No time to lose as cyber threats grow: ICA CEO

The Insurance Council of Australia (ICA) has urged the Federal Government to act quickly on fixing the “patchwork” of policies, laws and frameworks that are hobbling the country’s cyber deterrence. 
 
ICA CEO Andrew Hall also pressed for more government support to bridge the cyber protection gap facing Australian businesses, specifically in the form of a “public-private cooperation” model that is currently under consideration in the US and the UK. 
 
“The immediate priority for the Government must be cleaning up the existing regulatory framework around cyber security,” Mr Hall said. 
 
“Navigating this patchwork creates not only an impost on business, but uncertainty. Business leaders should have a clear understanding of what obligations they must meet. Regulatory complexity serves our adversaries, not our defence.” 
 
He says he understands the Government is considering a new cyber security act but cautions the process will take time, which businesses and individuals do not have. 
 
“The process of creating new legislation is a long one. The national project that is improving our cyber posture cannot wait for a new Act,” Mr Hall said. 
 
“To this end, we encourage further clarity on existing definitions in the Security of Critical Infrastructure Act.” 
 
Mr Hall, who was speaking at a Clyde & Co cyber summit last week, says the industry alone cannot manage the growing cyber danger, such as “catastrophic” cyber-attacks from hostile state actors or terrorist groups.  
 
There is a need for a “public-private” response to the cyber protection gap, similar to the ones that the UK and US are considering. 
 
“We want to improve the accessibility of cyber insurance across the Australian economy,” he said, adding “there are limitations to the market’s risk appetite”. 
 
At present many insurers are reluctant to provide cyber insurance, or instead provide limited cover, given the high cost and difficulty in pricing cyber risk due to its rapidly changing profile. 
 
“Insurers alone cannot accept the risk associated with catastrophic cyber-attacks, such as those that involve a state or terrorist actor, or those that significantly restrict or even bring down critical infrastructure,” Mr Hall said. 
 
“In the United Kingdom and the US, governments are exploring how public-private cooperation can bridge this risk gap. 
 
“The insurance industry would welcome a local opportunity to partner with the Government on a similar solution.” 
 
UK media reports say insurers in the country have had initial talks with Treasury over whether the Pool Re terrorism reinsurance scheme could be expanded to include state-sponsored or war-related cyber attacks. 
 
In the US the Government Accountability Office last year recommended Treasury’s Federal Insurance Office and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.