A recent review of the Terrorism Insurance Act by the National Audit Office has opted to leave protection for cyber incidents off the table - for now.
The Act was established in 2003 after the September 11 terrorist attacks to address market failure in terrorism insurance coverage, as an interim reinsurance measure while the appropriate cover was unavailable on the private market.
Managed by Treasury’s Australian Reinsurance Pool Corporation (ARPC), the $13.4 billion fund covers losses involving commercial property, business interruption losses and public liability, with insurers paying premiums to the ARPC for the coverage.
Importantly, the scheme does not provide coverage for cyber terrorism incidents, despite mounting concern in both the public and private sectors of the dangers of targeted attacks.
Other notable exclusions from the scheme include nuclear attacks, acts of war, radiological damage and property owned by state or federal governments.
The latest review of the scheme by the Australian National Audit Office (ANAO), which happens every three years, did take into account the increased incidence of malicious digital activity.
It noted that while the issue an emerging one requiring attention, “there is yet to be a clear and evident market failure in relation to physical property damage from cyber terrorism requiring government intervention through the Act at this time”.
One thing complicating the issue is that cyber attacks are increasingly state-sponsored, or often for espionage purposes rather than causing outright damage.
Recent examples include the ANU, Marriott and the federal parliament data breaches, all of which China is suspected to have played a role in.
Even if the attacks had done more than steal data, the scheme may be hamstrung in the case of state-sponsored attacks due to the fact it doesn’t cover acts of war.
However, the ARPC is continuing to explore the issue ahead of the next review, engaging the OECD Directorate for Financial and Enterprise Affairs, along with the Cambridge Centre for Risk Studies, to undertake a 12-month study into the nature and cost of physical damage to commercial property (which includes interruption to business) caused by acts of cyber terrorism.
“The study will identify and explore current and prospective threats, likely scenarios as well as the practicalities of extending insurance coverage to include cyber terrorism in Australia,” the ANAO said.
The final report is expected by the end of this year, and will be shared with Treasury to inform the 2021 review of the terrorism reinsurance scheme, including whether there’s enough evidence to include provisions for cyber terrorist attacks.
Already, the Criminal Intelligence Commission estimates the direct costs of cyber attacks to directly cost the Australian economy at least $1 billion a year.
