This is content for Liberty International Underwriters

Internet of things a cyber risk for companies

Earlier this year, guests at the lakeside Romantik Seehotel Jaegerwirt hotel in Austria were locked out of their rooms after hackers broke into the hotel’s electronic key system and demanded a ransom to unlock the doors.

In March, personal information, including email addresses and passwords, was leaked, along with access to profile pictures and more than 2 million voice recordings of children and adults, when internet-connected toy maker CloudPets suffered a security failure. Hackers demanded a ransom, threatening to expose the data.

Both the hotel locking system and the children’s toys relied on the Internet of Things, where everyday devices are connected to the internet to allow them to communicate with or be controlled by computer systems.

IT security experts say companies are vulnerable to being hacked via Internet of Things (IoT) devices as their use increases, sometimes without adequate security controls.

“The Internet of things has the potential to increase the attack surface exponentially because we’re potentially talking about many, many devices that have internet connectivity,” says Scott Ceely, managing director of IT security consultancy Seer Security.

The IoT potentially allows hackers to damage not just a company but also its customers, for instance by hacking into a car’s GPS system or into medical devices such as pacemakers.

“The real concern now is about the flood of products into the market that potentially just aren’t safe, for a variety of technical and also privacy reasons,” Ceely says.

In fact, late last year the Privacy Commissioner examined 45 different IoT devices, including fitness and health monitors, smart travel locks and thermostats, from both multinational and start-up businesses and found 71 per cent of them did not provide a privacy policy that adequately explains how personal information is managed.

Hackers can also use the Internet of Things to gain entry into an organisation’s overall computer system, says Michael Shatter, a partner in risk advisory services at RSM.

“The way to think about an attack is that you’re not always going to go straight towards the safe. Sometimes, to get to the safe, you might have to go via the drawer because in the drawer, there might be a little black book that’s got the code for the safe,” Shatter says.

Even something as commonplace as a networked photocopier or printer can add to a company’s vulnerability: these devices sit on the corporate network, frequently ship with factory default credentials, and are often left out of the patching and monitoring applied to servers and workstations.

“What we often do now when we scan an environment during one of our penetration testing attacks, we actually focus on those devices because those devices may have default passwords and credentials,” Shatter says. “These are very useful attack vectors for people with illegitimate objectives to try and gain access to what would otherwise be considered a secure environment.”
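The triage Shatter describes, picking the printers and other embedded devices out of a network scan before anything else, is easy to automate. The script below is an added example written for this page, not code from the article or from the firms quoted: it parses nmap's greppable (`-oG`) output and flags hosts whose open ports look like printers, cameras or other IoT endpoints, together with the management ports (telnet, HTTP) where factory credentials would typically be tried next. The scan data is a constructed sample, the port-to-device mapping is a small illustrative table rather than a full signature set, and the hostnames and addresses are made up.

```python
"""Triage an nmap greppable (-oG) scan for printers and other IoT endpoints.

Embedded devices are rarely patched and often keep factory credentials, so a
penetration tester (or a defender doing a self-assessment) wants them listed
first. This parses nmap's greppable output and flags likely IoT hosts.
"""
import re

# Ports that usually indicate an embedded device rather than a workstation or
# server. Constructed for this example; not an exhaustive signature set.
IOT_SIGNATURES = {
    9100: "raw printing (JetDirect)",
    631: "IPP printing",
    515: "LPD printing",
    554: "RTSP video stream (camera)",
    1900: "UPnP/SSDP",
    161: "SNMP (often community 'public')",
}
# Management services where factory credentials are typically tested.
MGMT_PORTS = {23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}
CLEARTEXT_MGMT = {23, 80}  # credentials cross the wire unencrypted

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

# Constructed sample in nmap -oG layout (tab-separated fields), not real data.
SAMPLE_GNMAP = "\n".join([
    "# Nmap scan (constructed sample for illustration)",
    "Host: 10.0.1.10 (fileserver.corp.example)\tStatus: Up",
    "Host: 10.0.1.10 (fileserver.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)",
    "Host: 10.0.1.20 ()\tPorts: 80/open/tcp//http//HP HTTP Server/, 631/open/tcp//ipp///, "
    "9100/open/tcp//jetdirect///, 23/open/tcp//telnet///\tIgnored State: closed (996)",
    "Host: 10.0.1.30 ()\tPorts: 554/open/tcp//rtsp///, 80/open/tcp//http//Boa HTTPd/"
    "\tIgnored State: closed (998)",
    "Host: 10.0.1.40 (printer-2.corp.example)\tPorts: 515/open/tcp//printer///, "
    "161/open/udp//snmp///\tIgnored State: closed (998)",
])


def parse_gnmap(text):
    """Parse nmap -oG output into a list of {host, hostname, ports} dicts.

    The 'Ports:' field holds comma-separated entries of the form
    port/state/proto/owner/service/rpcinfo/version/; only open ports are kept.
    """
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        entry = {"host": m.group(1), "hostname": m.group(2), "ports": []}
        # Fields are tab-separated "Key: value" pairs; split on the first ": ".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for spec in fields["Ports"].split(","):
            parts = spec.strip().split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            entry["ports"].append({
                "port": int(parts[0]),
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6],
            })
        hosts.append(entry)
    return hosts


def triage(hosts):
    """Flag hosts exposing an IoT/printer port; list their management ports.

    Each finding records the IoT indicators, the admin interfaces to test for
    default credentials, and whether any of those interfaces is cleartext.
    """
    findings = []
    for h in hosts:
        open_ports = {p["port"] for p in h["ports"]}
        indicators = [f"{p}/{IOT_SIGNATURES[p]}" for p in sorted(open_ports)
                      if p in IOT_SIGNATURES]
        if not indicators:
            continue  # looks like an ordinary server or workstation
        mgmt = [f"{p}/{MGMT_PORTS[p]}" for p in sorted(open_ports) if p in MGMT_PORTS]
        findings.append({
            "host": h["host"],
            "hostname": h["hostname"],
            "indicators": indicators,
            "management": mgmt,
            "cleartext_admin": bool(open_ports & CLEARTEXT_MGMT),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP)):
        name = f["hostname"] or "(no reverse DNS)"
        print(f"{f['host']} {name}: {', '.join(f['indicators'])}")
        print(f"  admin interfaces: {', '.join(f['management']) or 'none seen'}"
              f"{'  [cleartext]' if f['cleartext_admin'] else ''}")
```

On the sample, the file server is ignored while the printer, the camera and the second printer are listed with their admin interfaces, which is the list a tester would hand to a default-credential check, and a defender would hand to whoever owns network segmentation.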

The looming introduction of mandatory data breach notification, expected early next year, has also put a spotlight on cyber security.

Under the bill, which was passed by Parliament in February, businesses and government agencies will be required to notify the Privacy Commissioner if they suffer an eligible data breach. They also have to notify the affected individuals “as soon as practicable” after becoming aware that a breach has occurred.

The legislation covers government agencies and organisations governed by the Privacy Act, although most companies with an annual turnover of less than $3 million are exempt.

A failure to comply with notification rules can incur fines of up to $360,000 for individuals and $1.8 million for organisations.

Kelly Butler, Managing Principal & Cyber Leader at insurance broker FINPRO Marsh, says there is a heightened awareness about cyber risks and more companies are seeking out specialist insurance.

While some general business insurance policies carry cyber extensions, these often only cover the expenses incurred by the company itself in the event of a cyber breach.

“Those extensions don’t really offer the full scope of what a cyber policy is meant to do and a cyber policy in my mind is really plugging the gaps of those traditional policies that haven’t really evolved with the world and technology and aren’t adequate enough in terms of looking at the cyber risk that clients now face,” Butler says.

A standalone cyber policy covers the expenses involved in a cyber breach, such as the cost of notifying the Privacy Commissioner and customers, business interruption, the cost of IT and crisis consultants, and the cost of defending a prosecution over the data breach and any fines.

Cyber extortion cover is usually included, for example where a company’s data is stolen and a ransom demanded. It can extend to the cost of negotiating as well as any ransom eventually paid.

Importantly, cyber policies generally cover third-party expenses, such as if customers suffer a loss or damage because their personal or financial data has been compromised.

Butler says the internet of things is a new area for the insurance sector, although some insurers already offer policies that cover third-party damage arising from IoT hacking.