Cyber Insurance and the Claims Environment: Considerations for Australia

In Australia, there has historically been limited concern with data breach liability impacts, with a major contributing factor being Australia’s lack of tort of ‘breach of privacy’. Whilst the liability aspect of cyber risk may be changing, driven by heightened regulatory scrutiny and the evolving nature of silent cyber, the dominating concern remains focused on operational impacts and incident response. For too many organisations, and for too long, this has remained an afterthought, with cyber insurance still being relegated as a ‘privacy’ styled insurance solution.

It cannot be overstated – organisations must ensure their cyber policy, critically the business interruption (BI) component, aligns to their risks. These are extremely complex and fast-moving matters, and regular assessment of risk, and potential losses, including where costs will accumulate, should be measured and assessed against cyber insurance policies.

A cyber attack is generally not a one-site incident and the onus is on the insured to aggregate their total global losses. A contributing factor to resolving business interruption losses is ensuring appropriate attribution of the incident is aligned to the organisation’s assets – this is often a missing ingredient when engaging with insurers.

Organisations should do a ‘deep dive’ on specific and dedicated scenarios and tie the losses to insuring clauses and definitions. This is particularly important given silent cyber challenges.

The evolving nature of cyber issues means organisations need to consider all factors to mitigate the risk and understand how, if an incident should happen, they can manage their cyber insurance claim as effectively and efficiently as possible.

A cyber insurance claim may share similarities with a more traditional first party property or third-party casualty claim, however the issues are more complex and there are pitfalls to navigate.

Delayed insurer notification can be a challenge for organisations, particularly if they underestimate the scale of the incident and try and deal with it inhouse before engaging insurer support. It is critical to keep insurers appraised in the immediate term to support the response, so all parties can work to reduce the cost burden. There can also be a question of knowing who to call which is vital in order to quickly mitigate any further damage.

Organisations should know well before an incident ever happens who its response partners are in critical areas like forensics, legal and public relations, and ideally have the key responders identified and pre-agreed with insurers.

The devil is in the detail, so it is crucial that organisations are thoroughly familiar with their policy, as BI losses are amongst the most challenging types of claims to adjust, and cyber BI is even more challenging.

Also, organisations should ensure their cyber policy aligns to operational exposures, of which a data breach is part, including computer systems, third party supply chains and their collective inoperability, all of which are leading risk factors in Australia.

In order to help organisations get prepared, take control and optimise recovery in the event of a cyber attack, Aon and Crawford cyber incident and claims experts globally have produced a new guide to successfully managing cyber claims. Download the guide for further insights. You can also tune into our on-demand webinar to learn more.

Find out more about Aon’s cyber risk management solutions.