In brief
Cyber insurance has emerged as a multibillion-dollar global industry, safeguarding businesses against financial losses from the explosion of cyber risk. We caught up with Chris Mackinnon, head of Lloyd's in Australia, to discuss the state of the cyber insurance market in Australia, the challenges of understanding risk exposure, and why responsibility for cyber security should rest with boards.
Key takeaways
The cyber insurance market has ballooned
The size of the cyber market globally is now around US$4 billion. While, historically, US-domiciled risk made up the vast majority of the market, there has been a $200 billion increase in cyber premiums outside of the US in the past five years. In Australia, Lloyd's has seen 100 per cent growth year on year over the past three or four years.
Cyber insurance products aren't one-size-fits-all
It can be challenging to determine the specific risk exposure of your organisation and the potential consequences of a cyber attack for your business. Rather than taking out a cyber insurance policy as a reactive measure following a specific incident, it's important to look longer term, to ensure the product is fit for purpose and covers your specific exposures.
Accountability for cyber risk is poorly understood
There is still a real lack of awareness and understanding of cyber exposure among senior business leaders. In 2016, Lloyd's surveyed 350 European business leaders on what their businesses were doing about cyber exposure. Ninety-two per cent of those businesses had experienced some form of cyber attack in the previous five years, but only 42 per cent of those CEOs felt it was something they needed to worry about in the future.
According to Chris Mackinnon, cyber is now a business risk, not an IT risk, so responsibility for it should rest at the top level: with the board.
Unknown risk is a challenge for the industry
The biggest challenge the insurance industry faces regarding cyber is the unknown nature of its risks and consequences. Insurance has historically analysed past events to model prospective future losses. There is a real lack of data on cyber attacks and data breaches.
However, mandatory breach notification regimes in the US, Australia and (soon) the EU are now allowing the industry to capture that data and use it to model scenarios, so that insurance products can be informed, structured and priced on the basis of known, quantified exposures.
There are two nightmare scenarios for cyber insurance
Lloyd's has done a lot of modelling around disaster scenarios – in particular, the aggregation exposures for:
- a mass vulnerability attack on a global operating system; and
- a malicious attack on a cloud service provider.
The big difference between a cyber exposure and a normal physical risk exposure, or natural catastrophe, is that there is no geographic containment of a cyber event.
Lloyd's modelled the cloud attack as being in the order of US$67 billion in economic loss but only around $30 billion in insured loss. The mass vulnerability attack on a global operating system was considered to be around US$37 billion in economic loss but only $2.5 billion in insured loss.
Indemnity from insurance is a last resort
Your indemnity from cyber insurance products should be a product of last resort. You need to conduct a risk analysis of your business's systems, processes, and the training and education of staff at all levels. Make sure your systems are as well protected as possible, using penetration testing to identify weaknesses in your systems.