grandeduc - Fotolia

Australian organisations forced to take cyber insurance seriously

The take-up of cyber security insurance in Australia remains low, but it could increase if data breach notification regulations come into force

This article can also be found in the Premium Editorial Download: CW ANZ: CW ANZ: Take cover from cyber threats

Demand for cyber insurance remains patchy across Australia, with estimates ranging from 3% to 14% of organisations currently having some form of coverage.

The persistent lack of mandated data breach notification is regularly cited as a reason for this. While Australia’s proposed data breach notification legislation is making slow progress, the nation certainly does not lack data breaches.

At the tail end of 2016, big four bank NAB announced it had accidentally sent the personal details of 60,000 customers to the wrong website, while in early 2017, a slew of hacktivist attacks were launched – some by a Tunisian Islamist group which defaced the website of Victoria’s treasurer and a handful of schools. Another was launched against Victoria’s Human Rights Commission website.

In its 2016 threat report, the Australian Cyber Security Centre noted that there had been 1,095 serious security incidents affecting government systems, and 14,804 affecting private business in the 12 months to the end of June 2016.

Fergus Brooks, national practice leader for cyber risk at Aon Risk Solutions, is a broker who focuses on cyber insurance. He’s also one of the NAB customers affected by a recent email breach – but has yet to hear directly from the bank about the issue, and predicts that it has been handled so poorly that there will be customer churn as a result.

The fact is that many data breaches are costly in terms of customer losses, reputation damage and, in some cases, because of the cost of compensation.

Yet, Brooks said fewer than 3% of Australian businesses have any form of cyber insurance. In the US, where there is mandated data breach notification, he said about a quarter of companies have some form of cyber insurance.

Be prepared for cyber attack

A survey of 400 small and medium enterprises (SMEs) conducted by accountancy network BDO and security agency Auscert, released in December 2016, suggested the situation is not as dire as Brooks believes.

The survey found that 9.4% of organisations had standalone cyber insurance, and another 13.7% claimed to have coverage through an extension to an existing business insurance.

However, the survey also revealed that only 19% of SMEs had, or planned to have, a chief information security officer, and only one in five organisations had a security operations centre able to respond to breaches or security incidents.

Read more about cyber security

It noted that a key issue for all organisations was thorough cyber incident response planning in order to minimise the impact of any systems failure or service interruption. This was found to be a feature of effective cyber insurance policies, ensuring that companies had access to experts (and funds to pay for them) who could support them with post-incident public relations, legal advice and technology forensics.

Organisations without coverage, it found, would remain exposed, and also at risk from class actions and potential regulatory fines.

Cyber insurance must be recognised as one component of an effective cyber security strategy, said Brooks, noting that one should not replicate the other regarding technology spending and insurance.

Cyber breach law slow in coming

Through 2016, Brooks predicted the proposed mandated cyber breach laws would spur demand for cyber insurance. More recently, he said he was “not putting any faith in the Senate” to get the law passed, despite the issue having bipartisan support.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was tabled in Parliament in October, but no progress had been made at the time of writing.

With a handful of exceptions, most data breach notifications to the Office of the Privacy Commissioner remain voluntary. In 2015-16, just 107 such notifications were made for Australian organisations.

Unlike Brooks, Leon Fouche, a partner at BDO, said he remained “optimistically confident” that the mandatory reporting legislation would be passed in the coming year. “If we want to be seen as a serious player, we need to increase our privacy protection,” he said.

Privacy protection must improve

BDO’s inaugural security survey, which was conducted with Auscert, was intended to uncover the extent of the cyber security problem, identify SME preparedness and protection efforts, and provide a benchmark against which SMEs could measure themselves.

The survey, said Fouche, confirmed Australia as an “emerging country” regarding its attitude to cyber insurance.

The sector most at risk seems to be the mid-market, he said, with many small businesses having availed themselves of insurance protection through professional association insurance schemes – particularly architects and accountants. Meanwhile, on the other end of the scale, energy, financial services companies and the health sector had taken out coverage.

A Symantec survey of Australia’s small businesses suggested that 14% already had coverage. It also indicated that 19% were looking to buy cyber insurance in 2017 and predicted it would cost them around $2,900 a year.

Examine insurance small print

Fouche warned, however, that companies need to carefully examine the fine print of any cyber insurance policies before signing up and paying a premium. A number of organisations that had invested in insurance and believed they were covered found that their policies were inadequate when they went to make a claim because of a series of exclusions.

While cyber insurance is generally affordable, he said the jury was still out as to whether those policies would respond to a claim.

As an example, Fouche cited the case of a retailer with $100m turnover that secured $5m worth of cyber cover for a $50,000 premium. “It was not worth the paper it was written on,” he said.

Some policies explicitly state that if there has been any change to the IT environment over the year covered by the premium, it would not be covered. That would apply even to security patches made to the systems.

Insurance brokers need to work with clients to ensure more effective risk analysis and secure more appropriate cover.

Fouche said organisations should do the following as a first step:

  • Identify critical assets and crown jewels.
  • Liaise with a broker and underwriter to assess remediation needed and coverage required.
  • Stress test any policy by considering a security scenario and determining whether the policy would respond as required in the event of a breach or security incident.

Read more on Information technology (IT) in Australia & New Zealand