Key trends in the cyber insurance market and how your business should respond
6 min read
This is the first instalment of our Cyber Insurance Handbook Series.
The proliferation of cyber extortion and ransomware, together with the threat of state-sponsored, state-sanctioned and spill-over cyberattacks, has intensified an already heightened global cyber threat environment. Increased regulatory scrutiny and enforcement action, including in Australia, is also contributing to the steadily rising cost of cyber risk management and cyber incident response.
These developments have put additional pressure on insurers in an already hardening cyber insurance market, with insurers continuing to narrow the scope of available cover.1
How much does a cyber incident cost?
IBM’s recently released annual ‘Cost of a Data Breach’ report conducted by the Ponemon Institute found that the global average cost of a data breach in 2022 totalled US$4.35 million (in the US, it is even higher at US$9.44 million). For a ransomware attack, the global average cost is US $4.54 million, excluding the cost of any ransom.2
Cyber incidents cost many organisations orders of magnitude more than that. For example, T-Mobile will pay US$350 million to settle class action claims arising from a cyberattack, and has committed to an incremental spend of US$150 million for data security and related technology in the next two years.3
In Australia, self-reported losses from cybercrime totalled more than $33 billion in the 2020-21 financial year.4 Measurable costs are often only the ‘tip of the iceberg’ of total losses and reputational damage, which can persist long after the initial compromise.
The rising costs of cyber incidents mean it is becoming more common for companies in Australia to consider cyber insurance as an important (but not exclusive) aspect of their risk management ‘toolkit’.
Take-up rates are increasing, with Marsh reporting a 23% increase in organisations purchasing cyber insurance last year. However, overall rates are still low compared to more traditional forms of commercial property and liability insurance.5 This gap is most acute for small to medium-sized enterprises, which are less likely to take out insurance or may only be able to procure a relatively low level of coverage. Currently in Australia, only about 20% of SMEs and 35–70% of larger businesses have standalone cyber insurance.6
How is the insurance market responding to heightened cyber risk?
The market for coverage against cyberattack losses is now a significant class in its own right.7
However, as Lloyd’s of London has recently observed—in a word of caution to the market—cyber risks have the potential to expose insurers to systemic risks that they (and their reinsurers) may struggle to meet. This distinguishes cyber cover from the usual categories of insurance where, putting the COVID-19 pandemic to one side, losses can generally be relied upon to occur in one location at a time. By contrast, the potential losses associated with the possibility of a global cyber incident have the potential to greatly exceed what the insurance market is able to absorb.
The cyber insurance market continues to ‘harden’ in response to these risks. Specifically, insurers are taking the following steps to mitigate this exposure:
- Increasingly limiting, clarifying or excluding certain losses from cover – Having previously tightened cover on ransomware incidents, insurers are now focusing on war exclusions.
- Being prepared to walk away – Insurers are prepared to see their policy book decline (even at the expense of market share) if it means safeguarding their position, and are broadly agnostic to policyholders failing to renew in light of increasing premiums and restrictions.
- Raising premiums – Brokers continue to report an ongoing trend of steep, year-on-year price increases. Marsh reports that the cost of taking out cyber cover has doubled on average each year for the past three years.8
- Heightening risk management expectations – As a precondition to writing or renewing cover, or as a key determinant in setting companies’ policy premiums, insurers are increasingly requiring evidence of cyber hygiene and risk management culture. This includes:
- examining, in detail, information about organisations’ cyber strategy, governance arrangements, IT security spend, the volume and type of data held, the security controls applied to protect information assets and reliance on shadow IT;
- investigating third party arrangements, cyber-awareness culture, testing regimes, details of any prior data breaches, how prepared organisations are to respond to a cyber event and whether they have run any war-gaming exercises to stress test their arrangements; and
- focusing on executive level sponsorship of cyber security and resilience, including by making regular tabletop scenarios that include senior management participation a condition of coverage.
Without this, some businesses will not even be considered for cover.9
This trend is evident across all industry sectors in Australia. It means all organisations (including professional and financial services, healthcare, manufacturing, government, logistics and SMEs) should take note of the below steps.
What should you do to ensure insurance is an effective component of your cyber risk management?
Consider taking out cyber insurance if you have not already
Although cyber insurance should not be seen as a substitute for cyber preparedness, it can be a valuable component of your risk management strategy.
Against raising premiums, you may opt to take out a policy with a high deductible, so that you are at least covered for an attack of such severity that your organisation would not be able to absorb the entirety of the costs.
Know and implement effective cyber risk management
Insurers are increasingly focused on security culture and preparedness when assessing and pricing risk (or, indeed their willingness to offer cover at all). In order to be prepared to demonstrate a mature security posture when taking out or renewing your insurance arrangements, we recommend that, as a first step, you:
All organisations should be doing this regardless—and it may help reduce your premium, too.
Preapprove experts and third party breach responders
In the event of a serious breach, you may need to call on experts (including cyber forensic investigators and, if appropriate, ransom negotiators).
These vendors should be approved in advance by your insurer, and your insurer may have preferred suppliers. However, you should give thought to how these experts will fit within your broader incident response, regardless of the insurance position.
Know your policy and scenario test it against your risk exposure
What is your risk exposure? Consider the potential impact of various breaches on your business (including its systems and operations).
What will be covered? Understand what first-party losses and third-party liabilities the policy covers, and consider whether it adequately captures your risk exposure. Your broker will be able to help advise you on this.
What is excluded? Test the limits and exclusions under your policy. In the current climate be particularly mindful of the scope of war and cyber-terrorism exclusions. Consider any differences between your primary and excess policies, and discuss this with your broker.
What are the conditions of claiming? Study any notification or consent trigger points in the policy and plan ahead as to how you will engage with your insurer or broker in the event of an incident. Consider whether you are prepared to incur any expenses without prior approval in the event the insurer delays or withholds approval, such as where attribution is unclear. Build these requirements into your cyber incident response plans and playbooks.
Talk to your critical suppliers about their coverage
Consider whether critical suppliers and contractual counterparties have cyber insurance arrangements in place. Particularly where they have access to your data or systems—and a third-party breach may lead to your business incurring substantial liability—the insurance position of those counterparties may be important to mitigate the credit risk of that counterparty. If your supplier is hit, you are unlikely to be the only one seeking to claim against them.
If your suppliers are able to obtain insurance, this should also give you some comfort that they were able to demonstrate a mature security posture in the face of increasingly close scrutiny by insurers when taking out or renewing their policy.
Embed the role of executives and legal
There is a reason some insurers are insisting on organisations undertaking regular ‘tabletop scenarios’ involving senior management before agreeing to provide coverage. An actual cyberattack should not be the first time that your CEO, board and incident response team (including legal) practise their response plans, escalate issues and have discussions around engaging with threat actors.
An actual cyberattack should also not be the first time you consider the many complex legal and compliance ramifications of a breach, including the following: