Possible cyber changes could worsen affordability: ICA

Providing consumers with new pathways to sue for cyber breaches could increase claims costs and contribute to wider affordability issues, the Insurance Council of Australia (ICA) has warned.

A Department of Homeland Security consultation looking at measures to strengthen cyber security regulations and incentives has sought feedback on legal remedies available for consumers. It notes a direct right of action for personal information breaches is being explored as part of a Privacy Act review.

ICA says in a submission that affordability of insurance is an increasing concern in areas including directors’ and officers’, liability and professional indemnity insurance.

“We urge the government to approach with caution any measures that would place upwards pressure on these lines of insurance, which have faced significant increases in claims costs, and therefore premiums in recent years,” it says.

The Privacy Act proposal would likely increase associated risk for a business, introduce uncertainty in insurers’ risk assessments and increase claims costs, it says.

Currently, businesses must write to affected individuals and post website notices in the case of serious breaches, and people can follow up with the firm or complain to the Office of the Australian Information Commissioner.

“The Insurance Council views these existing remedies available to customers to be sufficient and proportionate and is concerned that calls for additional legal avenues for privacy actions are more reflective of perception rather than a compelling need demonstrated by available evidence,” it says.

The review is also examining governance standards for large businesses, following feedback that cyber security risk management needs to improve, and whether new voluntary or mandatory standards are needed.

ICA says the financial sector, including insurers, is subject to an Australian Prudential Regulation Authority standard and its focus on cyber resilience.

“We are conscious that any additional standards could be of limited, if any, value while potentially imposing significant additional compliance costs including continual monitoring, review and certification,” it says.

Any cyber security code adopted should have carve-outs for organisations covered by the APRA standard, while broadly any new standards should take account of existing sector-specific legislation and risk profiles, it says.

ICA supports measures to enable small and medium businesses to better protect themselves from cyber security incidents and says health checks proposed in the cyber security consultation may provide benefits.

Submissions on the discussion paper closed on Friday.