Cyber Security: The challenge for insurers and practices alike

Addressing the issue

“Right now, cyber insurance awareness is low within the Australian business community and there is a small number of insurance providers. The combination of a small premium pool and the increasing sophistication and maliciousness of some cyber-attacks have put significant pressure on insurers and business alike. Many insurers are reluctant to provide cyber insurance, or provide limited insurance cover, given the high cost and difficulty in pricing cyber risk due to its rapidly changing profile. If appropriate insurance is not available for businesses to mitigate cyber risk, many may not be able to, or may be reluctant to, adopt more innovative practises. This will hinder Australia’s economic productivity.” (Insurance Council of Australia, 2022)

One of the really interesting points that was raised in the report referred to above by the ICA, was that a degree of care needs to be taken by the Office of the Australian Information Commissioner (OAIC) with regards to the fining and penalties that accompany breaches of privacy. As the report says, this policy is important due to the need to change behaviour that may otherwise be far too casual in its recognition of the necessity of properly protecting data. However, if too broad an application of this policy is used it will make the affordability of cyber insurance even lower due to the difficulty for insurers to reasonably expect to profitably maintain a portfolio of policies in this sphere.

Whilst there may be insurance policies for aspects of cyber-attacks that will accompany other types of management indemnity cover, policies that are offered for standalone protection will require a burden of proof to be satisfied by the insured to show that they are taking all reasonable steps to deal with the risk even before insurance cover is introduced. It is interesting that whether due to the desire to gain an insurance policy or through a better understanding of the most likely cyber risks, the first step is for businesses to thoroughly review the risks that they are facing and to plan sensibly to deal with them.

The graphic included above highlights the points that need to be considered to start addressing your cyber insurance policy requirements. As part of this CPD activity, please read the article “Doing a Risk Management Stocktake” written by Peter Deans at 52 Risks. You can access the article by clicking here.