The imposition of Australia’s first civil penalty for a data breach is a wake-up call to check fines and cost cover in cyber policies, experts at Willis say.

Australian Clinical Labs was fined $5.8 million plus legal costs this month over its handling of a 2022 cyberattack, marking the first civil penalty imposed under the Privacy Act.

Privacy commissioner Carly Kind labelled it “an important turning point” in enforcement.

Penalties of up to $50 million – or up to 30% of turnover or three times the benefit derived from misconduct – have been in place since late 2022, and Willis technology, cyber and privacy risk Pacific consulting leader Leah Mooney is urging policyholders to check they have sufficient cover for fines.

“This is an underutilised cover in Australia, but last week we had a civil penalty. So if you have cyber insurance – and you have got that fines and penalties cover – check that the scope will cover that,” she told attendees at CyberCon in Melbourne.  

Willis senior associate Tom Hosking says fines and penalties may traditionally have been subject to exclusions, but cover for legal action is now more often in play as part of overall cyber policies.  

“Increasingly, we’re seeing cover for those kinds of losses, not just for the defence costs and the investigation costs and the cost to respond,” he said.

At a session titled Where Does Cyber Insurance Go in 2025 and Beyond? WTW cyber and technology industry leader Ben Di Marco said after swinging from a hard market to two years of large rate reductions, the cyber insurance space has stabilised.

“[We think] we’ll stay in this type of stabilising state for the next 18 to 24 months, but then we suspect that towards the end of next year, or another year after, we’ll see the market start to harden.”  

Insured losses in cyber are dominated by supply chain events, healthcare and education claims, he says, and settlement costs, fines and business interruption are large contributors. 

From the latest Insurance News magazine: How to unleash the power of AI without hallucinating your way into a scandal