Australia slow on the cyber insurance uptake01 December 2017
Despite an increasing number of insurers offering standalone cyber insurance in the local market, Australian businesses are generally yet to show any real appetite for obtaining cover against this important emerging risk. This is despite a number of recent events-which would almost certainly cause any business to consider the need for this type of cover-ranging from the recently well-publicised Petya and Wannacry breaches to the rapidly approaching mandatory notification provisions of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which will come into effect in February 2018. A review of the market suggests there are a number of possible reasons for the hesitancy in purchasing standalone cyber insurance.
"IT can handle it"
Most large businesses, and even some SMEs, have historically allowed internal IT departments to deal with all aspects of computer and data security. It is clear that boardrooms and C-suite officers of all businesses need to have a clear understanding of the risks and subsequent costs that businesses now face in this rapidly evolving area. Directors are encouraged to become familiar with the entire lifecycle of cyber security within an organisation and acknowledge the risks that may emerge at any time, ranging from pre-breach, breach and response issues.
A number of directors still lack understanding about the potential dollar losses that a company can sustain from a cyber breach-true, breach costs may be minimal, but associated costs such as IT systems repairs, extortion costs, and reputational/PR costs can be extensive and catastrophic. A cyber breach can have a significant impact on the profit and loss statement of a business and erode shareholder value. One can easily imagine a world where disgruntled shareholders openly criticise the Board for failing to engage the IT department to ensure systems are unshakably robust and that all staff are well-trained in identifying and dealing with cyber breach issues.
Organisations must understand that IT resilience is only part of the solution and should be used in conjunction with standalone cyber insurance. In this regard, any officer tasked with risk management and especially insurance procurement within an organisation should consistently and clearly engage with the IT department on risk transfer and procuring insurance policies. Any proposal for cyber insurance should be completed in close consultation with the IT department.
High awareness, low literacy
Directors and officers are becoming more aware of standalone cyber insurance cover, however, there remains a lack of understanding as to the scope of cover available under these policies. This appears to be due to a number of reasons. First, the new bespoke forms of coverage are unique in their structure, with many offering cover for first and third party losses. This has led to a degree of difficulty in insureds appreciating the full extent of cover on offer. Insurance brokers are leading the way in helping insureds understand the depth of cover available in this space and the issues that need to be closely looked at, such as cost of cover, limits on indemnity as well as inclusions and exclusions under the policy being considered.
Businesses also need to understand the unique benefits that are offered under many of today's comprehensive standalone cyber policies. Generally, a traditional insurance arrangement provides cover and benefits to an insured in the instance of an event giving rise to a loss. Standalone cyber policies differ because many insurers offer benefits to insureds before, during and after loss events.
It is in an insurer's interests to work closely with insureds at all times to ensure that cyber resilience is part of the overall risk management of the insured. This allows insurers to both understand the risk and to see the insured take proactive steps to mitigate and contain any loss that may result from a breach. Insureds should also appreciate that when a breach occurs, insurers may provide a reconnaissance team to help with all aspects of the breach, ranging from IT security and repair, audit and accounting expenses, legal expenses and possibly some fines and penalties.
Timing is key
Another reason for the possible lack of appetite for cyber cover is that it is still relatively "early days" for this risk in Australia. Jurisdictions with deep cyber cover market penetration, such as the United States and Canada, have had notification and privacy laws since the early 2000s. Understandably, our legislative system has to develop and the risks more widely appreciated, before there is an upswing in the purchase of cyber cover. It isn't difficult to foresee a world in the near future where state and federal governments make cyber insurance mandatory for parties wishing to contract with government (or a government agency) and for it to become a requirement for any business as part of their standard operations.