The State of Cyber Insurance in Australia: why is it so hard to find?

Cyber insurance is becoming an essential element to many organisational responses to increased cyber risk – but why are coverage rates in Australia so low?

Cyber insurance has been around in various forms since the 2010s when it was relegated to SMBs looking to meet tender requirements or smaller banks mitigating the risks associated with entering the online banking world. The types of cover provided were inconsistent and depended on the provider.

However, in the modern world, there is increasing demand for cyber insurance, and it’s no longer considered a niche product that providers tailor to cover bespoke circumstances. Significant infosec breaches have made the public aware of the ongoing impacts of cyber events – and Australian consumers are now more wary than ever of having their sensitive information exposed.

Together, these factors make the demand for cyber insurance broader and the need for protection more vigorous. Today, Australia has a substantial cyber insurance market, with many providers offering solutions that specifically cover cyber events.

Most of these insurance products are “wholesale” by classification and need to be supplied by a licensed insurance broker. However, most general insurance brokers are not familiar with the technologies involved with cybersecurity. As businesses must ensure they have cover that matches their needs, they will only get insurance supplied by specialist brokers – leading to a perceived shortage of specialist cyber insurance.

It used to be said that cyber insurance was the insurance you couldn’t sell – now it’s the insurance that’s hard to buy.

High recent loss ratios from the market – with some underwriters paying out $1.20 for every $1 received.
Providers reducing the coverage – for example, ransomware attacks may be excluded.
Why is this? What are the driving forces shaping how the cyber insurance industry grows? And what can you do to protect your organisation from unseen cyber events?

What is cyber insurance?

In the same way house and contents insurance covers the cost of recovering, restoring, or replacing your worldly possessions, cyber insurance protects your organisation should your cyber assets come to harm.

Like many other types of insurance in Australia, standalone cyber insurance policies are divided between first- and third-person claims.

First-person claims:

the loss of or damage to data
content-related claims related to data
incident investigation and remediation
cyber extortion reimbursement (ransoms)
liability for denial of service from or access to electronically provided data
public relations and client communications related to cyber security incidents

Third-person claims:

fines and penalties imposed by industry regulators
compensation to third parties for failure to protect their data
legal defence costs

The kinds of coverage and the limits they impose vary by insurer, but property losses relating to data damage or corruption are typically excluded

What kind of cyber insurance is available in Australia?

In Australia, the available types of cyber insurance include:

1. Cyber event response costs, covering IT forensics, virus extraction, customer notification costs, and public relations costs.
2. Losses to your business, encompassing loss of profits, business impact costs, increased costs of working, and preventative shutdown expenses.
3. Contingent business interruptions, protecting against supplier outages and system failures.
4. Tangible property loss to others, including third-party litigation, regulatory investigations for notifiable data breaches, fines and penalties, Payment Card Industry liability, defense costs, and multimedia.
5. Criminal financial loss, addressing cyber theft, socially engineered theft, telephone phreaking, crypto-jacking, identity theft, and social engineering incidents.
6. Incident response solutions through joint ventures or consortiums, offering access to a breach coach, 24/7/365 hotline, IT investigators, forensic accountants, privacy lawyers, public relations consultants, crisis management consultants, and customer communications support.

What’s happening in the insurance world?

Since 2010, we’ve witnessed the growth of digitisation enable more connections between individuals, businesses, and governments than ever before. Then, the digital evolution experienced by the Australian economy during and after the COVID-19 pandemic expanded and compounded this interconnected growth.

These connections have, in turn, profoundly impacted how organisations run daily operations – usually for the better. However, this interconnectedness has also been accompanied by significant (and growing) informational security risks for both organisations and their stakeholders – as they also present new avenues for bad actors to engage with these organisations.

Tim Stephinson from cyber insurance brokers SherpaTech said they are seeing increased sophistication from bad actors targeting individual companies.

These attacks aim exclusively at specific organisations and often feature multipronged attack vectors tailored to reach their targets.

This shift in the cyber risk spectrum has increased the frequency, complexity, and severity of cyber attacks. Cybercriminals aren’t just teen hackers plugging away in the depths of their parents’ basement – they’re organised criminal gangs and even nation-states that are explicitly targeting Australian businesses.

