Errors and long tails among key cyber threats, seminar hears
About one in three cyber incidents that cause insured losses is the result of human error, a senior actuary told yesterday’s Insurance News cyber seminar.
Mistakes such as sending a document to the wrong person also make up about one-third of reported cyber incidents, and they are generally included in policy terms, Taylor Fry principal Win-Li Toh said.
While the number of cyber breaches is growing, Ms Toh said this may be in part due to greater awareness of the Privacy Act and the need to report them.
“Not all these breaches are due to malicious or criminal attack. Only two thirds of them are – human error caused the rest,” she told more than 100 attendees at the seminar in Sydney yesterday.
“I don’t mean clicking on phishing emails, because that’s malicious attack. It can include things like erroneously sending a spreadsheet to the wrong recipient with personal data – who's never done that before, and then it’s retracted?
“That sort of thing is actually covered by a lot of cyber insurance.”
Last financial year, more than 1000 incidents were flagged under the notifiable data breaches scheme.
Ms Toh said high-profile cases such as the Medibank hack “really put Australia on the map for cyberattackers”, and small businesses are now targeted due to their weaker defences.
Significant cyber incidents can produce a long-tail insurance claim, she warned.
“Even as an actuary, I had to dig quite deeply to see what it really cost Medibank ... and what I saw was that the cost can go on for years. A spectrum of fines, penalties and other surprising costs can arise from a breach.
“If Medibank was insured, which it was not, a lot of this would have fallen on the insurance industry.”
That breach came when an employee of a third party synchronised their Medibank credentials to a personal internet profile from a work computer; the credentials were then stolen.
“I can see how that can happen quite easily. How many people’s Teams, emails are on your mobile device? So it can happen quite easily – many [businesses] might have all these thick walls, but does your mobile device?
“Medibank is still paying for it and will do so for some time.”
The first year cost $40-$50 million, or 5% of Medibank’s annual operating expenses, for heightened security, legal and other costs, regulatory investigations and litigation. Another $40 million is budgeted in the year to next June, associated with lifting business resilience and restoring customer trust.
“There’s more to come yet,” Ms Toh said. “It is quite important to cyber insurers to know, what else are you covering, other than just the legal and forensic investigations?”
She said Medibank is facing five legal actions, which are not yet on the balance sheet as management have said it is not practicable to estimate the financial impact.
Ms Toh recommends boards be better prepared.
“A cyber incident is a long tail, you don’t see the cost disappear in three or six months, even in three years. So the kind of analysis you have to do stretches out years,” she said.
See next Monday’s Analysis for more on the cyber seminar.