The cyber insurance market in Australia is still in its infancy with buyers confused by what is on offer and their own accountability levels, but coming mandatory data breach rules are likely to focus attention and accelerate the local market.
Panelists at the inaugural InnovationAus.com Cyber Insurance Forum in Sydney last week explored the state of the Australian cyber insurance scene and its immediate future.
The biggest cyber insurer worldwide is Lloyds of London, which has a 20 to 25 per cent share of the global cyber insurance market – which is estimated to be about US2.5 billion and rapidly rising.
Christopher Mackinnon is Lloyd’s general representative in Australia and he says the local corporate market is only just waking up to the need for cyber insurance, although he expects a surge of interest in the first quarter of 2018 as boards react to mandatory breach legislation going active in February.
Lloyds recently estimated that a major, worldwide cyberattack could trigger economic losses of the order of US$53 billion – as large as those caused by hurricane Sandy in 2012.
So while the potential exposure to a grade one cyber disaster is huge, the local market is still getting its head around the cyber insurance product set.
“The issue we are seeing is that insurance buyers are generally not fully informed as to what they are buying and how they need to connect that to their own security,” Mr Mackinnon told the Forum.
“That’s one of the big challenges we have as an industry, to make sure that we are not just looking to sell them a product ,but that we are looking to sell them a service and advice and structure to make sure their security systems are aligned with the last resort which is the insurance policy,” he said.
Boards must get involved with their companies’ cyber preparedness Mr Mackinnon said, and if they don’t it could affect an insurers’ readiness to take on risk.
“Last year Lloyds did a survey of 350 senior European business leaders on the issues around insurance and 92 per cent of them said they had been hacked or had some kind of data problem in the previous 12 months, and 42 per cent of them were concerned about it happening again.
“That is a terrifying statistic. This has to elevated to the board level. This is no longer the IT department confirming that everything’s going to be all right mate. That’s not acceptable anymore,” he said.
“This has got to sit with the CEO and the board.”
“Insurers more and more are not going to be interested in taking on risk from an organisation that does not have this elevated at board level.”
On the consumption side of the cyber insurance market, those organisations that do journey down the path to getting insured had better lawyer up, according to Teresa Aquilina, a senior vice-president at Guy Carpenter, an integrated solutions provider to the insurance industry.
“Let’s take a look at where insurance policies are now. You pretty much need a law degree to figure out what’s covered and what’s not. For a policy holder, I don’t know how they understand what is actually in there.
“I think we are still a way off understanding and having a standard policy learning out there,” Ms Aquilina said.
However, Ms Aquilina acknowledges that one size does not fit all when it comes to cyber insurance.
She advocates more ‘plain english’ in policy development and notes that the more advanced US cyber insurance market is setting direction in how insurance does and doesn’t cover cyber events.
The federal government is unlikely to push up any specific regulations around standards for the cyber insurance industry here, according to Pip Wyrdeman, a senior adviser with Prime Minister Malcolm Turnbull’s Office of the Cyber Security Special Adviser.
“I think there will be a push to have a stamp of approval from government around certain things such as education but I don’t know that there will be something that underpins a set of standards that will drive the insurance companies,” Ms Wyrdeman said.
“It’s very much going to be a market driven exercise which government will support,” she said.