January 2023 Market Update – Cyber Liability
Cyber insurance solidified its position as a high-risk class throughout 2022, due to an increasing number of cyber-attacks, ransomware in particular. New business premiums have thus risen by roughly 70-80 per cent over the past 12 months, with insurers re-evaluating their appetite and capacity for coverage in light of worsening loss ratios.
Larger companies are more at risk from ransomware attacks since hackers recognise the potential for much more lucrative theft. This has disproportionately affected the cost of premiums for these larger businesses relative to small to medium enterprises. Business email compromise (BEC) has also emerged as an increasingly popular method used by hackers to obtain confidential business information and steal money, in some cases also leading to larger ransomware attacks.
The Australian Cyber Security Centre estimates that the average national loss per incident resulting from BEC is roughly $64,000. State-sponsored cyber crime is another area which has become a much larger threat in the wake of the Russia-Ukraine war, as Russian hacking organisations and agencies seek to manipulate the networks of private businesses for the purposes of theft, or to use them as vectors to conduct espionage against specific targets. The Australian Federal Police (AFP) claimed in early November that Russian cybercriminals are responsible for the Medibank data breach, where customers’ health data was stolen and is gradually being released online in stages as hackers attempt to scare Medibank into eventually agreeing to pay the $15 million ransom. This more recent high-profile cyber ransom comes after the September Optus breach, which resulted in disclosure of millions of pieces of personal data and consequently prompted 10 per cent of customers to seek other telco providers. See our article here for further details.
We also observe that Lloyds itself has now implemented multi-factor authentication (MFA) for accessing accounts and applications as part of an ongoing effort to improve the overall security of data and applications, with the aim of improving customer experience.
Insurers are continuing to insist that insureds implement and review cyber security measures and updates on an ongoing basis to ensure renewal terms are provided for the subsequent period. Some insurers offer free phishing and risk penetration testing as part of their service, as they look to improve their service offerings while also improving the cyber risk of their insureds.
Conditions placed on proposers by insurers are becoming more onerous. It is imperative that proposers have at least a requisite level of cyber maturity or preparedness; absent this, appropriate cover is out of reach.
- Regular penetration/vulnerability testing
- Implementing multi-factor authentication (MFA) for external access to networks
- Arrangements with third parties holding data and information
- The number of personal identifiable information records held and accessibility to them
- For larger enterprises: business continuity plans and disaster recovery plans in the event of a cyber incident, plus steps to ensure compliance with legislation and regulatory requirements regarding notification, such as the SOCI Act.
Where these measures are in place and insureds show good cyber hygiene, multiple markets are keen to quote the risk.
Stabilisation of premium is unlikely in the short term and extrinsic events continue to hamper the market. Continued instability and uncertainty is likely to see the current narrow appetite carry through to 2023, with premium and excess uplifts predicted.
Many Bellrock clients have benefitted from external cyber risk assessments undertaken by our expert panel. Where clients have worked with our experts (see our cyber risk assessment guide here), they have had the benefit of far more favourable terms (as a result of the cyber assessment and subsequent mitigation plans leading to breach preparedness and overall “cyber maturity”), on the basis that more insurers were prepared to quote their cyber risk. Absent such an assessment, there remains little appetite for cyber risk.