While Australia's cyber insurance market is still quite immature, the government needs to set the agenda and determine the priority areas for attention, according to Pip Wyrdeman, Senior Adviser Cyber Policy for the Office of the Cyber Security Special Adviser at the Department of the Prime Minister and Cabinet (PM&C).
Speaking at the InnovationAus Cyber Insurance 2017 conference in Sydney on Thursday, Wyrdeman said government cannot do it alone, and in addition to partnering, it will require individuals and businesses to understand what is at the heart of their business -- in particular where data lives and who has access to it, and how the business would survive should a cyber-related incident occur.
Wyrdeman said her department has had many discussions with those providing and seeking cyber insurance, and the fundamental question that always comes up is what can actually be insured in the cybersecurity space.
"There are many impacts from a cyber incident; some can be insured against and some can't," she explained.
She said it's easy to see how the loss of one's computer systems due to malware destruction could be insured against, as could loss of income; however, she said it starts to get "murky" when it comes to customer data.
"It starts to get murky in situations where you've stored personal or financial data about customers or clients and that gets exfiltrated," Wyrdeman explained.
"You've not actually lost the data -- you still have it -- it's just that somebody else also has it. Presumably they've stolen it in order to monetise it or to do something otherwise nefarious with it."
According to Wyrdeman, that's where some "very good minds" need to engage on what that means for the cyber insurance industry.
"The cyber insurance market in Australia is still quite immature and there is a fundamental lack of data that enables insurers to determine what a more effective way to underwrite cyber-related matters needs to be," she said.
But she said first there is a need to increase the feeling of trust and security in the masses to allow businesses to move safely into the future.
"The best way forward is to go back to the fundamental principle of the cybersecurity strategy and work in the partnerships space, with the partners each taking on the different tools that are available to us to achieve what we're trying to do," she said, speaking of Australia's AU$240 million Cyber Security Strategy.
She said the government is trying to increase awareness, in areas such as upskilling the population and increasing cyber hygiene.
"What we really need to do is increase the knowledge and capability of those who engage in the online world to ensure resilience," she said.
"People need to be motivated to act, and while we could go down a heavily regulated path, I think cyber insurance could be a much better tool to drive good cyber behaviours.
"If we can assist insurers to define what 'good' looks like, which we can do by utilising the advice provided by the Australian Cyber Security Centre, insurers could put policies in place that reward those good behaviours."
Wyrdeman said it's up to the government and the insurance industry to keep working at a solution.
"Keeping the conversation going between government and the insurance industry -- that information sharing piece -- is going to be crucial to achieve what we are all trying to achieve which is a secure, vibrant, digital economy," she concluded.