Vehicle owners have car insurance, home owners have home insurance but should organisations get cybersecurity insurance?
With the number of cyber attacks growing, some businesses are considering cyber insurance to help mitigate some of the risks of being a 21st-century organisation.
According to the Insurance Council of Australia (ICA), cybersecurity insurance can cover forensic investigation, data restoration, customer notification and rectification (call centres, and indemnification of penalties imposed by government regulators).
One of the major challenges for cyber insurance is that there is significant underinsurance for cyber risk. The ICA reported that currently in Australia only about 20 percent of SMEs and 35 to 70 percent of larger businesses have standalone cyber insurance.
The market itself is on an upwards trajectory with the current cybersecurity market valued at US$9 billion and tipped to hit US$22 billion in three years.
With all this in mind, is it worth it for organisations to get cyber insurance?
Christophe Doche, academic dean at the Australian Institute for Business Intelligence said cybersecurity insurance isn’t like other insurance such as car or health.
“If you get in a crash, you know you will be covered. If you get breached you may not be covered because it’s impossible to cover. Changing the expectation in people and changing the understanding of what cyber insurance can do and cannot do,” he said.
“At the same time, cyber insurance companies, they have a bit of work to do as well in terms of not offering things that they cannot deliver, be a lot more realistic.”
Getting better at the basics
Looking at the last 12 months of high-profile breaches in Australia, Luke Barker, director and general manager of BT Security APJ MEA, said there is still a need to get better at the cybersecurity basics.
“The government, minister Clare O’Neil and her office are trying to do the right thing in terms of imposing requirements and compliance regulations for all businesses from a cybersecurity perspective to make Australia a more mature cyber market,” he said.
But that comes at a cost, Barker warns.
“The catch-22 that we are faced with at the moment is unattainable, and cyber insurance at the moment is a premium for most organisations, because of the pure cost nature and the complexity of obtaining cyber insurance cover that is meaningful,” he said.
At the moment, if you want large cover, you pay a significant premium, Barker explained. He recently discussed a client who had to step back from a cyber insurance policy.
“They’re stepping back from cyber insurance because for an adequate cover, they’ve tried to produce scenarios and they’ve had third-party consultants come in and do a number of exercises to get an adequate cover,” he said.
“Cyber insurance was going to be 30 percent of their overall cyber security budget.” In terms of magnitude, he said, that figure is ridiculous.
“How can I ask for a 30 percent increase to my cyber budget so I can take out insurance? It still doesn’t give us the full coverage that we would need in the event of a breach. That’s where we are at the moment.”
The market may be emerging, but Barker at BT Security said there are significant opportunities for cybersecurity insurance in Australia.
He said organisations are faced with three scenarios when they’re assessing business risk and then cyber risk.
“You either mitigate the risk, you can either transfer the risk, which is transferring it to insurance, or you accept the risk. Those three decisions are made by executives on boards around their cyber, and that is where cyber insurance is starting to play a part, right around that transfer of risk,” Barker explained.
The ICA noted two major opportunities cyber insurance brings for organisations: firstly, it helps them improve their cyber security health, and secondly, it helps businesses develop improved data sets and improved risk modelling.
Annette King, president of the Actuaries Institute, said a vibrant cyber insurance market will do more than provide financial recompense for risks that break through the first line of defence.
She said, “It can also strengthen that first line, by offering clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best-practice standards.”
Cyber insurance won’t protect you from attacks
Cybercrime in Australia costs the country $42 billion a year, so how can cyber insurance protect organisations from bad actors?
Firstly, it doesn’t protect organisations from the risk of cyber attacks. Paul Furtado, VP analyst at Gartner, said it is a 100 percent reactive product.
“I would argue that it does absolutely nothing to make you more secure. Yes, there are some requirements to qualify, but just qualifying doesn’t mean that you are a secure, mature organisation,” he said.
“It’s really about how those are implemented, how they’re governed, and what sort of controls you put around them, that’s the critical part.”
Win-Li Toh, principal of analytics and actuarial consultancy Taylor Fry, said insurance isn’t the be-all and end-all for cybersecurity protection.
She said, “Importantly, good cyber hygiene and security – not insurance – are the first line of defence for an organisation.”
Toh said that for cyber insurance to influence best practices in a major way, there are several gaps that need to be addressed by the government, businesses and insurers.
“Adding to these challenges are escalating cyber losses that have reduced insurer appetite for this class, a significant shortage of capacity to provide the levels of protection needed across the market, and premium hikes in the double/triple digits over the past two years.”
Alexandra Hordern, general manager of regulatory and policy at the ICA, said cyber insurance may not be applicable to every business in Australia.
“There will always be different levels of risk in different types of businesses, different types of organisations, and it may be that some businesses make the call which is valid for them to make that cyber insurance is not a priority for them. That’s ultimately fine,” she said.
The ICA recently made a submission to the federal government’s cyber strategy about the need to uplift understanding of cyber risks and how to mitigate them.
“There is work that can be done across government and also internationally recognising that this is an international market,” Hordern said.
“Often cyber risks come from outside the country. There is work that can be done to uplift cyber across the board, and that may assist in many instances. But the businesses that are involved need to do that work to uplift their cyber capabilities.”
Will it be mandatory?
Currently, cybersecurity insurance isn’t mandatory but some leaders think the government needs to step in and make it mandatory for all organisations, similar to compulsory third-party insurance for cars.
Hordern at the ICA said there is a need to uplift security and capability across the economy before cyber insurance could become compulsory for all organisations.
“There would need to be a lot of work done in that space to ensure that businesses had the tools and the skills that they needed to manage their risks appropriately,” she said.
Doche at the Australian Institute for Business Intelligence said there needs to be a big push from the federal government to make this type of insurance compulsory.
“That will make such a big difference because then you have an understanding that every company needs to be insured. You have an influx of money from insurance companies,” he said.
“This money could be used to tackle the [cybersecurity] problem very seriously, build models, invest in people, in talents, and then you have a product that you can sell worldwide.”
Doche added, “It’s a win-win scenario. We need a bit of courage from the government to realise that this is affecting the public and the government is in charge of protecting the public.”
A silver lining
While the major attacks on Optus, Latitude Finance and Medibank have struck fear in all businesses in Australia, Furtado at Gartner said they have created a silver lining in terms of raising awareness of cyber insurance.
“The ‘good news’ about all the cybersecurity incidents that have happened, is it has brought [cyber insurance] to the forefront,” he explained.
Furtado said he is seeing more interest from the C-suite and boards of directors in cyber insurance.
“They want to understand how their organisations are protected, how well are they protected. In light of what’s going on right now with economic headwinds for a lot of organisations we’re seeing budgets being cut in all parts of the business,” he explained.
“One area where they’re staying flat or still increasing is cybersecurity because the business realises that they may have historically underinvested, so now they’re playing catch up, or they don’t want to reduce it there because it introduces additional business risk.”
Hordern said cybersecurity insurance is an interesting and emerging space in Australia.
“It’s still developing in the country, so it’ll be interesting to see how it develops. The cyber insurance space is constantly changing, so the risks aren’t stable and they’re not overly predictable because you never know when something new is going to pop up. It’s a fascinating area of work,” she concluded.