this year, a virus known as Carbanak [iv] was used to access bank employee computers and ultimately get inside the banking network. Once inside, the hackers can mimic the actions of cash transfer staff after watching how they operate. The hackers then transfer money from the bank into off-shore accounts or order the bank’s ATMs to dispense cash to a waiting criminal.

A changing risk landscape

In Australia, cyber incidents have increased 48% in the last 12 months and the annual cost to Australian business of data breaches alone is $1.6 billion. The Ponemon Institute’s 2014 Cost of Data Breach: Australia report [v] found that the average cost of a data breach experienced by Australian companies was $2.8 million.

From a data protection and recovery perspective, Australia is also lagging behind. The EMC Global Data Protection Index [vi] found 64% of Australian businesses experienced data loss or downtime in the last 12 months, with 78% not fully confident in their ability to recover after a disruption.

Business trends such as big data, mobile and hybrid cloud also create new challenges for data protection in Australia, with 58% of businesses lacking a disaster recovery plan for any of these environments and just 7% having a plan for all three [vii].

Figure 1. Source: Aon Risk Solutions

Australian Cyber Insurance Claims

For those interested in not just hearing about cyber scenarios in Australia but actual cyber insurance payouts, here are a few examples:

  • A company accountant of a Sydney manufacturing firm received an email from her boss asking her to transfer $120,000 to a supplier abroad. Because this was a common type of request, she processed the payment before realising that the tone of the email wasn’t right and the domain name was a single letter off. Upon further investigation, it was found that cyber thieves had infiltrated their systems and grown knowledgeable enough about company dealings to send a convincing phishing email that lost the company thousands. The cyber policy covered the costs associated with phishing scams.
  • A director of a medium-sized healthcare firm in Brisbane received an email from an unknown individual who claimed that he had breached the company’s systems and was holding confidential patient data which he would release to the public unless the company paid 25 bitcoin (approximately $7,500). The insurer’s claims team first helped identify that this was a credible threat and then worked closely with the company to determine if paying the ransom would be the best course – which was the ultimate outcome.
  • A furniture store based in Melbourne was the victim of a significant data breach after malware had been unknowingly installed on some of its in-store payment systems. The malware evaded anti-virus software and was present on the system for many months, resulting in the loss of nearly 20,000 customer credit card details. The company faced a large bill after it had to launch a forensic investigation and pay for Payment Card Industry related fines and card brand assessments. The cyber insurance policy responded to these forensic costs and PCI fines.
  • An unencrypted laptop belonging to an employee of a charity was left on public transportation. It contained the personal details of nearly 5,000 donors. Conscious of the need to protect its brand and reputation, the charity decided to voluntarily notify those affected. The cyber policy covered the notification costs.
  • A small accountancy firm found their entire network riddled with malware after a temporary worker accidentally clicked on an infected link. In order to fix the problem, they had to hire a specialist team of IT forensic consultants to rebuild their system and restore data at a cost of $45,000. The cyber policy covered the external costs associated with restoring, repairing and rebuilding systems.

Where to from here?

There is a significant need for organisations and boards to become more aware of the threat that cyber risk poses to their bottom line, brand & reputation. As awareness increases and highly publicised breaches continue to be seen in the media, companies are looking to transfer some of the financial risk off the balance sheet to an insurance mechanism.

As insurers contemplate the opportunities around this growing market, they must also consider the risks. This is often a difficult class to price given limited historical actuarial data. The difficulty is heightened when considering the impact of aggregate exposure amongst insureds, who often use the same cloud providers, and the systemic risk that may flow from a ‘black swan’ event.

[i] http://www.pwc.com.au/ceosurvey/
[ii] http://www.idgconnect.com/abstract/10004/why-australia-hacking-magnet
[iii] http://auspost.com.au/about-us/scam-alerts.html
[iv] http://www.abc.net.au/news/2015-02-17/banks-victim-of-multi-national-hacking-attack-security-firm-says/6130370
[v] http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
[vi] http://www.emc.com/microsites/emc-global-data-protection-index/index.htm?cmp=SOC-14Q4-GDPI-OT
[vii] http://www.emc.com/microsites/emc-global-data-protection-index/index.htm?cmp=SOC-14Q4-GDPI-OT

Eric Lowenstein
Cyber Risks Practice Leader
Aon Risk Solutions
Level 33 201 Kent Street Sydney NSW 2000
t +61 2 9253 7445 | m+ 61 402 103 633
eric.lowenstein@aon.com | aon.com.au

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.