Data breach laws a wake-up call for clients

Sweeping changes to the way companies must manage data breaches may prove the catalyst for business to take up cyber insurance, and offer a fillip for brokers.

Until last Wednesday companies got off pretty lightly when falling victim to data theft and other breaches. There were no fines, penalties or adverse public fallout, so to speak.

Not any more. Companies with an annual turnover of at least $3 million are now duty-bound to inform people whose personal information has been compromised, as Canberra takes a hardline approach to cyber security.

Businesses must also report incidents to the Office of the Australian Information Commissioner, which oversees the Notifiable Data Breaches scheme that took effect last Thursday. Companies face fines of up to $2.1 million if they fail to comply.

“There is a lot of information now available on cyber security,” Law Enforcement and Cyber Security Minister Angus Taylor says.

“The onus is with business operators, with organisations and with government agencies, to put measures in place to reduce the risk of data breaches.”

Anecdotal evidence from the industry suggests more Australian bosses are getting their acts together on cyber security, conscious of the consequences should they run afoul of data protection laws.

Insurers and brokers have seen an uptick in calls from clients wanting to know more about the cyber covers that will protect their digital assets, and other forms of risk mitigation.

“From an insurance broker’s perspective, there have been a lot of conversations with our clients,” JLT Cyber-Security Specialist Samuel Rogers told insuranceNEWS.com.au. “It is not just about the fines and penalties.

“It is more of a requirement to investigate data breaches and the cost of reputational fallout. It ties in to all the internal costs that a company should be aware of.”

Now is the time for brokers to take the initiative and show clients the value they can bring to the table. Many businesses would no doubt have heard the terms “cyber risks” and “cyber protection”, but most still appear to be in the dark about what they specifically mean for their companies.

“Cyber insurance is not well understood,” Mr Rogers says. “There are a lot of differences in insurance policies in cyber as well. 

“Any opportunity a broker has to speak to their clients about their business and what can be done to mitigate their risks, it shows their value.

“The value for clients in using a broker is that hopefully the broker will explain what is insured under a cyber policy and give them a solid understanding of what is involved. That’s why you hire an insurance broker.”

It’s a view shared by specialist cyber insurer Emergence Insurance.

“The cyber insurance market is still an emerging area,” National Head of Sales Gerry Power told insuranceNEWS.com.au. “There is a large difference in the type of covers and that is where insurance brokers can add value to businesses to make sure they secure the most appropriate cover for the industries in which they operate.”

According to Barry.Nilsson Lawyers, companies are best served when they have thoroughly considered their cyber needs.

“Any risk mitigation strategy should also include a careful consideration of the value standalone cyber-insurance policies bring to the table for organisations caught by the [privacy legislation],” Insurance and Health Special Counsel Megan O’Rourke told insuranceNEWS.com.au.

“These policies contain specific cover designed to assist insureds in data breach situations, and can not only significantly mitigate the costs and expense involved, but allow insureds direct access to privacy specialists who can help them navigate the minefield of legal, technical and public relations issues these situations can create.

“One of the great assets of these insurance products, if not their greatest asset, is the claims response expertise built in to the policies.”

Survey results from global law firm Minter Ellison’s Perspectives on Cyber Risk report on Australia point to a vastly untapped market.

The proportion of respondents who have bought some form of cyber insurance grew to 62% last year from 39% in 2016, but only 40% are prepared for the mandatory data breach reporting regime.

“Our survey results indicate many organisations still have work to do in preparing for these laws, as well as implementing the protocols, policies and procedures necessary to mitigate their exposure to cyber risk,” Minter Ellison says.

“Organisations considering purchasing or renewing cyber insurance products should seek specialist advice to avoid potential gaps in cover.

“For the moment, however, Australia’s uptake of cyber insurance still lags significantly behind that of the established markets in the US and Europe.”

If the US experience is anything to go by, demand for cyber insurance should take off.

“The take-up of cyber insurance in Australia is low simply because there was no requirement to communicate data breaches to individuals,” Emergence’s Mr Power says.

“The cost of managing a data breach can be expensive. Cyber insurance needs to be seen as an integral part of a business’s risk management framework.”