Organisations making false claims about their cybersecurity are a growing problem and insurers can “act as a check” on the practice, according to a Monash University report.

The paper says “cyberwashing” creates a false sense of security that can lead to serious consequences for consumers and businesses.

Some organisations are keen to promote their IT security credentials to satisfy regulators, stakeholders and consumers, Monash notes.

“Cyberwashing refers to the practice of organisations misleadingly promoting their cybersecurity measures or data privacy practices to appear more secure or responsible than they actually are. This can involve overstating the effectiveness of their security protocols, downplaying past data breaches, or using vague language to create a false sense of security among consumers and stakeholders.”

The report says there are ways – aside from a properly functioning enforcement framework – to combat cyberwashing.

“Insurers could deny coverage if it is found that the company failed to maintain its stated level of cybersecurity or misled them in the underwriting process,” the report says. “In this sense, cyber insurance can act as a check on cyberwashing by holding companies accountable for accurately reporting their cybersecurity efforts when seeking coverage.”

Cyber insurance policies require organisations to meet certain security standards and accurately report their cybersecurity practices.

“Failure to do this may void a policy. If a company has misrepresented its security posture through cyberwashing, it may face difficulties in making successful claims.”

Cybersecurity expert Nigel Phair, the report’s lead author and a professor at Monash’s Faculty of Information Technology, says while the notifiable data breach scheme has a good framework, “it is not enforced sufficiently often enough”. He told insuranceNEWS.com.au the Australian Securities and Investments Commission can do more to clamp down on cyberwashing.

“If it is unhappy with how companies greenwash their credentials, it should be equally broadening enforcement to how companies are cyberwashing their credentials,” Professor Phair said.

“I would like it as part of its industry supervision to look at how organisations are espousing their cyber credentials and use the tools ... at its disposal to do something about it.” 

ASIC has acted against corporate greenwashing, and the regulator listed inadequate cybersecurity among its enforcement priorities for this year.

At a cyber conference last September, ASIC commissioner Simone Constant said: “We don’t want to see the rise of cyberwashing. When companies make disclosures, public statements and give assurances about their cyber safety ... they need evidence.”