Insurance Council urges next Fed Govt to establish cyber risk-sharing forum

The Insurance Council of Australia (ICA), the peak body for the general insurance sector, has called on the next Federal Government to establish a whole-of-government cyber risk-sharing forum, enabling government stakeholders, the insurance sector and the tech industry to collaborate to help manage system risk and improve cyber hygiene.

In its latest report, Building a more resilient Australia: Policy proposals for the next Australian Government, the ICA urged Australia’s next Federal Government to create a “robust policy framework” to manage cybersecurity concerns impacting the insurance sector as well as the wider Australian economy – with the ICA acknowledging the impact of increasing cyber risk on businesses’ insurance premiums.

The framework would be supported by the creation of a new cyber forum comprising industry and government stakeholders.

Such a forum would serve to improve dialogue on cybersecurity concerns and give voice to the insurance industry to help shape policy settings that “manage system risk and support good cyber security health for business”.

“From a broader business perspective, the collaborative development of real-time, two-way threat data sharing between government and industry has the potential to reduce the incidence of cyber-attacks and also help insurers more accurately quantify risk,” the ICA wrote.

“This, in turn, will help bring more capacity into the cyber insurance market and generate downward pressure on cyber premiums, which increased significantly in 2021.”

“Australia needs a vibrant and innovative insurance sector to provide relevant cyber insurance products and services to its small and large business sectors.”

Recognising the increasingly devastating impact of cyber-attacks and the growing costs borne by businesses to not only secure their businesses but also maintain adequate cyber insurance, the ICA further called on the Government to collaborate with the insurance industry to help improve cyber risk reporting by businesses.

This, it said, would “help insurers identify risk mitigation opportunities for their customers and provide the most effective way of reducing cyber premium costs over time”.

“Where the data breach is due to the malicious act of a foreign state actor or criminal gang, coverage may include costs related to the services of a negotiator, legal advice to determine if any ransom payment is legal or reportable, and indemnification of the ransom if the business decides to pay the ransom.”

These costs can be considerable for businesses.

According to Oxera, an economics and financial consultancy, cyber-crime was estimated to cost the global economy $600 billion in 2018, equivalent to 0.7 per cent of global GDP, representing around 14 per cent of the worldwide internet economy. Lloyd’s of London estimates that only about a third of those losses were covered by insurance.

At home, Home Affairs Minister Karen Andrews estimates the Australian economy loses around $3.5 billion to cyber-crime each year.

Australian organisations have seen a 200 per cent increase in reported ransomware attacks alone over recent years, costing the economy around $1 billion.

In a recent survey, security researcher IDC reported that around 60 per cent of Australian companies – desperate to free their data from captors – would be willing to pay a ransom.

“Ransomware attacks are now increasingly sophisticated and more invasive, with sensitive data targeted and operating systems disabled,” the ICA wrote.

“Consequently, the cost to investigate, repair and recover has also increased.”

‘Amend the Privacy Act’

The ICA has further called on the Government to amend the Privacy Act 1988 to ensure insurers and relevant government authorities have the best information at hand to respond to disasters.

The peak body argued that current provisions to enable increased levels of data sharing during disaster situations – Section VIA (Emergency Declaration) and Section 16A (Permitted General Situations) – “are insufficient”, preventing critical data from reaching key stakeholders – whether government authority or insurer.

A suitable amendment would, it argued, help to “support community recovery by improving the practicality of an Emergency Declaration by expanding the criteria and consequences of an approval”.

This could be achieved through the introduction of a new “intermediate category of data-sharing”, or through “expanding the scope of Section 16A”.

The recommended changes to the data-sharing framework would, the ICA argues, support better assessment of claims and improved provision of services by governments and NGOs following a disaster.

Current data sharing arrangements have resulted in “poor outcomes for community members”, ICA said, citing a number of examples of the Government being unable to identify candidates for resilience grants, an inability to determine the authority responsible for disaster recovery, and vulnerable individuals living in disaster-ravaged and dangerous habitations due to government bungling.

The Council said it is currently collaborating with the National Resilience and Recovery Agency to develop policy that will enable the sharing of hazard-related data for improved planning, analysis, investment, and disaster response.

While the Morrison Government has yet to announce the election date, pundits expect it will settle on 14 May, exactly one week before the final date the Government can feasibly, and constitutionally, hold an election.