What are the business cyber insurance requirements in Australia?
Published 14 December 2021
Take-up rates for cyber insurance cover in Australia remain relatively low compared to more traditional commercial property and liability insurances, according to the Insurance Council of Australia. But as the pace of cyber attacks continues to increase and massive cyber claim payouts persist, insurers are reducing their cyber risk appetite and capacity. Businesses lacking cyber security controls can expect to see 100% to 200% rate hikes, reduced coverage terms and even possible non-renewals.
While having cyber insurance cover for businesses isn’t mandatory in Australia, there are moves towards increased accountability where third parties are involved, especially for those holding Australian Financial Services Licences.
The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) have made it clear that cyber risks are a key systems and control issue. Under the Corporations Act 2001 company directors are required to protect their business and its shareholders against major business risks or face claims for damages. They can also be investigated as to the extent of the business’s preventative measures and response protocols to a cyber incident occurring.
Legislative moves to make boards more accountable for cyber security
In Australia personal information is protected by the Privacy Act 1988 and under its terms the Office of the Australian Information Commissioner (OAIC) may seek a civil penalty order of up to $2.1 million in cases involving serious lapses in protecting privacy ‒ and this has been flagged to increase to $10m or 10% of annual domestic revenue.
In the recently published paper 'Strengthening Australia’s cyber security regulations and incentives, An initiative of Australia’s Cyber Security Strategy 2020' the Australian government cites research which shows that currently company boards don’t have an adequate understanding of cyber risks.
The paper proposes that stronger voluntary cyber security standards be developed in consultation with the business sector to define the responsibilities and processes for managing cyber security risks. It makes no comment on how any mandatory standards would be enforced or the penalties for breaches.
For the financial services sector, cyber security breaches and non-compliance risks around privacy are key concerns because of the significant amount of customers’ personal information it holds.
Both APRA and ASIC have made it clear that cyber risks are an essential systems and control issue. For this reason Australian Financial Services licensees are required to have appropriate measures in place for managing business risks.
Some recent initiatives to increase cyber security rigour include:
• APRA has released its Cyber Security Strategy for 2020 to 2024, introducing heightened accountability where companies fail to meet their legally binding requirements under its CPS 234 standard
• ASIC's increasing focus on cyber security and cyber resilience as part of company directors’ duties
• ASIC has commenced its first enforcement action against an Australian Financial Services Licensee for breaches arising from failure to adequately prepare for cyber security incidents
• the forthcoming review of the Privacy Act 1988 is highly likely to update data security requirements for businesses and highlights the ongoing need for financial service providers to review their data governance approach accordingly
• the introduction of a private member’s bill proposing a mandatory ransomware reporting framework, requiring notice to be provided to the Australian Cyber Security Centre on payment of a ransom demand.
These moves have implications for having insurance protections in place.
What cyber insurance covers
While there is no standard cyber insurance policy, there are some commonly offered coverages that provide excellent mechanisms to save bottom line costs in the aftermath of a cyberattack. Other policies, including crime, property, liability, kidnap and ransom, and errors and omissions, may also offer some limited insurance coverage for cyber exposures. However, a comprehensive stand-alone cyber insurance policy usually affords the most complete coverage for cyber risks, while traditional insurance lines are increasingly tightening policy language to exclude cyber risk-related costs.
There are four segments to the cyber insurance risk transfer solution.
1. Your liability to others
• Pays defence costs and damages/settlements that you owe to others as a result of a failure of network security or a breach of private information.
• Pays defence costs and fines/penalties regarding regulatory actions against you arising from a breach.
• Pays contractual assessments owed due to noncompliance with PCI (credit card) standards due to a breach.
• Pays defence costs and settlements arising from professional/ media errors and omissions (optional coverage).
• Pays claims alleging financial loss to third parties (such as your employees or clients).
2. Your costs of breach response
• Pays your costs to engage forensic, legal and PR advisors.
• Pays your costs of notification of the breach to affected individuals as well as credit monitoring and identity theft monitoring.
3. Your own operational costs after a breach
• Pays the ransom in the event of cyber extortion as well as for related forensics. The insurer may deploy vendors who are expert negotiators with immediate access to cryptocurrency.
• Pays your costs to recover data that has been damaged as a result of a computer security failure.
• Pays your loss of income as a result of business interruption caused by a failure of computer security. This can extend to business interruption losses due to an attack on a vendor, commonly referred to as 'contingent business interruption'.
4. Additional services from the insurer
• Provides immediate 24/7 help at discounted panel rates in the event of a suspected incident.
• Free or discounted cyber risk management services during the policy period. These may include employee training, help with technology controls, compliance and incident response planning.
How insurers view businesses' cyber risks
Due to the heightened cyber threat environment, cyber insurance underwriters have responded with a laser focus on data security controls when evaluating risks. Virtually all cyber insurers will require evidence of at least some preventive controls, which may include multi-factor authentication (MFA), remote desktop protocol (RDP) controls, data backup practices, segregation of networks, encryption, patch management, privileged account management (PAM), employee training and a host of others. Cyber insurance applications often require additional ransomware supplemental applications that may involve dozens of questions around controls specifically designed to prevent or mitigate the effects of ransomware attacks.
Without some of these controls in place, many carriers are refusing to quote on insurance cover for the businesses concerned. Those that do will likely demand significant rate increases. Even businesses considered to be best in class risks that comply with all underwriting required security controls should brace for potential rate increases, limited capacity and possible coverage restrictions.
Access cyber risk management expertise
Our cyber security experts can assist businesses with addressing underwriter questions, strategies for improving cyber security vulnerabilities and obtaining optimal cyber insurance coverage.
The content - including publications - on this blog is intended only to provide a summary and general overview on matters of interest. It is not intended to be comprehensive nor does it constitute legal advice. We attempt to ensure that the content is current but we do not guarantee its currency. You should seek legal or other professional advice before acting or relying on any of the content.