Compulsory cyber insurance to change the status quo
Road safety
The first car manufactured in Australia came in 1896. By 1927, a quarter of all Australian families owned a car. This ratio continued to increase steadily and reached a level that forced the government of the time to pass the Motor Vehicles (Third Party Insurance) Act 1942. This new law introduced the Compulsory Third Party (CTP) scheme. It provided a minimal level of protection for road users and allowed the car insurance industry to grow and mature. Insurance companies drove change. For instance, they innovated by offering premiums that took into account the driver's record. Before a vehicle could be registered, it had to pass a compulsory safety check (pink slip), and safety ratings appeared. Government further contributed to road safety by introducing breath testing in 1968, and the seatbelt became compulsory in 1973.
As a result of these continuous and concerted efforts, the death toll decreased by almost a factor of seven in close to 50 years (30 per 100,000 people died on the road in 1970 in Australia, as opposed to 4.4 per 100,000 people in 2021).
The role of government when it comes to the protection of cyberspace
Just as with road safety, a fundamental duty of the government is to protect its citizens in cyberspace. And just as with road safety, government cannot tackle cybersecurity issues alone. This task is far too complex.
Everybody agrees that collaboration across the sector is crucial. Every roundtable, every keynote, every workshop in cyber security has been reinforcing this point ad nauseam. What is missing is a concrete mechanism to bring all the different actors together: government, managed security service providers, security vendors and insurance companies.
I claim that the single most useful measure that any government could take is to introduce compulsory cyber insurance for any company handling third-party data. Let us call it the Cyber Compulsory Third Party, or CCTP insurance scheme, for short. CCTP is the concrete mechanism that brings all the actors together.
How would a CCTP scheme transform the cybersecurity landscape in Australia?
1. The scheme would apply to all companies. It would raise the bar for all organisations simultaneously. This will certainly help improve the security of the supply chain, which we know is so critical to the security of the entire ecosystem. Of course, the implementation of this scheme should be progressive and start with the largest companies, which tend to have a better grasp of their security anyway. But eventually, all companies would reach a minimal level of maturity, in relation to their size and requirements.
2. Every single organisation that has fallen behind would face a simple choice: lift its security posture by properly investing in cyber security or pay a large premium. Either way, it will cost them. But very importantly, there is now an incentive to fix the existing issues and improve over time, so that the premium next year is lower.
3. Create a mature cyber insurance industry that would lead the world. Cyber insurance is hard for a number of reasons: lack of relevant and accurate data, lack of standardisation of cyber incidents, the adversarial and asymmetric nature of the threats, etc. However, introducing a CCTP would create a strong and reliable market for cyber insurance and send a strong signal to insurance companies that it is worth investing in developing better models and innovative products.
4. Create a pot of money that could be used to immediately help the victims of a data breach. For instance, we saw last year, after the Optus breach, that it was not clear who was going to bear the cost of renewing documents such as passports and driving licences. Having a common fund would have solved the problem.
Unique opportunity for Australia
Instead of following whatever measures the U.S. or the U.K. are going to adopt, Australia has a unique opportunity to lead the way, create a strong industry and develop know-how that could translate into economic growth and exports. This requires a bold and maybe unpopular move from the government. However, I don't see how the current situation is going to improve without a radical change in the way the government approaches the issue.