Cyber insurance is becoming an essential element to many organisational responses to increased cyber risk – but why are coverage rates in Australia so low?
Cyber insurance has been around in various forms since the 2010s when it was relegated to SMBs looking to meet tender requirements or smaller banks mitigating the risks associated with entering the online banking world. The types of cover provided were inconsistent and depended on the provider.
However, in the modern world, there is increasing demand for cyber insurance, and it’s no longer considered a niche product that providers tailor to cover bespoke circumstances. Significant infosec breaches have made the public aware of the ongoing impacts of cyber events – and Australian consumers are now more wary than ever of having their sensitive information exposed.
Together, these factors make the demand for cyber insurance broader and the need for protection more vigorous. Today, Australia has a substantial cyber insurance market, with many providers offering solutions that specifically cover cyber events.
Most of these insurance products are “wholesale” by classification and need to be supplied by a licensed insurance broker. However, most general insurance brokers are not familiar with the technologies involved with cybersecurity. As businesses must ensure they have cover that matches their needs, they will only get insurance supplied by specialist brokers – leading to a perceived shortage of specialist cyber insurance.
It used to be said that cyber insurance was the insurance you couldn’t sell – now it’s the insurance that’s hard to buy.
High recent loss ratios from the market – with some underwriters paying out $1.20 for every $1 received.
Providers reducing the coverage – for example, ransomware attacks may be excluded.
Why is this? What are the driving forces shaping how the cyber insurance industry grows? And what can you do to protect your organisation from unseen cyber events?
In the same way house and contents insurance covers the cost of recovering, restoring, or replacing your worldly possessions, cyber insurance protects your organisation should your cyber assets come to harm.
Like many other types of insurance in Australia, standalone cyber insurance policies are divided between first- and third-person claims.
First-person claims:
the loss of or damage to data
content-related claims related to data
incident investigation and remediation
cyber extortion reimbursement (ransoms)
liability for denial of service or of access to electronically provided data
public relations and client communications related to cyber security incidents
Third-person claims:
fines and penalties imposed by industry regulators
compensation to third parties for failure to protect their data
legal defence costs
The kinds of coverage and the limits they impose vary by insurer, but property losses relating to data damage or corruption are typically excluded.
In Australia, the available types of cyber insurance include:
Since 2010, we’ve witnessed the growth of digitisation enable more connections between individuals, businesses, and governments than ever before. Then, the digital evolution experienced by the Australian economy during and after the COVID-19 pandemic expanded and compounded this interconnected growth.
These connections have, in turn, profoundly impacted how organisations run daily operations – usually for the better. However, this interconnectedness has also been accompanied by significant (and growing) informational security risks for both organisations and their stakeholders – as they also present new avenues for bad actors to engage with these organisations.
Tim Stephinson from cyber insurance brokers SherpaTech said they are seeing increased sophistication from bad actors targeting individual companies.
These attacks aim exclusively at specific organisations and often feature multipronged attack vectors tailored to reach their targets.
This shift in the cyber risk spectrum has increased the frequency, complexity, and severity of cyber attacks. Cybercriminals aren’t just teen hackers plugging away in the depths of their parents’ basement – they’re organised criminal gangs and even nation-states that are explicitly targeting Australian businesses.
Historically low awareness – amongst the Australian business community, awareness of cyber insurance was historically quite low. Many organisations did not consider it necessary, while others believed the coverage provided by other business insurance policies to be adequate. In the past, this low level of awareness translated to low demand – and Australia was left with a low number of insurance providers that offered cyber insurance. However, times have changed, and insurers have adjusted their offerings based on recent experiences. This adjustment includes increased availability – with new players entering the market. For Australian businesses, cyber insurance take-up is only 25% (source: SherpaTech, Aug 2023).
Growing rate and cost of claims – the Australian Cyber Security Centre (ACSC) reported that it received over 76,000 cybercrime reports during the 2021–22 financial year – an increase of nearly 13 per cent. The average loss per report also increased by 14 per cent over the same period last year. Self-reported losses from these cybercrimes are estimated to be A$33 billion, with medium-sized businesses experiencing the highest average financial loss per cybercrime reported (A$33,442). This cost outweighs the A$19,306 for larger organisations and A$8,899 for small businesses.
Premium changes – As noted in a previous article on the 7% CPI curve, we saw how many industry costs are growing due to inflation and other factors. In the insurance world, these “other factors” include the rate and volume of claims. The fact is that the sophistication and maliciousness of many cyber-attacks have grown – and in response, many insurers are now increasing their premiums.
