Will new data breach laws and high profile cyber-attacks in 2016 lead to surge in uptake of cyber insurance?
Insurance Law eBulletin - 16 February 2017
2016 was a year of prolific cyber-attacks on governments and multinational organisations, both in Australia and globally. Under the radar, there were many more daily attacks on a wide range of industries and businesses, including SMEs.
The benefits of cyber insurance can include a co-ordinated, rapid response team to a cyber incident but there is still a disparity between the scale and number of attacks and take-up of cyber insurance policies in Australia.
Whilst major incidents spread awareness, take-up of cyber insurance is more likely to be affected by legislative changes such as the implementation of mandatory data reporting requirements and the threat of fines and other penalties if organisations fail to maintain sufficient standards of cyber security.
In this eBulletin we look at examples of cybercrime, the insurance perspective, and the trends expected to result from new legislation.
Probably the most high profile cyber incident in Australia in 2016 was the attack on the nation's first e-Census. This Denial of Service (DoS) attack — deliberately overloading the system causing it to shut down — affected millions of Australians and was particularly embarrassing for a government which has prided itself on its cyber credentials.
On the global scale, the internet giant Yahoo disclosed multiple historic cyber-attacks, including what was said to be the largest data breach in history, when an alleged state-sponsored attack in 2013 compromised data from more than one billion user accounts. There were also well reported DoS attacks which temporarily brought down the websites of renowned web-based companies such as Airbnb and Twitter. The year then ended with the US expelling 35 Russian diplomats for alleged involvement in cyber-attacks against Hillary Clinton's presidential campaign.
Beyond the headlines, there are a far greater number of daily cyber-attacks. Cyber criminals have moved beyond focusing on frauds against financial institutions to targeting energy and utility companies, telcos, and a vast range of industries and businesses. Ransomware attacks — where the criminal encrypts the data of a computer system so that it is locked, and demands payment in return for restoring access — are now increasingly common, including against SMEs.
PwC's Economic Crime Survey 2016, which surveyed 6,000 international organisations, found that Australian respondents experienced cybercrime at much higher levels compared with the global rate. Commentators widely report that cybercrime is the number one economic crime in Australia. However, an increasing awareness of cybercrime is not matched with an equivalent level of preparedness.
This disparity continues to be felt in the take-up of cyber insurance policies in Australia. Whilst there has been a steady increase in organisations purchasing cyber security policies, this increase has not kept pace with the growth in cyber threats. It may be that organisations are not sufficiently aware of their own cyber risks because they do not have enough data, and because cyber-attacks against their competitors and suppliers may also remain unreported.
Claims are, however, only likely to increase as data security practices fail to keep pace with those technological developments which provide opportunities for cyber criminals.
There are clear benefits of cyber insurance, particularly for SMEs. Cyber insurance policies usually include cover for first party losses such as business interruption and the cost of notifying customers, without the requirement for physical damage which is a standard trigger under property policies. Cyber insurance can also provide third party cover for losses to others caused by failures to safeguard data, as well as regulatory fines. Without an insurance policy specifically tailored to meet cyber risks, the resulting uninsured costs may be difficult for businesses to absorb.
Further, many cyber policies now offer a rapid response service in the event of a cyber incident. This service includes the appointment of a coordinated team of experts including forensic, IT, public relations, and legal professionals who can assist SMEs to restore their systems, respond to an incident, and prepare for any future claims.
Australia's long-awaited mandatory data breach legislation was passed by the Federal Government on 13 February 2017 and will come into effect within the next 12 months. Similar legislation in the US was a catalyst for an increase in the uptake of cyber security policies. The legislation is expected to allow Australians to search online for notifications that affect them, which may lead to more claims and a corresponding need for cyber cover. It should also give underwriters access to data on cyber threats in particular industries and businesses, which should enable them to price risks more accurately.
The mandatory notification requirements are likely to put more of a spotlight on directors' and officers' accountability for cyber security issues, which can no longer be assumed to be the exclusive remit of the IT staff. This could lead to an increase in D&O claims. The notification changes could be part of wider legislative changes to impose greater standards of cyber security.
In view of legislative developments and increased awareness of cyber threats, it seems likely that more business transaction contracts (particularly government procurement contracts) will contain clauses requiring parties to have their own cyber cover in place.
We expect to see insurers continuing to partner with experts in other industries such as IT and PR to develop more holistic cyber products including combinations of insurance, software applications, and risk management strategy.
As such, we expect to see a continued steady increase in the number of organisations purchasing cyber insurance, although legislative developments and any significant cyber security litigation may produce a surge in demand for cyber cover.
Michael Williams | Senior Associate
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.