The need for bespoke cyber insurance for cyber

In the face of growing e-commerce and cyber-attacks, costs to
address information breaches, and increasing legislation
(particularly in the area of privacy law), it is not surprising
that attention is turning to insurance as a tool for managing cyber
risks. Insurance policies for cyber risk have been used for some
years in the USA, but are gradually gaining exposure in

Most traditional property and liability insurance policies are
unlikely to be triggered by cyber risk events (which do not involve
traditional risks such as physical damage to tangible property or
physical injury to persons). There may be some limited cover for
certain cyber risks through extensions and endorsements to
different types of policies. However, that cover may be disjointed
or inadequate. It is not uncommon for the policies which form the
traditional foundation of a company's insurance protection to
exclude expressly loss, damage or liability arising from cyber

The most well-known example of the disconnect between
traditional insurance policies and the risks associated with
cyber-attacks involves Sony. Sony incurred a range of liabilities
and costs as a result of hacking activity that compromised data
held by the corporation. Sony ended up in litigation with its
insurers over whether its liability insurance responded to its
losses. Relevantly, Sony faced the difficulty of proving that the
cyber-attacks constituted damage to property within the scope of
the traditionally worded policy terms.

The features of cyber risk insurance

Cyber risk insurance policies are structured to remedy the
inadequacies of traditional insurance by dealing with cyber risks
specifically and broadly. The nature and extent of coverage can
vary significantly. This may reflect different appetites for the
risks, but could also signal the fact that the market for this
insurance in Australia is relatively new.

Often the underwriting process requires prospective insureds to
demonstrate a certain level of security to protect against
cyber-attack and data breaches. The purchase of this insurance will
not only provide some protection, but may also require a company to
review and update its own internal policies and procedures.

Cyber risk insurance products may differ. Typically, they have a
number of triggers for cover which may include:
Failures in data security processes;
Acts of employees (negligent or intentional);
Acts by third parties;
Virus infections; and
Breaches arising out of incorrect procedures used by host or
cloud service providers.

Although it is difficult to generalise about all available cyber
risk policies, the insurance is usually divided between first party
loss (losses incurred by the insured itself) and third party
liability (liability of the insured to third parties). In respect
of first party loss, coverage may extend to:
Damage to property, both physical and electronic;
Investigation and notification costs;
Repair and replacement costs;
Public relations costs; and
General business interruption costs.

In terms of third party liability, available coverage may
Compensation or settlement of claims involving breach of
Compensation or settlement of claims for infringement of
Compensation or settlement of claims associated with
Compensation or settlement of claims of misleading or deceptive
Fines and penalties imposed by law and regulation; and
Legal costs for such actions.

The new risk management environment

The increasing use of electronic media has provided businesses
in every sector with both greater commercial opportunities and
greater exposure to exploitation. Without awareness of the wide
range of risks facing companies operating in cyberspace, the cost
to business of an attack or a breach can be significant. These
costs will increase further if mandatory data breach reporting is
adopted in Australia.

By planning ahead with a risk management strategy involving
cyber risk insurance, companies that grow more dependent on their
electronic systems can prepare to limit the damage to their
networks, their customers and their reputations.

Clayton Utz communications are intended to provide
commentary and general information. They should not be relied upon
as legal advice. Formal legal advice should be sought in particular
transactions or on matters of interest arising from this bulletin.
Persons listed may not be admitted in all states and