Cyber risk and cyber insurance continue to gain attention. Cyber attacks and data breaches were revealed as the number 5 risk for Australian businesses in Aon’s 2019 Global Risk Management Survey. Recently we have witnessed significant cyber claims manifesting, in some instances rapidly, both in Australia and around the globe.
The Australian cyber insurance market continues to grow. Aon estimates the local cyber insurance market now exceeds $100 million. Grand View Research estimates the global cyber insurance market is valued at US$4.3 billion.
- The General Data Protection Regulation (GDPR) has wide-ranging implications. Recently, we have seen a willingness of the regulator to impose significant fines against European- and US-headquartered organisations. For example, British Airways and Marriott were fined £183 million and almost £100 million respectively for recent customer data breaches. Australian companies could also be at risk.
- The local privacy regulator, the Office of the Australian Information Commissioner (OAIC), has taken a more consultative and informative approach by releasing quarterly and yearly reports on the types of breaches and attacks being reported in Australia. The first annual report from Australia’s Notifiable Data Breaches scheme revealed that there were 964 eligible data breaches reported in the first 12 months of the scheme. However, there are proposed amendments to the Privacy Act which will increase the power and authority of the OAIC, aligning it more closely with the EU’s GDPR. The proposed amendments will increase the maximum financial penalty for breaches to $10 million (up from $2.1 million). The OAIC will also be granted another $25 million in additional funding to investigate and respond to breaches.
- Data breaches have resulted in some large losses to the industry over the last 12 months. However, business interruption losses and the speed at which they manifest are causing the greatest concern to insurers in 2019. There is no requirement to notify the OAIC of business interruption incidents that haven’t involved a data breach, so it is highly likely that losses to the insurance industry will not align with the facts reported by the OAIC.