Cyber risk and cyber insurance continue to gain attention. Cyber attacks and data breaches was revealed as the number 5 risk for Australian businesses in Aon’s 2019 Global Risk Management Survey. Recently we have witnessed significant cyber claims manifesting, in some instances rapidly, both in Australia and around the globe.
The Australian cyber insurance market continues to grow. Aon estimates the local cyber insurance market now exceeds $100 million. Grand View Research estimates the global cyber insurance market is valued at US$4.3 billion .
- General Data Protection Regulation (GDPR) has wide ranging implications. Recently, we have seen a willingness of the regulator to impose significant fines against European and US headquartered organisations. For example, British Airways and Marriott were both fined £183 million  and almost £100 million  for recent data customer breaches. Australian companies could also be at risk.
- The Australian privacy regulator, Office of the Australian Information Commissioner (OAIC), has taken a more consultative and informative approach. The first annual report from Australia’s Notifiable Data Breaches scheme revealed that there were 964 eligible data breaches reported in the first 12 months of the scheme . However, there are proposed amendments to the Privacy Act which will increase the power and authority of the OAIC more closely aligning to the EU’s GDPR.
- Data breaches have resulted in some of large losses to the industry over the last 12 months. However, business interruption losses and the speed at which they manifest is causing the greatest concerns to insurers in 2019.
- Ransomware has received increased interest from insurers and the media given the frequency and severity of claims and incidents. Beazley’s recently reported that the number of ransomware incidents have increased by 37 percent .
- Looking ahead – silent cyber is likely to dominate the landscape for the following few years. Insurers will continue to grapple with the intent of existing policies. They will have to decide if their traditional policies will affirmatively respond or exclude cyber incidents.