Got cyber insurance?

Our friends at SherpaTech offer a professional insurance health check that compares your business activities and risks to your insurance coverage to ensure you’re protected where it counts.

Learn more about cyber insurance with Sherpatech.

Key factors affecting cyber insurance

Historically low awareness – amongst the Australian business community, awareness of cyber insurance was historically quite low. Many organisations did not consider it necessary, while others believed the coverage provided by other business insurance policies to be adequate. In the past, this low level of awareness translated to low demand – and Australia was left with a low number of insurance providers that offered cyber insurance. However, times have changed, and insurers have adjusted their offerings based on recent experiences. This adjustment includes increased availability – with new players entering the market. For Australian businesses, the cyber insurance takeup is only 25% (source SherpaTech Aug 2023).

Growing rate and cost of claims – the Australian Cyber Security Centre (ACSC) reported that it received over 76,000 cybercrime reports during the 2021–22 financial year – an increase of nearly 13 per cent. The average loss per report also increased by 14 per cent over the same period last year. Self-reported losses from these cybercrimes are estimated to be A$33 billion, with medium-sized businesses experiencing the highest average financial loss per cybercrime reported (A$33,442). This cost outweighs the $19,306 for larger organisations and A$8,899 for small businesses.

Premium changes – As noted in a previous article on the 7% CPI curve, we saw how many industry costs are growing due to inflation and other factors. In the insurance world, these “other factors” include the rate and volume of claims. The fact is that the sophistication and maliciousness of many cyber-attacks have grown – and in response, many insurers are now increasing their premiums.

Changing legislative requirements – while insurance for accidents and incidents related to physical property are reasonably well covered by Australian legislation, the relative recency of cyber insurance means that the laws surrounding them have yet to catch up to industry changes. At the same time, software and hardware products in Australia are not presently required to meet any minimum cyber security requirements to protect against cyberattacks. At the time of writing, changes to the Privacy Act 1988 are currently before the Australian Parliament. These changes may impact how organisations interact with the data they hold and may have implications for both cyber security and cyber insurance.

Ransom payments aren’t banned but aren’t welcomed – the Australian Government’s Ransomware Action Plan formally states that the government does not condone ransom payments – a position consistent with many governments worldwide – but does not ban the victims of ransomware attacks from making ransom payments. Currently, the government prefers to use other legal controls to reduce the incidence of ransomware attacks. Insurers may include terms in their policies that refuse to pay cyber insurance ransom payments if the actor involved is state-based or the incident is deemed an act of war.

Mandatory reporting – amendments made to the Security of Critical Infrastructure Act 2018 (SOCI Act) have made cyber incident reporting mandatory across eleven sectors – communications, finance services and markets, data storage and processing, defence, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. This reporting includes any ransomware amounts demanded during a cyber security incident.

Ransoms are not the highest cost – according to the Insurance Council of Australia (ICA), ransom payments by businesses that fall victim to cybercrimes do not make up the most significant part of cyber insurance claims. Instead, the IAC says their member organisation mainly receives claims for “forensic analysis” and “business interruption costs.”

We understand from members that any actual payment of ransom by the victim business comprises a small proportion of most claims. Instead, considerable funds are expended looking at what the hackers did when they were inside the compromised system.

One key element to be aware of when considering cyber insurance is that the insurer controls the processes related to forensic analysis. They pay for any forensic services required after a cyber attack, so they determine what services they will pay for. It’s also important to note that organisations that experience a cyber incident need to notify their insurer in line with their policies to access these services.

How are these factors shaping cyber insurance?

Together, these factors influence the cost, accessibility, and prevalence of cyber insurance in the following ways.

A young industry – in Australia, cyber insurance is only now becoming a standalone product in its own right, and the market does not widely understand the premiums, conditions, and exclusions involved. As such, cyber insurance is not highly sought after, with the IAC noting that only about 20% of SMEs have standalone cyber insurance. With larger organisations, that number starts at 35%.

Pressure on providers – as noted earlier, the frequency and impact of cybercrime is growing – and so are the claims made under cyber insurance. As there are few standalone cyber insurance providers in the Australian market, they are under pressure to provide packages that meet the needs of their clients while also delivering value to both the customer and the provider. And with each successful claim, the costs go up.

