The cyber insurance market in Australia is still quite immature, and stakeholders are trying to answer the question of what can actually be insured in the cybersecurity space.
Ms Pip Wyrdeman, Senior Adviser at the Office of the Cyber Security Special Adviser, said: "There are many impacts from a cyber incident; some can be insured against and some can't."
She said it's easy to see how the loss of one's computer systems due to malware destruction could be insured against, as could loss of income; however, she said, it starts to get unclear when it comes to customer data.
"You've not actually lost the data -- you still have it -- it's just that somebody else also has it. Presumably they've stolen it in order to monetise it or to do something otherwise nefarious with it."
There is a fundamental lack of the data insurers need to determine what effective underwriting of cyber needs to be, she said. The government has to set the agenda and determine the priority areas for attention in cyber insurance, she added.
Individuals and businesses also have to understand what is at the heart of their business -- in particular where data lives and who has access to it, and how the business would survive should a cyber-related incident occur.
Separately, at the forum, ASIC Commissioner John Price said that the corporate regulator expects company boards to understand what it takes to improve an organisation’s overall cyber resilience so it can survive and recover from an attack as quickly as possible.
Mr Price also put the cyber insurance industry on notice that it was being watched by the national corporate regulator.
“We focus on conduct of insurers and distributors through the lens of fair outcomes for consumers and investors.”
He added: “We expect cyber risks to be a component of (a company’s) enterprise risk management framework. To that end, seeking out tailored cyber insurance would clearly be one of several management strategies that could be pursued to help manage that risk.”