Cyber insurance a last line of defence against scams: part 2 of an API Magazine crime series

Have you ever considered why circus trapeze artists perform above a safety net?

It isn’t to make their act seem riskier and edge-of-your-seat exciting but to genuinely safeguard against human error and avoid the grand finale descending to a ‘splat’.

In the real estate and property sector it can sometimes feel like a major sale is the highlight of a day, until you find yourself in a situation where your reputation is mud, your customers are taking you to court because you lost their money or data to a fraudster lurking in the dark web, or that you can’t cover the out-of-pocket expenses that arise from an incident response.

Cyber insurance is the last line of defence.

To threat actors (scammers) all small businesses are ripe for the picking, especially those in the real estate sector known to be transacting large amounts of money.

“Small businesses that have little or no controls will be hit, not because they’ve been targeted - just because they’re the low hanging fruit,” Austbrokers Cyber Pro director Michael Joseph told Australian Property Investor Magazine.

“A lot of these threat actors have automated things such as bots that are just circling around knocking on the door and if the door’s shut, they move on very quickly but if it’s not shut, they go in and say, ‘okay, now we’re in we’ll cause some havoc’.

Michael Joseph, Director, Austbrokers Cyber Pro

“The challenge for very big business is if a threat actor wants to get in, they may spend weeks or months trying to get through that door.

“You won’t see that with a small business, but the attitude of it won’t happen to me, is not a good attitude to have, because I’ve seen it many times; it does happen to them.

“Unfortunately, for some of those businesses, if they don’t have insurance and they transfer $100,000 to a scammer and have to pay that back to a client, that could send them under as a business,” Mr Joseph said.

An Insurance Council of Australia paper released recently, Cyber Insurance: Protecting Our Way of Life in a Digital World, showed only 20 per cent of SMEs and 35-70 per cent of larger businesses have standalone cyber insurance.

“Cyber insurance awareness is low in Australia, however, the digital evolution of the economy and society since the COVID-19 pandemic has resulted in increasing awareness of cyber risks,” Insurance Council of Australia CEO Andrew Hall said.

“As a result of this, in recent years, the number of organisations taking up cyber insurance in Australia has increased rapidly.”

Andrew Hall, CEO, Insurance Council of Australia

The cost to investigate, repair and recover data and operating systems has also increased. In the first quarter of 2022, premiums in the US jumped 110 per cent and in the UK, 102 per cent, according to KPI Broking managing director Ken Phillips.

“UK rates have a flow-on effect in our market; if we go offshore for cover it’s mostly to London.

“Two years ago, a large real estate firm’s cyber insurance premium might have been just under $3,000 per year but this year they’re paying $6,000.”

Mr Joseph said cyber insurance can cover services needed in the wake of a cyber security breach, like a business email compromise or ransomware event. 

“Incident response services and assistance provided at the time of a cyber incident are particularly key for smaller businesses who do not have the funds or manpower for incident response or security operations service.”

“Cyber insurance policies have 24/7 breach assistance numbers that ensure a suite of experts are there to assist the organisation and coordinate the recovery,” he said.

Mr Phillips lists other important items covered as privacy, notification, crisis expenses, data recovery, data extortion, security, business interruption and privacy liability.

“Privacy liability relates to the release of personal identifiable information, which is a breach of privacy, so a business can get sued by their customers or fined by regulatory bodies for releasing that information.

Ken Phillips, Managing Director, KPI Broking

“If it’s all their customers’ data, then they can all sue,” Mr Phillips said.

“Some of these policies have extensions on them, so, for computer and social engineering, which is your business email compromise, they’re often limited to $100,000 cover, or for telephone fraud expenses and reputational harm, to$250,000.

“Cyber products are constantly evolving, and it can be difficult to keep up with, so I tend to stick with the same cyber supplier who offers a product I believe to be one of the broadest.”

Global law firm Clyde & Co has dealt with many cyber attack cases involving significant sums of money misdirected, and breach of personal information of renters, buyers, sellers, and staff.

“Cybercrime will always be a cost of doing business for the real estate industry and there are good insurance options available to parties to protect against financial risk associated with breach investigations, funds losses and associated third party claims and regulatory investigations,” Clyde & Co partner Reece Corbett-Wilkins said.

It’s a key reason Mr Phillips strongly recommends real estate and property sector businesses and suppliers fully embrace risk management from the top level down, and introduce ongoing cyber security training as a regular practice.

“Then, make sure your IT supplier is ticking all their boxes - you want to be able to rely on your IT guys to react really quickly in the case of a cyber security event.

Reece Corbett-Wilkins, Partner, Clyde & Co

“Thirdly, make sure you read all the conditions in your insurance policy so you’re meeting them, as there’s no point purchasing a product if you’re ignoring the conditions,” Mr Phillips advised.

For some policies, it is a condition of claim to have risk management procedures in place before the claim will be considered. If not, the cover is null and void.

“The cyber insurance market no longer has an appetite for organisations that can’t demonstrate strong cyber security checks and balances,” Mr Phillips said.

Mr Corbett-Wilkins said parties entrusted with handling sensitive personal, financial and identity information for buyers, sellers and other parties connected to a transaction (including prospective tenants/buyers/valuers/financiers), and often key parties (such as estate agents and conveyancers/lawyers) hold funds on behalf of transacting parties, making them high risk targets.

“Threat actors follow the money to maximise their chance of cashing out and the recent real estate price boom has provided a fertile playground for motivated cyber criminals to play in.

“You can’t sit on $10.2 trillion of real estate value and expect not to be targeted by sophisticated cyber criminals,” Mr Corbett-Wilkins said of the nation’s property market.

Which is where the real estate professionals that can be flying like a trapeze artist one day may need a reliable safety net on another.