Rate hikes and misconceptions limiting cyber insurance take-up by Australian businesses

Rate hikes, misconceptions about insurance risks, skills shortages and poor returns and risks for insurers are among the factors behind low take-up of cyber insurance in Australia, according to a new green paper released this week by Australia’s peak body for actuarial professionals.

The Actuaries Institute paper, ‘Cyber Risk and the Role of Insurance’, states that cyber insurance represents only $200 million, or about 0.4 percent of the $53 billion insurance market across all classes. 

Only 20 percent of small to medium enterprises have cyber insurance, compared with 35 percent to 70 percent for larger organisations.

Boards have limited understanding of the role of cyber insurance and are questioning the value of buying it, according to the paper.

In addition to identifying some of the reasons for their scepticism and the low take-up, the Institute also questioned whether the Australian market will have capacity if cyber insurance becomes more popular, because that would make cyber risk “the largest, or one of the largest, lines of business.”

But it also sees cyber-insurance growth potential, including by improving awareness of cyber insurance and its potential value.

A vibrant cyber insurance market could do more than provide financial recompense for companies that suffer breaches, according to the Institute. It sees cyber-insurance strengthening the first line of defence by “offering clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best-practice standards.”

Insurance should be one part of a risk management framework and infrastructure for cyber risk, stated the paper's lead author, Taylor Fry principal Win-Li Toh, though she noted that “good cyber hygiene and security – not insurance – are the first line of defence.”

Insurers already have a track record in setting best-practice standards, noted the Institute, referring to the Plimsoll line in marine insurance and smoke detectors and sprinkler systems in commercial property insurance.

“An insurance approach to assessing risk would focus organisations on the bare minimum needed to obtain protections – the first year may be hard for them, but processes will be easier to maintain once implemented and will be an important step towards the maturity of cyber security across the nation,” the paper states.

What’s holding businesses back from taking cyber insurance?

Businesses are increasingly turning to insurance for additional protections, the Actuaries Institute paper states. The front-of-mind risk for risk professionals is business interruption following a cyber event, according to the Airmic 2021 survey cited by the Institute.

But increasing underlying risk is making it harder to get cover as insurers look to limit their exposures and increase premiums, the paper states.

The Institute also identified a widespread assumption among SMEs that hackers were more likely to target larger organisations because they can afford bigger ransom payments. But in 2021, “75 percent of ransomware attacks were on companies with fewer than 1,000 people,” the paper notes. 

A disincentive for larger organisations to take out insurance is the belief that board directors will have to relinquish control to insurers during a cyberattack, the paper also notes. It disputes this, arguing that the insurer may provide access to additional vendors in the event of a claim, but key decisions such as payment of a ransom, communications to stakeholders, or disclosure of an incident to the ASX, remain in the board’s control. 

Another reason organisations are reluctant to take out cyber insurance, according to the paper, is the belief that being a client of cyber insurance makes an organisation a bigger target for ransomware gangs. The concern is that the attacker will first target the insurance company to find out which businesses are insured and able to pay the ransom, and then target the insured companies.

There are examples of large commercial insurance providers, such as Tokio Marine, CNA Financial Corporation and AXA, being hit by ransomware gangs, but the Actuaries Institute found no conclusive evidence that companies with cyber insurance are targeted more frequently.

Lack of security skills also has “far-reaching effects for insurance”, the paper states – “not only for insurers but also for organisations seeking cover. As insurers increase their underwriting controls and look to sharpen risk management standards, organisations are having to respond to achieve adequate cyber protection.”

Insurers challenged

Cyber insurance policies typically protect companies from six risks: data breaches, network security liability, communications and media liability, technology disruptions, cyber extortion, cyber fraud and theft.

“Historically, losses arising from cyber incidents have also been covered by standard insurance policies where these policies have not explicitly excluded cyber risks. This coverage is known as silent cyber or non-affirmative cyber,” the paper stated. More insurance providers are explicitly writing out cyber risks to get rid of silent cyber. 

But there have been significant reductions over the past year in capacity offered, and increases in premiums, according to the paper. “Reductions in policy limits from $50 million to $10 million are reasonably commonplace,” it states.

“Recent poor returns and significant downside risk have deterred new entrants to the cyber insurance market and led current insurers covering cyber liabilities to reduce their capacity.”

And no wonder, considering the frequency and costs of attacks on Australian organisations. The number of reports to the Australian Cyber Security Centre increased by 13 percent between the 2020 and 2021 financial years. In 2021 in Victoria, 436 victims of business email compromise paid $31.9 million.

The Actuaries Institute noted the challenges for insurers created by the unpredictable and dynamic nature of cyber security and its entanglement with other problems, including war. It reported that Lloyd’s recently directed underwriters to exclude liability for losses arising from state-backed cyber attacks.

Calculating how much and how fast breaches and attacks will grow is difficult for insurers both because of patchy actuarial data about cyber risks in Australia and because of what Toh called “accumulation risk.” 

A computer virus can spread quickly around the world and result in many companies making a claim under their cyber insurance policy.

“This is the accumulation risk challenge for an insurer,” Toh stated. “The potential for a single event to trigger losses across business lines and global borders.”

There have been recent steps to accelerate the collection of actuarial data that would make insurers more confident in entering the cyber market.

In March 2021, following consultation with the insurance industry, the Australian Prudential Regulation Authority expanded its data collection to include cyber insurance and management liability as a separate class of business in the National Claims and Policies Database.

Insurers are also yet to have the backing of reinsurers. For example, last year the Australian Reinsurance Pool Corporation considered an extension covering physical property damage arising from cyber terrorism, “but this was rejected on grounds that cyber insurance is an evolving market.”

The Australian Reinsurance Pool Corporation chief executive officer Christopher Wallace has said that “the development of a sustainable private cyber re/insurance market to cover the full scope of cyber risks will ultimately be contingent on the development of some form of public-private partnership or government backstop.”

That can’t come soon enough for the business leaders, risk managers and IT partners watching the fallout from the recent Optus data breach.

Copyright © nextmedia Pty Ltd. All rights reserved.