No centralised requirements – while some different cybersecurity frameworks enjoy popularity amongst the infosec industry, Australia lacks the kind of mandatory security requirements for software and hardware that could reduce organisational vulnerability to a range of cyberattacks. There is also little in the way of third-party certifications that are widely accepted.

Is cyber insurance mandatory for Australian businesses in 2023?

At the time of writing, cyber insurance is not mandatory for Australian businesses. The Australian government has yet to implement any specific legislation or regulations that require organisations to have cyber insurance coverage.

However, it’s important to note that the regulatory landscape can change quickly, and new laws or industry regulations may come into play over time. Given the growing frequency and impacts of cybercrime on Australian organisations, there may soon be a push to legislate changes in this area.

Do I need cyber insurance?

This kind of binary question tends to devolve into an answer that rhymes with “it depends on your business needs,” and this section is no different. However, whether your organisation actually requires cyber insurance is increasingly leaning towards the positive. Sure, it’s a complex question that requires careful consideration, and the answer depends on the cybersecurity measures and risk management strategies you already have in place. But there are several other factors you need to consider before you can answer conclusively.

Here are a few key questions to consider when determining the need for cyber insurance:

1. Do you handle PII? Personally identifiable information (PII) is an attractive target for cybercriminals, as it allows them to broaden their target range further or sell the information to other cybercriminals for use in identity theft and other criminal activities. The Office for the Australian Information Commissioner (OAIC) states that organisations that handle any volume of PII need to take steps to protect this information, and that can include cyber insurance.
2. Do you manage business-sensitive data? This data differs from PII because the information is relevant to organisations rather than individuals. Examples include bank statements, financial records, legal records, and other commercial information that is sensitive in nature. Organisations handling information of this nature are also bound by law to protect the data entrusted to them – and cyber insurance plays a role in that.
3. Do you process or store client info? The critical difference is that the handling of PII and business-sensitive data is accommodated by law, whereas client data is less regulated. That being said, a breach involving client data can do just as much reputational damage as any other breach, so cyber insurance is a good idea.
4. Is your annual turnover more than AUD2 million? The turnover of an organisation can make it a target for cybercriminal activity. If your organisation handles yearly turnover above $2 million, cyber insurance makes sense.
5. Is your house in order? How much work has gone into shoring up your organisation’s cybersecurity posture, and how does that translate to your overall vulnerability? At a minimum, you want to be able to demonstrate basic steps taken to mitigate the threats posed by cybercriminals, such as regular user training and implementing MFA. If you don’t have the minimum safety standards in place – or you don’t adhere to popular cyber security frameworks like the Essential Eight or NIST – then it will be difficult for you to obtain insurance.
6. Do your stakeholders need reassurance? As awareness of the impact of cybercrime increases, more and more businesses and clients are hesitant to work with other entities that do not take the risks seriously. Review your contracts with clients, partners, and vendors to identify any cyber insurance requirements or obligations they may have in place and keep tabs on consumer sentiment to make sure your cybersecurity actions are received positively – with insurance playing a part where it makes sense to do so.

Ultimately, your decision to obtain cyber insurance should be based on a comprehensive assessment of your organisation’s circumstances, risk appetite, and financial capabilities.

Conclusion

As cyber threats continue to evolve and pose significant risks to Australian organisations, cyber insurance is starting to play a more prominent role in holistic cybersecurity strategies. As we’ve seen, awareness of standalone cyber insurance is low in Australia due to changes in costs, diverse coverage, and the absence of any legislative requirements.

That being said, the driving forces behind cyber insurance’s evolution and adoption are only set to accelerate. With a growing rate of claims, low legislative requirements, and the complex dynamics surrounding ransom payments, Australian organisations still face unique challenges in navigating the realm of cyber insurance.

However, by staying informed about the ever-changing landscape and working closely with insurance providers, IT managers can proactively manage cyber risks, protect their organisations’ valuable assets, and ensure financial resilience in the face of potential cyber incidents. When in doubt, it always pays to investigate the risks your IT environment faces with a thorough cybersecurity assessment.