Different approaches to covering cyber threats have created confusion in the insurance market, according to Deloitte Cyber Risk Services Partner Tommy Viljoen.

He says organisations do not understand what is covered.

“There is a lack of understanding of how these products work and how business can try and transfer risk,” he told insuranceNEWS.com.au.

There is also a level of scepticism towards cyber insurance.

“I think the insurance industry is going to have a really large task to try to conduct business around cyber insurance.”

Mr Viljoen says some insurers are seeking limited information about businesses, while others examine risk profiles and want to know how a client has prepared for a cyber attack.

Australia lacks data on security breaches that would inform insurers and clients about likely losses.

The average cost of a data breach in Australia is estimated at $2.5 million, and that will rise if Federal Parliament passes a bill to make notification mandatory.

“Given there is no legislation for breach notification in Australia and that most organisations are focused on prevention as opposed to detection, there is significant under-reporting of cyber breaches in Australia,” Mr Viljoen said.

James Nunn-Price, who has joined Deloitte Australia to expand its Cyber Intelligence Centre, says Australian companies operating abroad in jurisdictions such as the US are required to report breaches. This has happened without any notification to customers at home.

He says the risks are evolving faster than businesses can react. Several insurance forums are working on standards for cyber insurance, but the traditional compliance method of “ticking the box” on a checklist will not work and a more proactive approach is needed.