Earlier this year, a report co-written by Lloyd’s of London and Cyence found that the average cost of a major cyber attack could soon reach $67.1 billion.
And that's not counting the reputational damage organisations face from compromising customers’ data.
With the cyber threat now so enormous, what measures are in place to protect businesses and minimise damage?
Enter cyber insurance.
Speaking at a special cyber insurance event on Thursday, Managing Director at FTI Consulting, Dawna Wright, described cyber insurance as “quantifying what might at first seem unquantifiable.”
Cyber insurance is a fast-emerging and still immature industry that looks to protect businesses from cyber-based risks.
Senior Adviser for Cyber Policy in the Department of the Prime Minister, Pip Wyrdeman, has been in her role for just over a year, but has already been submerged in the murky world of cyber insurance.
“There are many impacts from a cyber incident, some can be insured against and some can’t,” she said.
“It’s easy to see how the loss of one’s computer systems can be insured against, and it is possible that loss of incomes might be insured against.
“But it starts to get confusing in situations where you’ve stored personal or financial data about customers or clients, and that gets exfiltrated.”
This is exactly what happened in the United States in 2013, when the credit card and personal information of 110 million Target customers was compromised, thanks to a major breach.
The impact from this attack was widespread on a personal, financial and organisational level, but ultimately unquantifiable, illustrating the difficulty cyber insurance underwriters face.
There is also confusion around who should be insured in such a scenario.
“Who needs to be insured for what?” asked the Chief Information Security Officer for the NSW government, Maria Milosavljevic.
“You can’t outsource accountability. So, you point to the company and say they are fully responsible, accountable and liable.
“And you can’t point to the individual and say you shouldn’t have provided your data.
“And what exactly is the harm? The harm may not be visible for years.
“We need a significant and systemic change and to start moving towards a world of mutual responsibility.”
Taking responsibility around cyber may take the form of mitigation.
Companies that invest in their cyber security programs will be better equipped to withstand an attack, and therefore less dependent on cyber insurance.
And this might create a change.
“We can raise awareness and teach people until the cows come home, but I believe people need to be motivated to act, and while we could go down a heavy regulation path, I believe cyber insurance could be a tool to drive good cyber behaviours,” said Wyrdeman.
“If we can assist insurers to define what ‘good’ cyber looks like, which we can do by using the advice provided by the Australian Cyber Security Centre, insurers can put in place systems that reward these good behaviours.”