Changing legislative requirements – while insurance for accidents and incidents related to physical property is reasonably well covered by Australian legislation, the relative recency of cyber insurance means that the laws surrounding it have yet to catch up with industry changes. At the same time, software and hardware products in Australia are not presently required to meet any minimum cyber security requirements to protect against cyberattacks. At the time of writing, changes to the Privacy Act 1988 are before the Australian Parliament. These changes may affect how organisations handle the data they hold and may have implications for both cyber security and cyber insurance.
Ransom payments aren’t banned but aren’t welcomed – the Australian Government’s Ransomware Action Plan formally states that the government does not condone ransom payments – a position consistent with many governments worldwide – but does not ban the victims of ransomware attacks from making ransom payments. Currently, the government prefers to use other legal controls to reduce the incidence of ransomware attacks. Insurers may include terms in their policies that refuse to pay cyber insurance ransom payments if the actor involved is state-based or the incident is deemed an act of war.
Mandatory reporting – amendments made to the Security of Critical Infrastructure Act 2018 (SOCI Act) have made cyber incident reporting mandatory across eleven sectors – communications, finance services and markets, data storage and processing, defence, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. This reporting includes any ransomware amounts demanded during a cyber security incident.
Ransoms are not the highest cost – according to the Insurance Council of Australia (ICA), ransom payments by businesses that fall victim to cybercrimes do not make up the most significant part of cyber insurance claims. Instead, the ICA says its member organisations mainly receive claims for “forensic analysis” and “business interruption costs.”
We understand from members that any actual payment of ransom by the victim business comprises a small proportion of most claims. Instead, considerable funds are expended looking at what the hackers did when they were inside the compromised system.
One key element to be aware of when considering cyber insurance is that the insurer controls the processes related to forensic analysis. They pay for any forensic services required after a cyber attack, so they determine what services they will pay for. It’s also important to note that organisations that experience a cyber incident need to notify their insurer in line with their policies to access these services.
Together, these factors influence the cost, accessibility, and prevalence of cyber insurance in the following ways.
A young industry – in Australia, cyber insurance is only now becoming a standalone product in its own right, and the market does not widely understand the premiums, conditions, and exclusions involved. As such, cyber insurance is not highly sought after, with the ICA noting that only about 20% of SMEs have standalone cyber insurance. For larger organisations, that number starts at 35%.
Pressure on providers – as noted earlier, the frequency and impact of cybercrime are growing – and so are the claims made under cyber insurance. As there are few standalone cyber insurance providers in the Australian market, they are under pressure to provide packages that meet the needs of their clients while also delivering value to both the customer and the provider. And with each successful claim, the costs go up.
No centralised requirements – while several cybersecurity frameworks are popular within the infosec industry, Australia lacks the kind of mandatory security requirements for software and hardware that could reduce organisational vulnerability to a range of cyberattacks. There are also few widely accepted third-party certifications.
At the time of writing, cyber insurance is not mandatory for Australian businesses. The Australian government has yet to implement any specific legislation or regulations that require organisations to have cyber insurance coverage.
However, it’s important to note that the regulatory landscape can change quickly, and new laws or industry regulations may come into play over time. Given the growing frequency and impacts of cybercrime on Australian organisations, there may soon be a push to legislate changes in this area.
Do I need cyber insurance?
This kind of binary question tends to devolve into an answer that rhymes with “it depends on your business needs,” and this section is no different. However, whether your organisation actually requires cyber insurance is increasingly leaning towards the positive. Sure, it’s a complex question that requires careful consideration, and the answer depends on the cybersecurity measures and risk management strategies you already have in place. But there are several other factors you need to consider before you can answer conclusively.
Here are a few key questions to consider when determining the need for cyber insurance:
Ultimately, your decision to obtain cyber insurance should be based on a comprehensive assessment of your organisation’s circumstances, risk appetite, and financial capabilities.
As cyber threats continue to evolve and pose significant risks to Australian organisations, cyber insurance is starting to play a more prominent role in holistic cybersecurity strategies. As we’ve seen, awareness of standalone cyber insurance is low in Australia due to changes in costs, diverse coverage, and the absence of any legislative requirements.
That being said, the driving forces behind cyber insurance’s evolution and adoption are only set to accelerate. With a growing rate of claims, low legislative requirements, and the complex dynamics surrounding ransom payments, Australian organisations still face unique challenges in navigating the realm of cyber insurance.
However, by staying informed about the ever-changing landscape and working closely with insurance providers, IT managers can proactively manage cyber risks, protect their organisations’ valuable assets, and ensure financial resilience in the face of potential cyber incidents. When in doubt, it always pays to investigate the risks your IT environment faces with a thorough cybersecurity assessment.