Research Review: What Your Company Needs to Know About Cyber Insurance
Widely publicised cybersecurity attacks—such as those affecting Optus and Medibank—only reinforce that cybercrime in Australia is growing in both frequency and sophistication.
In fact, during the 2021-22 financial year, cybercrime reports made to the Australian Cyber Security Centre (ACSC) increased by 13 per cent compared to the previous year, with online fraud representing the most frequently reported type of cybercrime.
Despite this, separate reporting from the ACSC revealed that roughly half of all small and medium-sized enterprises (SMEs) spent less than $500 on cyber security on average, and that nearly half rated themselves as having poor cyber security practices.
Knowing how to protect against a breach is challenging for organisations of any size, yet SMEs in particular can suffer due to their smaller size and more limited capacity. Cyber insurance is one innovation that can help bridge this gap, but it’s still a relatively new, grey area in many ways.
To help your company make sense of cyber cover, the team at Mangano IT reviewed a recent paper on ‘Cyber Risk and the Role of Insurance’ from the Actuaries Institute, the sole professional body for actuaries in Australia. Here’s what you need to know:
What is Cyber Insurance?
Following the release of a market bulletin by Lloyd’s in 2019, business insurers have been encouraged to provide clarity around whether or not their standard business insurance products cover cyber-attacks. As a result, a growing number of insurers have begun explicitly excluding cyber cover from general policies, unless it is affirmatively included or purchased as a separate, discrete product.
In plain language, this means that your company’s standard insurance policy may not cover your losses, should you experience a successful cyber-attack or data breach. To ensure coverage, you’ll likely need a separate, standalone cyber insurance policy that will cover some or all of your liabilities.
That said, getting a policy like this may not be as easy as it sounds. Insurers may not issue you a cyber insurance policy if your organisation has known security issues, and if you do get a policy, your premiums are likely to be higher if issues exist. Interestingly, the Institute notes, the underwriting process can actually play a role in driving cybersecurity in this way, if its discovery process helps organisations understand where they’re falling short of current standards.
However, because cyber insurance is somewhat new, the Institute also emphasises a few key issues with its delivery:
- Market capacity is still limited for the product, which may make it less accessible to some organisations. But because there’s little appetite for new insurers to enter the market while it’s in its infancy, any significant changes in availability are unlikely in the near future.
- Amidst this low capacity, many insurers are reducing their available cover, while simultaneously increasing premiums. Not only does this risk locking SMEs out of the market, but it may also mean that the policies they’re able to purchase won’t sufficiently cover their losses in the event of an incident. One analysis cited by the Institute suggests that, of the claims reviewed, insurance covered just “44% and 37% of data breach and first party costs respectively”.
- A lack of clarity exists around the controls organisations must achieve and maintain to be covered. This could put SMEs in the difficult position of having to enforce a high level of cyber hygiene—whether or not they can find (or afford) the talent needed to do so.
Given these and other challenges, it is unsurprising that the Institute reports only 20% of SMEs currently hold cyber insurance.
Do You Need Cyber Insurance?
SMEs are particularly vulnerable to cyberattacks, as both a lack of resources to mount a sophisticated cybersecurity defence and a persistent ‘it won’t happen to me’ mindset make them appealing targets to hackers.
Cyber insurance may eventually prove to be the missing piece that closes these gaps. But although it’s evolving rapidly, it is still quite limited (and generic) in its current execution.
As a result, we believe that the best defence SMEs currently have is a cyber risk assessment that identifies existing vulnerabilities and prioritises their remediation, alongside regular investment in cybersecurity programs.
Reach out to our expert team for more information on getting a customised assessment of your company’s cyber risks.