Cybercrimes have now started causing problems for companies in Australia. According to reports provided by the ACSC, there has been a rise in the number of calls placed on the Australian Cyber Security Hotline by 16% when compared to the last year. The average loss reported from such an event has risen by 8%, standing at about $80,850.
With the rise in cybercrime threats, business owners need to understand what cybercrime is and the need for cyber insurance policies.
Is Cyber Insurance Compulsory?
There is no legal requirement in Australia to have cyber insurance. With the rising exposure to losses that arise out of cyber events, most organisations see it as necessary in terms of risk management.
Businesses might be regulated within certain sectors in terms of information security and cyber security practices. Though there might not be any law mandating cyber insurance, having coverage would assist businesses in complying with regulations and mitigating exposures.
Certain government bodies, big corporations, and commercial entities require their suppliers to have cyber insurance as a requirement in their contracts. Cyber insurance might thus increase your chances of being considered for a project or tender.
Information Security Expectations in the Financial Services Industry
Financial service companies have many information assets that include personal, identification, banking, and financial data. Therefore, they are attractive targets for cyber criminals.
The occurrence of a cyberattack may lead to financial, reputational, service delivery, and compliance issues.
Hence, bodies like the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) have intensified their efforts in the area of cyber resilience and information security.
APRA Expectations
According to APRA’s CPS 234 Information Security Prudential Standard, regulated entities, which include banks, insurers, and superannuation funds, should have sound information security policies.
Among other expectations, these institutions should:
- ● Guard information assets from cybersecurity threats
- ● Adopt measures that align with their information security risk posture
- ● Identify and assess their information security risks
- ● Report material information security events to APRA
ASIC Expectations
ASIC has also emphasised that cyber resilience forms a critical part of effective risk management. Licensed entities are expected to manage cyber risks under existing legal obligations, including those contained within the Corporations Act 2001.
This includes maintaining systems and processes capable of detecting, responding to, and recovering cyber incidents.
Although these requirements primarily apply to regulated financial institutions, they demonstrate the increasing importance of cybersecurity across Australian industries. Similar expectations may expand into other sectors over time.
Benefits of Cyber Insurance
Cyber insurance policies can offer a range of valuable protections and support services. While coverage differs between insurers, common benefits may include:
Customer Notification Support
Assistance with notifying affected customers when required under privacy and data breach laws.
Incident Response Services
Access to cyber security specialists who can help contain, investigate, and manage a cyber incident.
Data Recovery
Support for recovering lost, corrupted, or compromised data.
Business Interruption Cover
Financial assistance for lost income and additional operating expenses during periods of business disruption.
System Restoration Costs
Coverage for repairing and restoring affected systems, software, and networks.
Liability Protection
Cover legal claims arising from data breaches, privacy breaches, or cyber incidents affecting third parties.
Legal and Reputation Management Support
Access to legal advisors and public relations specialists to help manage regulatory obligations and reputational risks.
Choosing the Right Cyber Insurance Policy
Not all cyber insurance policies provide the same level of protection. When comparing policies, it’s important to assess your business’s specific risks and requirements.
Consider the following:
- ● What type of data your business collects, stores, and processes
- ● The sensitivity and volume of that information
- ● Whether the policy covers first-party losses, third-party liabilities, or both
- ● The insurer’s cyber incident response capabilities and support network
- ● Policy exclusions, limitations, and sub-limits
- ● How cyber insurance fits within your overall risk management strategy
Conclusion
Cyber risks are no longer confined to big organizations. All kinds of businesses today are at risk of cybercrimes and cyber-attacks, leading to data breaches and other disruptions.
Though there are no legal requirements in Australia for cyber insurance for any kind of organization, such coverage can be very useful to organizations that fall victim to cyber-attacks in order to reduce their loss of revenue and other damages.
