July 2022 Market Update – Cyber Liability

In a hard insurance market, insurers look to deploy capital to less exposed classes. Cyber is considered a ‘high risk’ class due to increased claims activity. The explosion of ransomware attacks in the past 18 months has meant steeper and more frequent losses for insurers and has shunned appetite for this still emerging class.

There have been notable developments as regards cyber security risk with in the past 6 months:

Globally, the threat of an increasing frequency of cyber attacks as Russia responds to global sanctions. See our article on this topic here.

The outcome of ASIC’s test case. in the Federal Court against a financial services licensee as regards its failure to maintain adequate cyber and IT security risk measures.

Broadening the net of those now required to comply with the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

In March 2022 the Insurance Council of Australia (ICA) released a paper on cyber insurance calling for minimum security requirements and third-party certifications for software and hardware to be made mandatory to reduce vulnerability to cyber attacks.

The ICA also called for the Government to develop and issue an Australia cyber security standard. It observed that the combination of a small premium pool and increasing sophistication and maliciousness of some cyber attacks has put even more pressure on insurers and businesses alike.

Claims management costs for forensic investigation, first and third party losses, legal and regulatory fines have been banded per figures below:

Typical SME claims costs $30 to 40K

Typical Mid Tier claims costs $500K to $1M

Typical listed or large client claims cost $5M and upwards.

The number of claims for ransomware, comprise close to 30 per cent of losses, over the last 18 months. Insurers have sought to review their cyber appetite, policy wording and reduce capacity. Insurers have begun to sublimit cover for ransomware for medium to large enterprise.

Insurers are continuing to place more onerous conditions on proposers (such as obligations for firewalls, regular penetration/vulnerability testing and implementing multi-factor authentication for external access to networks). It is imperative that proposers have at least a requisite level of cyber maturity or preparedness, absent this, appropriate cover is out of reach.

Branded the new “D&O” given the uplifts in premium, tightening of cover and reduced appetite for the class, we are seeing premiums increase by up to 300 per cent. On average the uplifts are between 50 and 75 per cent across our book: excess structures are increasing in some instance four fold.