Australia’s new Notifiable Data Breaches laws will change the risk equation should an organisation suffer a cyber attack. Could cyber insurance help manage that risk? Nigel Phair looks at the state of the industry.

Soon, very soon, many Australian organisations will need to reconsider the potential cost of a data breach. The Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into force on 22 February 2018. From then on, organisations covered by the Privacy Act will have to notify people when they’re likely to be at risk of serious harm following a breach.

Many existing risk models won’t work once data breaches have greater notoriety. They focus on security controls, rather than holistic risk management. Decisions are often based on an incomplete understanding of the cost of the vulnerabilities an organisation faces, and frequently fail to take into account all of the possible consequences.

Focusing on revenue losses alone is imperfect. The challenge is to build a smart, well-designed cyber risk model that can analyse potential losses of direct revenue, liability to stakeholders, and loss of reputation.

How much does a data breach cost?

Mature organisations are realising that a cyber breach can be expensive, but quantifying their cyber risk exposure really is difficult. That in turn makes it difficult to budget for the resources needed to mitigate the risk. In every sector, every organisation will have a different risk profile, and probably a different risk appetite.

The Ponemon Institute estimated that in 2017 the average cost of a data breach to an Australian company was $2.51 million, with the cost per stolen or lost record being $139. Their sample size was only 25 companies, though, so make of that what you will.

Could cyber insurance be the answer?

Cyber insurance is already the fastest-growing sector of the insurance market, according to Nick Abrahams, a partner with law firm Norton Rose Fulbright.

“The US has a massive amount of class actions in relation to privacy breaches, and the reason those class actions occur is because people know that there is insurance there to back it up,” Abrahams told the InnovationAus.com conference Cyber Security — the Leadership Imperative 2017 in Sydney in May. As ZDNet reported, he expects a “steep rise” in litigation.

Back in 2013, the Centre for Internet Safety’s first Cyber Insurance Research Paper (PDF) found that cyber insurance would need to be a tailor-made offering. It would have to provide comprehensive cover for liability and expenses a business may incur arising out of unauthorised use of, or unauthorised access to, physical and electronic data or software within an organisation’s computer network or business. Cyber insurance policies can also provide coverage for liability, costs and expenses arising from network outages, the spreading of a virus or malicious code, computer theft or extortion.

That’s what we need. But even though cyber insurance products are in demand, the market still can’t accurately calculate the risk, according to Pip Wyrdeman, Senior Adviser Cyber Policy for the Office of the Cyber Security Special Adviser at the Department of the Prime Minister and Cabinet (PM&C).

“The cyber insurance market in Australia is still quite immature, and there is a fundamental lack of data that enables insurers to determine what a more effective way to underwrite cyber-related matters needs to be,” ZDNet reported Wyrdeman as saying.

“There are many impacts from a cyber incident; some can be insured against and some can’t.”

Can we trust an immature cyber insurance industry?

When it comes to buying cyber insurance for risk transfer, trust is still lacking, according to Meena Wahi, a Cyber, Data, and IP insurance specialist.

“Questions linger. Would claim payouts meet executive expectations? Are policy wordings adequate? Does the broker understand the risk? Do insurers have very high expectations for security management?” Wahi told DirectorTech.

“Insurance companies have moved up the learning curve in managing their own exposures. Lloyd’s of London, for instance, now insures cyber risk for one-third of all US businesses. Specialist brokers can help in building the trust between the insurers and executives who demonstrate cyber risk management.”

What we need is data, lots of data

Fixing the cyber insurance market will require a lot of data. It will require modelling of many different loss scenarios.

What does it mean to lose a percentage of customers? Or a percentage of the share price? Will margins on the sale of goods and services change? What is the cyber security posture of third-party vendors and suppliers? And what training do we give our staff?

It might seem easy to implement big, crunchy controls such as encrypting data, but how will this affect daily business operations, and what is the cost? Besides, having data encryption is useless if an employee accidentally or maliciously releases this data to third parties in clear text format.

As the modelling improves, the margin of error will shrink.

The responsibility lies with the risk and audit committee to spend the time analysing the various data inputs, working with internal staff and leveraging external experts. Only then will cyber insurance premiums be suitably tailored for an individual organisation’s risk tolerance and rating.