Cyber Liability Insurance – Insuring the Intangible

Australian businesses are becoming increasingly reliant on digital technologies. At the same time, cyber crime is booming, costing the Australian economy an estimated $4,500,000,000 annually (yes, that’s billion with a B).

Security vendor Sophos has reported that in 2017 alone, 48% of Australian businesses were targeted by Ransomware. Was your business one of them?

Regulation in the area of data protection and privacy is rapidly developing to meet this changing threat landscape.

This February saw changes to the Privacy Act, introducing mandatory data breaching reporting obligations. See here for more.

More recently, the EU’s General Data Protection Regulation took effect, with penalties of up to €20,000,000 or 4% of a company’s global annual turnover, for breaches of data protection obligations. See our upcoming article on the GDPR for more.

As should be clear from the preceding, cyber-crime is already one of the leading risks to Australian businesses. Now add the risks from ex-employees stealing commercial data, current employees accidentally disclosing confidential information (it happens), and the potential for hardware failure with valuable data loss (when was the last time your system was backed-up?). This is all without even factoring in the potential financial implications of regulatory action.

So how do businesses go about mitigating some of this risk?

Cyber Liability Insurance

Cyber insurance is not exactly new, and policies are offered by most of the major insurers in Australia.

What has changed is the level of risk to which a business may be exposed without insurance protection. Cyber risk is one area in which businesses are often under insured or (worse still) not insured at all.

With the changing marketplace there have also been changes to the policies available on the market (largely providing more cover for more things). This makes it an ideal time to consider whether your business could benefit from such insurance.

Whilst policies vary, there are a number of benefits to look out for when considering insurance, including cover for:

  • losses from cyber-attacks
  • ransom/extortion demands;
  • investigation and data recovery costs;
  • business interruption costs;
  • hardware failure (though this may also be covered by other insurance you have in place);
  • regulatory penalties/fines; and
  • certain PR and crisis management costs.

This list is by no means exhaustive, and you should consult an insurance broker to discuss your particular requirements. Ensuring you have the most suitable product, providing the right type and level of cover, is essential. 


There is no such thing as perfect security, just ask Yahoo!, the Commonwealth Bank, or Facebook. A determined hacker need only succeed once, whilst your security needs to successfully defend against every attack every time; are you willing to bet your business on it?

Whilst mitigation and appropriate risk management strategies are important (and we have previously discussed this), businesses also need to plan a response for when, despite best endeavours, things go wrong.

Unfortunately, it is often a case of ‘when’ rather than ‘if’ when it comes to experiencing a cyber incident (be it malicious or accidental). Cyber insurance is now a mature product which can afford protection to businesses which other insurances may not.

Much like workers’ compensation and public liability insurance now, cyber insurance will, in the not-too-distant future, be indispensable protection for Australian businesses.

The information published in this paper is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.