In 2017 there were 4 billion individual data breaches globally¹, estimated to cost ~US$439 million.
Since then, the frequency and severity cyber risk has only increased. Ransomware attacks are increasingly sophisticated and more invasive, with sensitive data targeted and operating systems disabled.
Consequently, the cost to investigate, repair and recover has increased too.
What is cyber insurance?
While all products are different, the range of assistance provided under a cyber policy includes coverage for:
- forensic investigation
- data restoration
- customer notification and rectification eg call centres, and
- indemnification of penalties imposed by government regulators.
Where the data breach is due to the malicious acts of a foreign government actor or criminal gang coverage may include costs related to:
- the services of a negotiator
- legal advice to determine if any ransom payment is legal or reportable, and
- indemnification of the ransom the business decides to pay.
Challenges associated with cyber risk
Significant underinsurance for cyber risk. Estimates from 2017 indicate that less than 30% of data breeches were covered by insurance. This high level of underinsurance left impacted business, and ultimately their customers and owners, to bear the cost.
The unique challenges cyber risk poses to designing and providing affordable cyber insurance policies. All businesses use different programs and systems in different ways at different times, exposing them to different risks which makes it difficult to price premiums.
Opportunities associated with cyber risk
Helping businesses improve their cyber security health – when writing a cyber insurance policy, insurers need to access their client’s data, IT processes and potentially test their cyber defences to analyse and price the risk. In doing so, this provides an opportunity to identify weaknesses in the businesses’ data protection and cyber security practices, providing learnings to improve their cyber security health.
Developing improved data sets and improved risk modelling – cyber insurance products first developed in the United States of America (US) in the late 1990s and the US still accounts for about 90% of the global cyber insurance market². Consequently much of the readily available data relates to the US market, rather than Australia’s.
What action is the industry taking?
Cyber risk is rapidly evolving, and the Insurance Council is working with members and government agencies to provide relevant information where it can.
Since September 2021, insurers have started reporting details of separate cyber policies written to APRA to assist in the development of relevant policies.
In 2022 we intend to release a position paper of Cyber risk with additional insights.
Tips for businesses
For all businesses, particularly SMEs, the Insurance Council endorses the Australian Cyber Security Centre’s Essential Eight Maturity Model as a good first step towards improved cyber security health.