Cyber Security: The challenge for insurers and practices alike

Heading to the SME end of town

The thing that becomes quickly apparent when investigating cyber security and cyber insurance is the speed with which things are changing and the ever-increasing difficulty insurers are having keeping up with the threats being posed. As described by Awiszus et al. (2023), the underlying issue to contend with results from the non-stationarity of data relating to cyber risk. In other words, whether due to a lack of data or the confidentiality of data, there isn't enough for an actuary to make a traditional judgement as to how premiums should be calculated and which events they will cover. By the time insurers do manage to get a handle on it, the threat has changed or evolved and they are already scrambling to solve the problem all over again.

If you do a quick search for business cyber insurance in Australia, you can see that there are certainly companies offering policies, which is great news. When you look at the events that are covered, though, I suspect that in many instances you would feel that receiving cash to cover your loss isn't really hitting the mark. This is in no way a criticism of the insurers or their policies. What I am getting at is that they largely feel like you will be getting cash to compensate for the horse that has long since bolted. The financial services industry is firmly rooted in trust, often to the level of a fiduciary relationship between the provider and the investor. The reason this is important here is that if the trust between you and your client is damaged (fairly or not), it can't be replaced with cash. Don't get me wrong, insurance to cover court costs and fines may well be a different issue, but at its heart the damage is done if trust is broken.

Whilst there are fairly limited instances thus far, in the aftermath of the Royal Commission especially, ASIC and the courts are taking a very dim view of those who aren't pulling their weight when it comes to a reasonable standard of cyber security.