ASIC fires cyber warning shots
Get real: ASIC says both sides of cyber insurance sector must tighten up
ASIC Commissioner John Price has read the riot act, albeit civilly, to both companies and insurers over the need for boards of the former to get their cyber resilience up to spec and the latter to make sure their products aren't shonky.
Speaking at the inaugural InnovationAus.com Cyber Insurance Forum, Mr Price went the full stern schoolmaster on company boards who are still head-in-sand over cyber risk and resilience.
“Never before has this issue been more important for the boards of companies, who help set the strategy and risk appetite for their organisations, and the executive management of those companies, whose role is to design and implement the company’s risk management framework, and ensure it operates within the risk appetite set by the board,” said Mr Price, who is also a member of the Council of Financial Regulators and the sponsor of ASIC's Innovation Hub for FinTechs.
“In particular we expect boards to understand what it takes to improve an organisation’s overall cyber resilience so it can survive and recover from an attack as quickly as possible,” he told the Cyber Insurance Forum.
Mr Price expressed support for the burgeoning cyber insurance industry, which is on the up due to a global flood of cyber threats and incidents, and the February onset of mandatory breach notification legislation in Australia.
“For ASIC, it’s important that companies have a good risk culture in this area because that helps foster investor and consumer confidence and also fair and efficient markets.
“In our view, putting a price on cyber risk gives companies a strong incentive to develop a better risk culture,” he said.
While ASIC might like a price on cyber risk, Mr Price also put the cyber insurance industry on notice that it was being watched by the national corporate regulator.
“ASIC also has an important role in regulating the conduct and disclosure of people who provide and market insurance products, including cyber insurance.
“We focus on conduct of insurers and distributors through the lens of fair outcomes for consumers and investors, including customers and investors being treated fairly, insurance products performing in the way that customers and investors have been led to believe they will and delivering value for money, and financial services firms taking into account consumers’ information imbalances,” Mr Price said.
The ASIC Commissioner had good things to say about cyber insurance and the risk assessment and cyber auditing that creating a cyber insurance policy entails.
“We expect cyber risks to be a component of (a company’s) enterprise risk management framework. To that end, seeking out tailored cyber insurance would clearly be one of several management strategies that could be pursued to help manage that risk,” Mr Price said.
He warned against treating cyber insurance as a panacea for all cyber risk.
“Importantly however, there needs to be a good understanding of coverage and limitations of any insurance cover,” he said.
“By no means is cyber insurance a substitute for good risk management in this area.”
Also speaking from the federal government side at the Cyber Insurance Forum was Pip Wyrdeman, a senior adviser with Prime Minister Malcolm Turnbull’s Office of the Cyber Security Special Adviser.
Ms Wyrdeman spoke about how government and insurers could work together on developing the cyber insurance market in Australia.
“The cyber insurance market in Australia is still quite immature and there is a fundamental lack of data that enables insurers to determine what effective underwriting of cyber needs to be,” Ms Wyrdeman said.
In good news for cyber insurers at this point in the local market's development, Ms Wyrdeman appeared to indicate that the federal government was not looking at heavy regulation for the sector, but letting the market rip.
“The best way forward is to go back to the fundamental principles of cyber security strategy and work on the partnership space,” she said.
“As a government, we are trying to increase awareness and cyber literacy,” said Ms Wyrdeman, with the overall objective of lifting the nation’s cyber resilience.
Cyber insurance, and the auditing and risk assessment that go with selling policies, were a much better tool than government regulation in helping lift resilience, she said.
While in its infancy here, Ms Wyrdeman said the ‘rapidly growing’ cyber insurance market could help raise the country’s overall cyber resilience.