Insurance companies are readying for an influx of demand from businesses for cyber indemnity products when mandatory data-breach reporting laws are come into effect at year’s end.
Mandatory data-breach reporting has already been legislated in the United States and Europe.
Cyber security experts believe Australians will be shocked by the amount of data stolen from individuals and organisations daily when it is introduced in Australia.
AIG national cyber liability manager Emma Osgood said when the laws were passed in Australia, businesses would realise how common data breaches were, and their cost.
“The issue we have in Australia at the moment is a lot of companies still think it isn’t happening, simply because it’s not being reported,” she said.
“With the introduction of mandatory reporting we’ll get some information about the breadth and depth of what’s occurring. This will spur companies into realising what’s happening in their sectors.”
AIG’s Cyber Edge product has been sold in Australia since 2012, but the company introduced cyber insurance in the US in 1999. In the past 12 months sales of cyber insurance policies have started to pick up.
Business insurance comparison website BizCover said there were 12 insurers and underwriters in Australia selling cyber insurance, with various policies targeting big and small business.
Untapped Opportunity
“[Insurers] view this space as a greenfield site, an opportunity to get involved in an area that’s really untapped,” Ms Osgood said.
In 2014 CERT Australia, the government’s main point of contact for businesses affected by cyber security issues, responded to 11,073 incidents.
Of these, 29 per cent were from the energy sector, 20 per cent from banks and financial institutions and 12 per cent from communications businesses, according the Australian Cyber Security Centre 2015 Threat Report.
BizCover managing director Michael Gottlieb said the website had a jump in inquiries following the recent attack on cheating spouses website Ashley Madison, but this was not the case for all insurers.
Allianz global corporate and speciality underwriting manager Max Broodryk said insurance companies were more likely to receive a jump in inquiries when businesses such as Target or Adobe were breached.
“Ashley Madison is an excellent example of an incident that’s raised people’s awareness, but it’s extreme and it was done for [the attacker’s] own, public, purposes,” he said.
“It does illustrate some of the consequences of having an online business model though.”
Growing Market
Allianz estimated that the current market for cyber insurance in Australia was between $12 million and $15 million, but tipped it to grow rapidly.
Globally ransomware attacks grew by 113 per cent in 2014, according to the Symantec 2015 Internet Security Threat Report.
Malware creation also jumped 26 per cent, with 319 million new pieces created.
In the past six months Australian email and web security firm MailGuard has been inundated by queries from businesses wondering how to protect themselves from CryptoLocker ransomware.
CryptoLocker first hit the internet in 2013. It gets into a system, usually via infected email attachments, and malware encrypts files on the computer. The business or individual is then asked to pay a fee for the files to be unlocked.
MailGuard chief executive Craig McDonald said there had been up to a 40 per cent increase in queries in the past six months about CryptoLocker.
“Two groups I chatted to last week had been hit twice in one week,” he said.
“It costs between a few hundred and thousands of dollars to unlock the files. These criminals are making hundreds of millions of dollars doing it. Most people just pay because once the files are encrypted you can’t do anything unless you have them backed up.”
Mr McDonald said cyber insurance was a good way for businesses to give themselves extra protection.
“It’s a great idea … One incident could cause a business to fail,” he said.
Source: Financial Review