It was a Friday afternoon when the first signs of a computer security problem emerged at a Sydney-based professional services business. An infected zip file had arrived – ostensibly from a client – and been opened, and rogue code was working alphabetically through the business’s files, locking each one as it went.
The managing director, who does not wish to be identified publicly, physically pulled the plug on the computer and called in the IT services supplier. Rather than pay a ransom, the company decided to reboot from its backup.
The organisation had been regularly assured by its IT supplier that its backups were all in order and secure. But when push came to shove, the backup hadn’t worked, and more than seven months of files were lost.
Since June 2015, the business has had to painstakingly recreate the files from emails and attachments. It has cost about A$10,000 in terms of the hours devoted to the rebuild, but it’s hard to quantify the cost of the damage to its reputation.
“I might just pay [a ransom] next time,” says the managing director.
And there likely will be a next time, because computer security is a growing issue in Australia for businesses of all sizes.
Rising cost of cyber attack
In its first unclassified threat report, the Australian Cyber Security Centre notes that in 2014, Cert Australia, the national computer emergency response team, responded to 11,073 cyber security incidents.
The cost of breaches varies significantly, but when the Ponemon Institute and IBM surveyed 350 global enterprises, they found that, on average, the cost of an Australian data breach is A$2.82m.
Admittedly, just 23 Australian businesses were surveyed for the Cost of data breach study released in May 2015, but 43% of them had endured a security breach in the previous 12 months. That relatively small sample may explain why Australia apparently fared better than the US, where the average cost of a breach rose from US$3.52m to US$3.79m (A$5m to A$5.38m) over the space of a year.
The survey deliberately excludes what it terms “catastrophic breaches” – those that involve 10,000 records or more – to avoid skewing the findings for most companies. What it does attempt to price, however, are the direct costs of a breach, such as fees for forensic experts, outsourced hotline support, free credit monitoring subscriptions and discounts for future products and services. It also factors in indirect costs, such as in-house investigations and communications, and extrapolates the likely impact of declined turnover and reduced customer acquisition rates after an attack.
But, as Steve Ingram, cyber services leader for PricewaterhouseCoopers (PwC) in Asia-Pacific, says, the recent Ashley Madison hack demonstrates that the actual costs of breaches can stretch beyond mere money. “Ashley Madison was not just about embarrassment – in some societies adultery is a capital crime,” he notes.
According to Ingram, last year there was a 48% increase in cyber incidents, with two happening every second of every day. PwC’s statistics align roughly with Ponemon’s, putting the cost at roughly A$3m per breach. But it says this could be much higher for some organisations – a bank or retailer, for example, which may need to replace credit cards for millions of customers.
While A$3m is the average cost, Ingram says the number of incidents costing over A$23m has doubled.
Weighing up the value of cyber insurance
While he acknowledges increased interest in cyber insurance, Ingram says such policies have yet to be fully tested – and wonders whether there would be any payouts if the breach was ultimately discovered to be an inside job.
Roger Smith leads the cyber insurance group in Australia at Allianz, which launched its cyber insurance product in February 2014 and is currently focused on serving the needs of enterprise-scale customers.
Asked how much enterprises were currently seeking to insure themselves for, Smith said there was a diverse range, from around $500,000 to $50m.
“Increasingly, organisations are recognising the exposure cyber risk represents under traditional insurance policies like directors and officers liability, and also areas of risk which may not be insured, such as damage to the company’s reputation,” he says.
The biggest risk that companies face is business interruption, says Smith, but the anticipated introduction of mandated data breach notification in Australia will also inject additional cost.
In the US, where data breach reporting is mandated, Allianz aligns with other estimates when it says it can cost US$130 per record to notify and fix.
Smith says the dynamic nature of the cyber security risk and lack of historical actuarial data remains a particular challenge for insurers.
When it comes to pricing premiums, Smith acknowledges that “the lack of information presents a challenge when coming up with a rating structure”. He says that instead of relying on a formulaic approach to pricing risk, which had limited value, Allianz works closely with organisations to analyse the activity of an organisation seeking insurance, its approach to security and the overall culture of the enterprise, to understand and then price the risk profile.
Gartner research director John Wheeler says that, when calculating the total cost of a breach, it is important to add in the breach notification costs, crisis communications, forensic investigation, legal defence, even extortion fees.
Cyber insurance has limitations
While some of these costs could be covered by a cyber insurance policy, not all would.
Business interruption, meanwhile, could be covered by other insurance policies, although Wheeler acknowledges it could be difficult to get paid out because of the often vague definition of business disruption. As a general rule, he says cyber insurance does not cover the reputation costs – only recognising cost recovery for fixing a breach.
Despite the limitations of insurance, there is a growing appetite for protection.
Four to five years ago, Wheeler says it took an attack before management took cyber risk and the need for cyber insurance seriously. That’s no longer the case. “We see more customers proactively seeking this sort of insurance driven by their boards,” he says.
High-profile breaches, such as those at Sony, JP Morgan and Target in the US, and Telstra and Optus in Australia, have placed companies and their boards on high alert.
“We saw after the Sony attack they went for six months without an email. The impact and cost depends on the business continuity of the organisation. The greater costs are around reputation if the brand is damaged,” says Wheeler.
“A retailer or a financial services organisation can quickly spiral into a situation where they have customers leave,” he warns – and that gets pricey real quick.
This was first published in October 2015