Thursday, November 10, 2022

Return to listings

Major changes to data breach penalties proposed: Why it could be time to revisit your cyber insurance limits

Attorney-General, Mark Dreyfus has introduced a bill to amend Australian privacy rules following a series of highly publicised data breaches impacting consumers. The proposal includes increased penalties for serious or repeated data breaches, and it aims to ensure companies uphold strong data security measures.

What is the proposed regulatory change?

Under the current Privacy Act (1988), the maximum fine for serious or repeated breaches of privacy is just $2.2M for companies that exceed $3M in revenue. Under the proposed bill, penalties would increase to the higher of the following:

  • $50M;
  • Three times the value of any benefit obtained through the misuse of the information; or
  • 30% of a company’s domestic revenue in the relevant period.

In addition to increased penalties, the proposed bill would hand the Australian Information  Commissioner (AIC) greater powers to resolve privacy breaches.

What does this mean for your cyber insurance limit?

For companies with existing cyber insurance, pleasingly, most policies will respond to third-party claims arising from a cyber-attack, as well as fines and penalties from regulators.

Based on a review of the cyber insurance limits purchased by our clients, the average cyber limit for companies under $100M in revenue is approximately $2.5M. For companies over $100M in revenue, the average limit is closer to $4M.

Whilst there are various factors to consider when estimating the maximum foreseeable loss a business could face due to a data breach, one thing we know is the proposed maximum fine for serious or repeated breaches. Currently, fines are generally sub-limited or capped by insurers and a $50M limit may not be feasible or attainable for all companies. Having said this, there is certainly merit in reviewing your current limits as the risk of cyber incidents has increased.

NEXT STEPS

In light of the proposed changes, we have held discussions with several clients about the appropriateness of higher limits and believe this is something all companies should consider in preparation for their next insurance renewal.

We will continue to provide updates on the proposed changes as the situation evolves. If you’d like to discuss the adequacy of your current limit, or if you are considering Cyber insurance for your business, please reach out at any time.

Nathan Mauriello

Senior Client Executive – Professional and Executive Risks

Nathan.Mauriello@honan.com.au

Return to listings