The Australian market needs to remember that cyber risk and insurance is “not all about privacy”, an expert has said.
James Burns, cyber product leader at
CFC Underwriting, recently visited Australia and said that while the cyber market is still “fairly nascent” its development away from stringent breach regulations makes it unique.
“Australia has had a very different development compared to say the US because the Aussie market has got to where it is so far without having had to date those stringent breach notification laws, that create really strict regulatory requirements,” Burns told Insurance Business.
“I think it is interesting because the developments we have seen in the Aussie market have been based on the back of concern around things like business interruption risk and wider operational risks as opposed to just their privacy risk.”
With mandatory breach notification on the horizon for businesses that fall under the Privacy Act, Burns noted that it remains to be seen how regulation impacts the market as it could have both a positive and negative effect.
“It is good in-so-far as it gives that opener and that ability to start talking about cyber risk but also a note of caution in so much as we don’t need to go down one road and ignore another really important one,” Burns continued.
Burns also highlighted the claims experience at CFC Underwriting, which has seen its cyber claims almost double in the past year as costs related to other strands of cyber risk dwarf those related to data breach.
“This is going to be a record year for us in terms of claims. We are probably going to handle over 750 cyber claims this year,” Burns continued. “Less than a quarter of all those claims are privacy or data breach related.
“The areas where we are seeing real growth are ransomware style events which tend to have business interruption losses because ransomware and business interruption tend to go hand in hand.”
For brokers, Burns said that it is important not to forget a client’s business interruption exposure, as for many SMEs a cyberattack could be enough to force them out of business without the appropriate cover.
“There are lots of business interruption events that are slipping under the radar because they don’t get the same press attention as the data breaches,” Burns continued. “In our experience, more often than not, they end up having much more devastating financial impacts on those companies than the data breaches.”
Related stories:
‘Big gap’ remains on cyber risk in not for profit and care sector
Willis Towers Watson unveils the top cyber-insurance trends for 2018