Cyber security – statutory obligations and business continuity

Saturday, May 20, 2017

The recent global cyber-attack by the ransomware known as 'WannaCry' was initially reported as a malicious email campaign, sending nearly five million emails per hour with infected attachments. Subsequent analysis showed that WannaCry is a worm: once one machine on a network is infected, it spreads directly to other Windows machines through a vulnerability in the SMBv1 file-sharing service (the flaw Microsoft patched in March 2017 under security bulletin MS17-010), without anyone having to open an attachment.

To date, over 200,000 infections have been reported in 150 countries, including Australia. Once inside a company network, the self-replicating code scanned for and infected every other unpatched Windows machine it could reach. Infected machines displayed a ransom note demanding US$300 in Bitcoin, with the price doubling after three days, in exchange for the decryption of the user's files. This type of attack is known as "ransomware", and we have shared a pictograph of how this virus works, courtesy of The Wall Street Journal.


Many reports have described the attack as the largest online extortion campaign recorded to date.

Dan Tehan, the Federal Assistant Minister for Cyber Security, said the attacks were primarily aimed at small to medium sized private sector businesses, particularly those using older software and IT infrastructure.

Microsoft had released a fix for the vulnerability in March 2017 for all supported versions of Windows (Windows 7, 8.1 and 10, and Windows Server 2008 onwards), so supported systems were hit only where that update had not been applied; most infected machines were in fact running Windows 7 without the March update. Windows XP, Windows 8 and Windows Server 2003 had fallen out of support and had no fix at all until Microsoft issued emergency security patches for them after the outbreak began. Organisations running Windows 7, 8.1 or 10 should confirm that the latest security updates have actually been installed rather than assume that they have.

We believe this kind of attack will now be commonplace and can affect any business regardless of its size or industry. It is a timely reminder of the need to apply security patches promptly and to keep technology on versions that are still supported by the vendor.
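The two checks a Windows administrator would want after reading the above are whether the MS17-010 fix is present and whether SMBv1, the service WannaCry spreads through, is still enabled. The following PowerShell script is an added example written for this page; it is not part of the original newsletter, and the script name, the -Remediate switch and the structure of the checks are our own. The KB numbers are Microsoft's published identifiers for the March 2017 fix on Windows 7 / Server 2008 R2, Windows 8.1 / Server 2012 R2 and Server 2012, plus the May 2017 out-of-band fix for Windows XP, Windows 8 and Server 2003. Run it from an elevated PowerShell session on the host being checked.

```powershell
# check-ms17010.ps1 (added example, not from the original newsletter)
# Reports whether this host has an MS17-010 update installed and whether
# SMBv1 is enabled on the server side; -Remediate turns SMBv1 off.
param([switch]$Remediate)

# Published MS17-010 KB identifiers. Windows 10 is deliberately absent: its
# cumulative updates supersede each other, so a KB lookup proves nothing there.
$ms17010Kbs = @(
    'KB4012598',              # XP / Windows 8 / Server 2003 out-of-band (May 2017)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'  # Server 2012
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) (build $($os.BuildNumber))"

# 1. Is one of the March/May 2017 SMB fixes listed as installed?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 fix installed: $($installed.HotFixID -join ', ')"
} else {
    # A later monthly rollup replaces the March KB in this list, so treat a
    # miss as a prompt to verify against the MS17-010 bulletin, not as proof.
    Write-Warning "No MS17-010 KB found. Host is either unpatched or carries a later rollup; verify against the MS17-010 bulletin."
}

# 2. Is SMBv1 still enabled on the server side?
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting directly.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: the documented switch is the SMB1 registry
    # value; when it is absent SMBv1 is enabled, which is the default.
    $val = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}

if (-not $smb1Enabled) {
    Write-Host "SMBv1 server is disabled."
} else {
    Write-Warning "SMBv1 server is ENABLED; this is the protocol WannaCry uses to spread."
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            Write-Host "SMBv1 disabled via Set-SmbServerConfiguration."
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
            Write-Host "SMB1=0 written to LanmanServer parameters; a reboot is required."
        }
    }
}
```

Disabling SMBv1 is the durable control here: it removes the attack surface even on a machine where the patch status cannot be confirmed, but check first for legacy devices (old NAS units, multifunction printers) that still rely on SMBv1 before running with -Remediate across a fleet.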

Government agencies

Government agencies are taking a lead on cyber security as highlighted by the Department of Immigration & Border Protection (DIBP) in a formal statement outlining their preparedness should an attack occur to their IT infrastructure – refer http://newsroom.border.gov.au/releases/statement-on-anao-s-audit-on-cybersecurity

It is encouraging that, despite the complex and cross-jurisdictional environment the DIBP operates in, there had been no successful attacks on its IT infrastructure as at the date of the statement. The DIBP has completed a major program to mitigate cyber risks, while acknowledging that more work remains to be done.

The Australian government's Cyber Security Strategy estimates cybercrime costs the country $17 billion annually.

Meanwhile, global cybersecurity company, Symantec, reports that 2015 saw over one million cyber attacks each day, including a record setting total of nine "mega-breaches" – defined as those in which more than 10 million records were compromised or stolen.

Mandatory Data Breach Reporting now a reality

Members should also be aware that the Federal Government has acted to prevent companies from hiding significant data breaches affecting the public they serve by passing the Privacy Amendment (Notifiable Data Breaches) Act 2017, which received Royal Assent on 22 February 2017. The mandatory data breach notification requirements commence 12 months after that date. To comply, organisations need to ensure that by 22 February 2018 they have reviewed and updated their privacy procedures to document what must be done in the event of an eligible data breach, including notifying affected individuals as well as the regulator.

The requirement applies to all entities governed by the Privacy Act: Australian Government agencies, organisations with annual turnover of more than $3 million, and certain smaller organisations (such as health service providers) that the Act already covers. These entities must report "eligible data breaches" to the Office of the Australian Information Commissioner (OAIC) and notify the individuals at risk. Failure to comply can lead to civil penalties of up to $1,800,000 for an organisation or $360,000 for an individual.

For further information about who is subject to the Privacy Act, please visit the website of the OAIC at www.oaic.gov.au/privacy-law/rights-and-responsibilities.

Case study

Given that cyber-attacks are now an everyday reality, readers should begin reviewing their potential cyber threats and preparing for the consequences of an attack.

The good news is that there are insurance products available which cover these specific cyber and privacy breach exposures. In addition to monetary cover, some insurers have engaged dedicated and experienced IT breach response teams, including specialist lawyers, IT forensic investigators and consultants, with the aim of achieving the best possible outcome for their clients.

We recently met with one of our insurance company partners and they made us aware of a recent claim lodged under their Cyber Liability product.

Their client was a freight forwarder. A disgruntled ex-subcontractor hacked the forwarder's network multiple times with the intention of disrupting business operations.

As a result of the attacks, the forwarder's network was down for 21 days. The forwarder's cargo/order tracking software and web-based warehouse management system were severely compromised, leaving the forwarder's customers with no online visibility of their shipments and causing considerable stress for the forwarder and its customers alike.

The forwarder's woes continued as the IT issues spread upstream to its international partners.

The insurer responded by engaging a specialised service provider to locate and rectify the main cause of the disruption and to facilitate the restoration of the entire network.

The insurer settled the claim for $280,000 which was made up of $110,000 in Defence Costs and $170,000 paid out in relation to IT expenses and lost income for the time the network was down.

For more information about how we can assist members with this vital coverage, please contact our insurance advisor, James Cotis, at jcotis@FTAlliance.com.au.


Paul Zalai and James Cotis – Advocates for the Australian Freight and Trade sectors
www.FTAlliance.com.au