July 2023 Market Update – Cyber Liability
Cyber insurance premiums are increasing and will continue to increase as cyber-attacks continue to rise. We observe that cyber awareness has increased across enterprises. There continues to be a strengthening of cyber security, privacy laws and regulations globally.
In 2023 and in the short term, insurers globally are expected to continue to narrow coverage and tweak underwriting standards to ensure the sustainability of the cyber insurance market. This approach is likely to remain present whilst insurers work on either increasing capacity or developing more innovative approaches towards underwriting cyber risks.
There is significant recent commentary on data breaches, especially within the financial and healthcare sectors. In this regard, media focus is supported by statistics – according to the latest ACSC Annual Cyber Threat Report, in Australia, a new cyber-crime is reported every seven minutes. During the last financial year, almost 700,000 businesses experienced a cyber-crime attack, and 60 per cent of targeted attacks struck small and medium size businesses.
Small businesses have rapidly digitalised in the past few years which has brought new opportunities but consequently increased vulnerability to cyber-attacks which can cause significant financial and reputational damage. These businesses are less likely to have developed ‘cyber maturity’ and lack sufficient in-house or third-party support across prevention, detection and response, usually due to a lack of resources and awareness.
High profile data breaches
Increased media focus drawing attention to the increasing number of high-profile data breaches and the magnitude of their impact has shifted the conversation among business directors from “if” a breach should occur, to “when” a breach occurs. Latitude, the Australian personal loan and financial service provider was one of Australia’s largest data breaches in recent history that impacted over 14 million people from Australia and New Zealand in March 2023. This follows the recent large-scale attack of Medibank in October 2022 where data of approximately 9.7M of its current and former customers was compromised, and more recently in June 2023 when one of Medibank’s property managers that uses file transfer software MOVEit was compromised. See our article on recent high profile cyber breaches here.
Targeted Government funding
The Federal Government has continued to direct funding and resources to data and cyber security. In the 2023-24 Federal Budget, the Government has responded with increased funding for this area to strengthen resilience against threat.
The Government is investing more than $2B in 2023-24 in digital and ICT “to deliver easy, accessible, and secure services for people and businesses”. Funding is targeted at small and large enterprise and government bodies. The budget will provide the following investments in cyber and digital:
- Commonwealth cyber security: $46.5M will be provided over four years to establish the Coordinator for Cyber Security 'to ensure that the Commonwealth's cyber security efforts are strategic, coordinated, timely and effective'.
- SOCI compliance: $19.5M in 2023-24 to support responsible entities owning critical infrastructure assets to respond to significant cyber-attacks. Recent attacks aimed at large enterprise have garnered much media attention (see our comments further below).
- SME cyber resilience: $23.4M will be provided over the next three years 'to support small business to build resilience to cyber threats'. In particular, the small business Cyber Wardens program (delivered by the Council of Small Business Organisations Australia) is expected to become Australia's first cyber safety workplace certification or micro-credential for the small business sector. Up to 50,000 cyber wardens will be trained over the next three years.
- Anti-scam and data breaches: $86.5M to establish a National Anti-Scam Centre, boosting ASIC's work in reducing scam incidents and establishing Australia's first SMS Sender ID Registry to prevent scammers imitating trusted brand names.
- Digitalisation and expanding DigitalID: $26.9M will be provided in 2023-24 to expand Digital ID to help 'increase efficiency and consumer protection, reduce fraud, and make it easier for people to access services online'.
The Australian government’s increased focus on cyber security in the 2023-24 budget highlights the growing threat landscape and is a reminder for businesses to prioritise their cybersecurity strategies.
Caution by Insurers
As a precondition to writing or renewing cover and determining a premium, insurers want to know how existing technology and internal standards are leveraged in pursuit of an effective risk management framework.
Overall, insurers are more critical when considering whether to accept a risk. This requires a proactive and organised approach from organisations. Underwriters are moving from a traditionally narrow focus on risk factors such as revenue, number of employees, record count, and industry class, to a wider scope, encompassing loss modelling tools and continual system scanning.
- Multifactor authentication (MFA) for remote access to networks and cloud
- Regular risk assessments
- An Endpoint Detection and Response (EDR) solution deployed across all endpoints
- Regular monitoring and updating of security systems
- A well-defined incident response plan
- Patching and cyber awareness training/simulated phishing attacks for employees.
Insurers are also increasingly looking at an organisation’s third-party arrangements. This requires visibility around supply chain and evidence that the organisation has considered the known risks of its supply chain, are actively managing these risks and have consistent monitoring in place. Insurers are looking closely at managing known risks through supply contracts with limits of liability, assurances regarding cyber security posture and right of audit. Quantifying systemic cyber risks like supply chain attacks will continue to be a focus for the insurance industry in 2023 and beyond.
Many Bellrock clients’ have benefitted from external cyber risk assessment that has been undertaken by our expert panel. Where clients have worked with our experts (see our cyber risk assessment guide here), they have had the benefit of far more favourable terms (as a result of the cyber assessment, subsequent mitigation plans leading to breach preparedness and overall “cyber maturity”) on the basis that more insurers were prepared to quote their cyber risk.
Continue reading our full range of market updates here:
For more in depth market updates by product class, profession and industry, please see our individual reports below: