Site search

INSIGHT

Backing up the backups: cyber insurance in a hardening market

By Jonathan Light, Valeska Bloch, Joshua Anderson, Robert Marsh, Emiliana Gallego 20 September 2022
Corporate Governance Cyber Insurance Risk & Compliance

Key trends in the cyber insurance market and how your business should respond 6 min read

This is the first instalment of our Cyber Insurance Handbook Series. 

The proliferation of cyber extortion and ransomware, together with the threat of state-sponsored, state-sanctioned and spill-over cyberattacks, has intensified an already heightened global cyber threat environment. Increased regulatory scrutiny and enforcement action, including in Australia, is also contributing to the steadily rising cost of cyber risk management and cyber incident response.

These developments have put additional pressure on insurers in an already hardening cyber insurance market, with insurers continuing to narrow the scope of available cover.1

Jump to

  1. How much does a cyber incident cost?
  2. How is the insurance market responding to heightened cyber risk?
  3. What should you do to ensure insurance is an effective component of your cyber risk management?

How much does a cyber incident cost?

IBM's recently released annual 'Cost of a Data Breach' report conducted by the Ponemon Institute found that the global average cost of a data breach in 2022 totalled US$4.35 million (in the US, it is even higher at US$9.44 million). For a ransomware attack, the global average cost is US $4.54 million, excluding the cost of any ransom.2

Cyber incidents cost many organisations orders of magnitude more than that. For example, T-Mobile will pay US$350 million to settle class action claims arising from a cyberattack, and has committed to an incremental spend of US$150 million for data security and related technology in the next two years.3

In Australia, self-reported losses from cybercrime totalled more than $33 billion in the 2020-21 financial year.4 Measurable costs are often only the 'tip of the iceberg' of total losses and reputational damage, which can persist long after the initial compromise.

The rising costs of cyber incidents mean it is becoming more common for companies in Australia to consider cyber insurance as an important (but not exclusive) aspect of their risk management 'toolkit'.

Take-up rates are increasing, with Marsh reporting a 23% increase in organisations purchasing cyber insurance last year. However, overall rates are still low compared to more traditional forms of commercial property and liability insurance.5 This gap is most acute for small to medium-sized enterprises, which are less likely to take out insurance or may only be able to procure a relatively low level of coverage. Currently in Australia, only about 20% of SMEs and 35–70% of larger businesses have standalone cyber insurance.6

Back to top

How is the insurance market responding to heightened cyber risk?

The market for coverage against cyberattack losses is now a significant class in its own right.7

However, as Lloyd's of London has recently observed—in a word of caution to the market—cyber risks have the potential to expose insurers to systemic risks that they (and their reinsurers) may struggle to meet. This distinguishes cyber cover from the usual categories of insurance where, putting the COVID-19 pandemic to one side, losses can generally be relied upon to occur in one location at a time. By contrast, the potential losses associated with the possibility of a global cyber incident have the potential to greatly exceed what the insurance market is able to absorb.

The cyber insurance market continues to 'harden' in response to these risks. Specifically, insurers are taking the following steps to mitigate this exposure:

  • Increasingly limiting, clarifying or excluding certain losses from cover – Having previously tightened cover on ransomware incidents, insurers are now focusing on war exclusions.
  • Being prepared to walk away – Insurers are prepared to see their policy book decline (even at the expense of market share) if it means safeguarding their position, and are broadly agnostic to policyholders failing to renew in light of increasing premiums and restrictions.
  • Raising premiums – Brokers continue to report an ongoing trend of steep, year-on-year price increases. Marsh reports that the cost of taking out cyber cover has doubled on average each year for the past three years.8
  • Heightening risk management expectations – As a precondition to writing or renewing cover, or as a key determinant in setting companies' policy premiums, insurers are increasingly requiring evidence of cyber hygiene and risk management culture. This includes:
    • examining, in detail, information about organisations' cyber strategy, governance arrangements, IT security spend, the volume and type of data held, the security controls applied to protect information assets and reliance on shadow IT;
    • investigating third party arrangements, cyber-awareness culture, testing regimes, details of any prior data breaches, how prepared organisations are to respond to a cyber event and whether they have run any war-gaming exercises to stress test their arrangements; and
    • focusing on executive level sponsorship of cyber security and resilience, including by making regular tabletop scenarios that include senior management participation a condition of coverage.

Without this, some businesses will not even be considered for cover.9

This trend is evident across all industry sectors in Australia. It means all organisations (including professional and financial services, healthcare, manufacturing, government, logistics and SMEs) should take note of the below steps.

Back to top

What should you do to ensure insurance is an effective component of your cyber risk management?

number_blue-80x80px-1.pngConsider taking out cyber insurance if you have not already

Although cyber insurance should not be seen as a substitute for cyber preparedness, it can be a valuable component of your risk management strategy.

Against raising premiums, you may opt to take out a policy with a high deductible, so that you are at least covered for an attack of such severity that your organisation would not be able to absorb the entirety of the costs.

number_blue-80x80px-2.pngKnow and implement effective cyber risk management

Insurers are increasingly focused on security culture and preparedness when assessing and pricing risk (or, indeed their willingness to offer cover at all). In order to be prepared to demonstrate a mature security posture when taking out or renewing your insurance arrangements, we recommend that, as a first step, you:

  • adopt a risk-based approach to cyber security, informed by regular cyber risk assessments undertaken by a qualified expert for the technical analysis and legal counsel for regulatory mapping; and
  • implement and maintain a cyber security strategy, along with a documented roadmap outlining (on a prioritised basis) the actions you will take to address any gaps identified in cyber risk assessments.

All organisations should be doing this regardless—and it may help reduce your premium, too.

number_blue-80x80px-3.pngPreapprove experts and third party breach responders

In the event of a serious breach, you may need to call on experts (including cyber forensic investigators and, if appropriate, ransom negotiators).

These vendors should be approved in advance by your insurer, and your insurer may have preferred suppliers. However, you should give thought to how these experts will fit within your broader incident response, regardless of the insurance position.

number_blue-80x80px-4.pngKnow your policy and scenario test it against your risk exposure

What is your risk exposure? Consider the potential impact of various breaches on your business (including its systems and operations).

What will be covered? Understand what first-party losses and third-party liabilities the policy covers, and consider whether it adequately captures your risk exposure. Your broker will be able to help advise you on this.

What is excluded? Test the limits and exclusions under your policy. In the current climate be particularly mindful of the scope of war and cyber-terrorism exclusions. Consider any differences between your primary and excess policies, and discuss this with your broker.

What are the conditions of claiming? Study any notification or consent trigger points in the policy and plan ahead as to how you will engage with your insurer or broker in the event of an incident. Consider whether you are prepared to incur any expenses without prior approval in the event the insurer delays or withholds approval, such as where attribution is unclear. Build these requirements into your cyber incident response plans and playbooks.

number_blue-100x100px-5.pngTalk to your critical suppliers about their coverage

Consider whether critical suppliers and contractual counterparties have cyber insurance arrangements in place. Particularly where they have access to your data or systems—and a third-party breach may lead to your business incurring substantial liability—the insurance position of those counterparties may be important to mitigate the credit risk of that counterparty. If your supplier is hit, you are unlikely to be the only one seeking to claim against them.

If your suppliers are able to obtain insurance, this should also give you some comfort that they were able to demonstrate a mature security posture in the face of increasingly close scrutiny by insurers when taking out or renewing their policy.

number_blue-100x100px-6.pngEmbed the role of executives and legal

There is a reason some insurers are insisting on organisations undertaking regular 'tabletop scenarios' involving senior management before agreeing to provide coverage. An actual cyberattack should not be the first time that your CEO, board and incident response team (including legal) practise their response plans, escalate issues and have discussions around engaging with threat actors.

An actual cyberattack should also not be the first time you consider the many complex legal and compliance ramifications of a breach, including the following:

  • Your notification obligations, especially if your business is in a highly regulated industry (such as financial services or critical infrastructure).
  • Whether or not you may be prepared to meet a cyber-extortion demand—a difficult legal question, ahead of time.
  • How to respond to requests by insurers for privileged documents (such as legal advice) following a claim, and the arrangements or protocols you may wish to have in place.
Back to top

Footnotes

  1. We have described hardening of the cyber insurance market as a key cyber trend to watch this year. See our snapshot here.

  2. IBM, Cost of a Data Breach 2022 Report (Report, 27 July 2022).

  3. United States Securities and Exchange Commission, TMobile (Current Report pursuant to Section 13 OR 15(d) of The Securities Exchange Act of 1934, 22 July 2022).

  4. Australian Cyber Security Centre, ACSC Annual Cyber Threat Report 1 July 2020 to 30 June 2021.

  5. OECD, Insurance Coverage for Cyber Terrorism in Australia, February 2020, 13.

  6. https://insurancecouncil.com.au/issues-in-focus/cyber-risk/.

  7. Lloyds, 'State backed cyber-attack exclusions' (Market Bulletin, 16 August 2022).

  8. Sally Patten, 'Cyber insurance premiums soar 80pc as claims surge' Australian Financial Review (online, 12 September 2022). 

  9. See comments by Honan Insurance Group CEO, Andrew Fluitsma. Ibid.

Cyber Insurance Handbook Series

When silence is no longer golden: the demise of 'silent cyber' and the need for dedicated cyber insurance

Recent high-profile cyberattacks and the Federal Court's Inchcape decision provide a timely reminder of the need for suitable cyber insurance coverage.

Insurance in a time of (cyber) war

The cyber insurance market reckons with the state malware threat.

'A ticking time bomb': limitations in cyber cover for known vulnerabilities and end of life hardware

Monitoring your systems and addressing vulnerabilities may be essential to preserving insurance coverage,

Explore further

INSIGHT

New industry standards for online safety: what service providers need to know

06 Feb 2025

INSIGHT

Meta's $50M settlement with the OAIC fails to clarify the Privacy Act civil penalty regime

20 Dec 2024

INSIGHT

First tranche of privacy reforms bring progress but no long-term clarity

05 Dec 2024

INSIGHT

New cyber incident response obligations for Australian organisations

04 Dec 2024

Stay informed

Subscribe to our insights and updates

Subscribe now