The advent of mandatory data breach legislation has lit up the local market in cyber security insurance, but Australia remains ‘unsophisticated’ in its understanding of cyber risk, says an industry expert.
The passage of the mandatory data breach legislation through the senate in February has helped create a hot new sector for insurers, along with other factors such as an ever-rising toll of cyber security incidents and the urgings of the federal government for organisations to carry out cyber risk health checks.
Under the legislation, organisations and Commonwealth Government agencies must notify the Australian Privacy Commissioner, as well as the individuals affected or at risk from the breach.
Civil penalties for not complying range up to $360,000 for individuals and $1.8 million for bodies corporate.
A spokesperson for the Insurance Council of Australia said the local cyber insurance market has been growing more quickly than any other commercial risk market.
“Cyber-insurance is recognised as the fastest growing commercial segment of the Australian market,” the ICA spokesperson said.
“Cyber-insurance is increasingly being rolled into standard business insurance packages, or purchased as a stand-alone product, often incorporating full counter-intrusion and system recovery processes.”
In November last year, global insurance house Lloyds said demand for cyber insurance in Australia had increased 168-fold over the past two years. That is extraordinary growth.
Mark Doepel, a partner with Sparke Helmore Lawyers and an expert on professional indemnity insurance and cyber risk, says insurers such as Lloyds have been quick to exploit the cyber risk market.
“In many ways the insurance market has been very quick to adapt to this emerging risk and to commoditise it and offer a product which provides a degree of protection should you be the recipient of a cyberattack,” he says.
However, Mr Doepel says local businesses are still struggling to get their heads around the implications of cyber risk, which run the gamut from being subjected to a ransomware attack, to denial of service, to cyber espionage, to having a storage system fall over and wipe out reams of customer data.
“I don’t think there is a huge amount of sophistication in Australia around what cyber risk means,” says Mr Doepel.
“We are a sophisticated jurisdiction in relation to understanding privacy principles; we still have a long way to go in understanding cyber.”
“One source of confusion is that when you use the word cyber it is a big, umbrella term. When you talk about cyber risk you are talking about any number of issues.”
Mr Doepel says the passage of the mandatory breach notification legislation has begun to wake up Australian organisations to the commercial risks.
“With the new mandatory notification in relation to certain types of breach, that has of itself caused a lot of people to be very interested in this space. This time last year a lot of people were talking about cyber risk and cyber insurance, but very few people were buying it.
“Now with the mandatory notification provisions everyone is interested in what they need to do in response to the risk and what products are available in relation to taking out insurance against this risk.”
Cyber underwriters are requiring more from clients before they take on the customer’s cyber risk.
“Underwriters are requiring more and more sophisticated information,” says Mr Doepel. “One of the things that’s very important is to know when a breach has happened. A lot of people just don’t appreciate when a breach has happened, so insurers are very keen to educate in that regard.”
Mr Doepel believes that having cyber risk insurance could soon become a feature of doing business with government.
“I can imagine a world in the not-too-distant future where, to contract with government, there will be a mandatory requirement that you have cyber insurance. Much like a doctor must have professional indemnity insurance, you will have to have cyber insurance.”
On the risk side, the recent Data Breach Investigations Report (DBIR) from Verizon warns that cyberespionage and ransomware attacks are on the increase.
The Verizon 2017 Data Breach Investigations Report says hot-ticket items for cyber espionage include proprietary research, prototypes and confidential personal data.
The report analysed 2,000 breaches and found more than 300 were espionage-related. Phishing emails were a common entrée to this form of attack.
In the Verizon report, ransomware rose to become the fifth most common specific malware variety, up 50 percent compared with last year’s report.