In the COVID-19 pandemic, businesses have been forced to move to remote working. This change in modus operandi opens a whole new opportunity for cyber hackers to try to infiltrate your computer systems, programs, software and networks as you operate remotely across your devices.
The cost can be huge. Data from the Australian Cyber Security Centre (ACSC) found that cyber attacks on Australian businesses are costing the economy $29 billion a year.
All signs point to a rise in these cyber attacks, too. The government started receiving pandemic-themed cyber crime reports from March this year, and ASIC recently reported over 100 reports of COVID-19-themed scams. So, it is not a matter of if you get hacked, but when!
While every industry is at risk, the mortgage industry has very significant risk factors, such as:
- The amount of private information held (such as ID, financials, bank account details, transfer of monies, titles etc);
- The value of this private information to criminal activity; and
- The number of parties involved in a transaction (buyers, vendors, brokers, conveyancers, financial institutions, real estate agents, loan mortgage insurers, aggregators) who are likely all working from a different software platform.
A breach in any step of the loan writing process, which may be as simple as someone having the same passwords for multiple accounts or out-of-date anti-virus software, could have catastrophic results.
Bear in mind that there are new and emerging risks, too. Credential stuffing uses lists of compromised user credentials to break into a system. The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services. Meanwhile, social engineering is used by hackers to intercept emails and steal bank account details with the intention of fraudulently transferring funds.
But it’s not just attacks that leave the industry exposed.
What if you left a USB stick in a café, with all your clients’ financials?
Or what if, while trying to multitask, you accidentally sent an email to the wrong person while on the phone? Both events could be classified as “breach of privacy” in a cyber world.
So, how can a business protect itself from the damage of cyber attacks?
Having a cyber insurance policy is one option. Cyber insurance covers your business and third-party losses that you are responsible for due to any negligence.
This can include:
Cyber extortion cover
This covers damages and costs associated with mitigating a cyber extortion incident, including ransom and reward payments, where the law allows. Cyber criminals often trade in bitcoin models where the proceeds are untraceable.
Theft and loss of data restoration
This covers incidents where an information asset went missing, whether through misplacement or malice. This includes the cost of data loss restoration, including decontamination and recovery.
Business interruption cover
This covers losses due to a network security failure or attack, human errors or programming errors. It covers reasonable costs to bring your business back to the condition it was in immediately before the cyber event.
Breach of privacy liability cover
This covers liability arising from failure to maintain confidentiality of data, and regulatory investigation expenses. It covers regulatory fines (where the law allows), regulatory action defence costs and consumer redress payments. In addition, it covers notification of those affected by the privacy breach.
Crisis communication expenses cover
This covers crisis management and mitigation measures to counter a credible impending threat, or actual cyber event, against your IT infrastructure/software.
Incident response and investigation costs (the most important part)
These types of costs incurred are also supported by a 24/7 emergency assistance service, including cyber learnings for your employees. Access to an incident response hotline provided by insurers can support you throughout this stressful time and the ongoing claims process by using a network of forensic, cyber extortion, legal, notification, fraud remediation and public relations experts. Some cyber insurers also have access to a range of online webinars, tips, tools and cyber-related information.
You could also follow some of the following steps to reduce your risk of attack:
- Undertake a refresher of any IT guidelines that have been issued and familiarise yourself with the do’s and don’ts of your network;
- Install required anti-virus and malware software on your computer systems;
- Change your password on a regular basis and do not share passwords;
- Take care not to leave your mobile phone or laptop open without locking it if you move away from it;
- If you are forced to use public WiFi options, don’t take the option where you can let others in your vicinity see your ID. Also be aware of who is sitting near you and could see over your shoulder;
- Regularly back up to an external hard drive or the cloud;
- Take care when surfing the web and be mindful of the information you share and any two-way activity that you engage in, such as chatting on forums;
- Rethink any “click here” buttons on such sites or emails. This is often done to steal your IP address (your location) and use it elsewhere unlawfully;
- Educate yourself, your employees and even your clients on the risks that are associated with data protection;
- Stay on top of any breaches, watch for email alerts; and
- Have an incident response plan in place to know what to do should this happen to you and test your privacy control.
I hope the above is of assistance to you and your business.
James Gillard is the managing director of Insurance Made Easy. He is responsible for major account acquisition, servicing and liaising with underwriters, risk management strategies, marketing, promotions and seminars.
He has 25 years of general insurance experience as a broker and business owner and 15 years of sales and management experience in the travel industry. In addition, he is a qualified and practising mortgage/finance broker, with 12 years of experience.