Australian organisations forced to take cyber insurance seriously

The take-up of cyber security insurance in Australia remains low, but it could increase if data breach notification regulations come into force

Demand for cyber insurance remains patchy across Australia, with estimates ranging from 3% to 14% of organisations currently having some form of coverage.

The persistent lack of mandated data breach notification is regularly cited as a reason for this. While Australia’s proposed data breach notification legislation is making slow progress, the nation certainly does not lack data breaches.

At the tail end of 2016, big four bank NAB announced it had accidentally sent the personal details of 60,000 customers to the wrong website, while in early 2017 a slew of hacktivist attacks was launched – some by a Tunisian Islamist group that defaced the website of Victoria’s treasurer and a handful of schools. Another was launched against Victoria’s Human Rights Commission website.

In its 2016 threat report, the Australian Cyber Security Centre noted that there had been 1,095 serious security incidents affecting government systems, and 14,804 affecting private business in the 12 months to the end of June 2016.

Fergus Brooks, national practice leader for cyber risk at Aon Risk Solutions, is a broker who focuses on cyber insurance. He’s also one of the NAB customers affected by a recent email breach – but has yet to hear directly from the bank about the issue, and predicts that it has been handled so poorly that there will be customer churn as a result.

The fact is that many data breaches are costly in terms of customer losses, reputation damage and, in some cases, because of the cost of compensation.

Yet, Brooks said fewer than 3% of Australian businesses have any form of cyber insurance. In the US, where there is mandated data breach notification, he said about a quarter of companies have some form of cyber insurance.

Be prepared for cyber attack

A survey of 400 small and medium enterprises (SMEs) conducted by accountancy network BDO and security agency Auscert, released in December 2016, suggested the situation is not as dire as Brooks believes.

The survey found that 9.4% of organisations had standalone cyber insurance, and another 13.7% claimed to have coverage through an extension to an existing business insurance.

However, the survey also revealed that only 19% of SMEs had, or planned to have, a chief information security officer, and only one in five organisations had a security operations centre able to respond to breaches or security incidents.

It noted that a key issue for all organisations was thorough cyber incident response planning in order to minimise the impact of any systems failure or service interruption. This was found to be a feature of effective cyber insurance policies, ensuring that companies had access to experts (and funds to pay for them) who could support them with post-incident public relations, legal advice and technology forensics.

Organisations without coverage, it found, would remain exposed, and also at risk from class actions and potential regulatory fines.

Cyber insurance must be recognised as one component of an effective cyber security strategy, said Brooks, noting that spending on insurance should not substitute for spending on security technology, or vice versa.

Cyber breach law slow in coming

Through 2016, Brooks predicted the proposed mandated cyber breach laws would spur demand for cyber insurance. More recently, he said he was “not putting any faith in the Senate” to get the law passed, despite the issue having bipartisan support.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was tabled in Parliament in October, but no progress had been made at the time of writing.

With a handful of exceptions, most data breach notifications to the Office of the Privacy Commissioner remain voluntary. In 2015-16, just 107 such notifications were made for Australian organisations.

Unlike Brooks, Leon Fouche, a partner at BDO, said he remained “optimistically confident” that the mandatory reporting legislation would be passed in the coming year. “If we want to be seen as a serious player, we need to increase our privacy protection,” he said.

Privacy protection must improve

BDO’s inaugural security survey, which was conducted with Auscert, was intended to uncover the extent of the cyber security problem, identify SME preparedness and protection efforts, and provide a benchmark against which SMEs could measure themselves.

The survey, said Fouche, confirmed Australia as an “emerging country” regarding its attitude to cyber insurance.

The sector most at risk seems to be the mid-market, he said, with many small businesses having availed themselves of insurance protection through professional association insurance schemes – particularly architects and accountants. Meanwhile, on the other end of the scale, energy, financial services companies and the health sector had taken out coverage.

A Symantec survey of Australia’s small businesses suggested that 14% already had coverage. It also indicated that 19% were looking to buy cyber insurance in 2017 and predicted it would cost them around $2,900 a year.

Examine insurance small print

Fouche warned, however, that companies need to carefully examine the fine print of any cyber insurance policies before signing up and paying a premium. A number of organisations that had invested in insurance and believed they were covered found that their policies were inadequate when they went to make a claim because of a series of exclusions.

While cyber insurance is generally affordable, he said the jury was still out as to whether those policies would respond to a claim.

As an example, Fouche cited the case of a retailer with $100m turnover that secured $5m worth of cyber cover for a $50,000 premium. “It was not worth the paper it was written on,” he said.

Some policies explicitly state that any change to the IT environment during the year covered by the premium voids the cover. That would apply even to security patches applied to the systems.

Insurance brokers need to work with clients to ensure more effective risk analysis and secure more appropriate cover.

Fouche said organisations should do the following as a first step:

  • Identify critical assets and crown jewels.
  • Liaise with a broker and underwriter to assess remediation needed and coverage required.
  • Stress test any policy by considering a security scenario and determining whether the policy would respond as required in the event of a breach or security incident.

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Simon Smith, eVestigator, Master Programmer and Cyber Security Expert.

There is a reason for this. The market conception of cyber insurance may not realise that they already had the exact same product with Management Liability. The insurance companies are merely taking products away from ML or adding exclusions, labelling it a new product called Cyber Insurance, making it next to impossible to comply with and have found another way to gain more money from small business.

I have read the policies and compared most of them. Crime cover is standard in many ML policies. Statutory cover is standard in many ML policies. Workplace theft is also covered. Computer crime involving the unauthorised use, tampering, alteration, deletion or any kind of use not permitted triggers crimes under many ML policies. This would cover DOS, DDOS, hacking, employee e-fraud, remote attacks - almost anything I can think of done remotely. There is and has never been a requirement to know who the attacker was.

What has changed? Can someone enlighten me? Statutory cover has covered any statutory body (OAIC) for investigations, inquiries, and in some cases fines or penalties.

Again there is good and bad insurance, but I know the good ones, and one thing is certain amongst most of them: hardly any of them understand anything about IT, let alone cyber security, as proven in many cases.
