Beyond data breach notification laws

While Australia will see the introduction of mandatory data breach notification legislation in February 2018, it is not the “be all and end all” of cyber risks that brokers should be focusing on.

In fact, data breach accounted for 25 to 30 per cent of all claims that CFC Underwriting, a Lloyd’s Managing General Agent, saw globally in the last 12 months, and a “majority” of those were from the US, which has “robust” breach legislation, notes James Burns, Cyber Product Leader with the specialty underwriter.

“Globally 70 per cent of all claims are not data breach related and if you take the US out of the equation … an even bigger proportion of claims that we are seeing are not data breach related,” he tells IRP.

“Cyber-crime is an area where we are seeing one of the biggest increases in the volumes and quantum of the claims – and it’s far outstripping data breach claims at the moment. In the SME market specifically, we are seeing a lot of cyber-crime, such as theft of funds, social engineering, the CEO or President fraud style claims, anything involving a company being tricked into wiring funds to the fraudsters’ account.”

Burns adds that among large corporates, business interruption claims from cyber breaches are on the rise. These include system failures and outages of principal systems that leave the business unable to transact with customers, costing it revenue and profit.

Take the NotPetya ransomware attacks early this year as an example: shipping giant Maersk experienced a two- to three-day outage, but the operational impact was felt for weeks. Maersk CEO Soeren Skou has now said it is going to cost the company between US$200-$300m.

“So this is much more than data breach, and privacy. It is about operational impacts on business,” Burns emphasises.

“What I think we need to be careful of is overstating the potential impacts of the new data breach legislation,” he points out.

“There are all these other issues, such as BI, cyber-crime, etc and the challenge in the Australian market is making sure those messages get communicated to clients.

“We need to make sure that our discussions around cyber aren’t all about these new breach notification laws because many companies in Australia don’t necessarily collect personal data, for example, large manufacturing companies, logistics companies. The challenge is in showing them that cyber insurance is important for them too, and overcoming the thinking that because they don’t collect personal data … they don’t have a cyber risk, when they do, as we’ve seen with NotPetya.”

Burns says brokers are critical in this space because they help insurers understand what the client’s business looks like: what the impact of an event such as NotPetya, or another ransomware event, could be; what it would mean for the business’s ability to transact with customers and to generate revenue; and, if the business holds data, where that data is held and what a breach would cost.

For more from CFC Underwriting’s James Burns and the data breach notification legislation, look out for the February issue of your member magazine Insurance Adviser.