Insurance organisations accounted for 9% of 483 reported cyber incidents in the second half of last year, making them the third most targeted industry in Australia.

The Australian Information Commissioner says it received 45 insurance industry notifications in the half. That was topped only by finance groups, which had 49, and health service providers on 104.

There were 24 insurance sector notifications for malicious or criminal attacks, 15 for human error, and six for system fault.  

“Health service providers and the finance industry have consistently reported the most data breaches of all sectors since the Notifiable Data Breaches scheme began,” the commissioner said.

Some 18% of breaches in the insurance sector took more than 12 months to be reported to the commissioner – a significantly higher proportion than other frequently attacked sectors.

The overall number of breaches was up 19% from first half of last year. There were an additional 121 secondary notifications, up from 29 in January to June last year.

Commissioner Angelene Falk says an increase in incidents that affect multiple parties is “seeing data breaches grow in complexity, scale and impact”.

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers,” she said.  

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.” 

The commissioner is cracking down on failure to comply with reporting requirements or take reasonable steps to protect personal information, and organisations holding onto data longer than is necessary.  

In two determinations made last year the commissioner ordered entities to include details of insurance coverage, including the extent of the coverage and contact details of the insurer, in their data breach response plans. 

See the report here.