A swathe of Australian businesses could soon be uninsurable for cybersecurity risks because too many company directors believe simply having cyber insurance is sufficient.
A lack of understanding means business leaders are failing to invest in preparation or protection and insurers are now taking action, because ransomware payouts and reinsurance costs for companies with a low security posture are soaring.
Global ransomware attacks are running rampant — spiking 170% in the past year — and the size of ransom demanded has also risen, with US payouts climbing 400% between 2019 and the first quarter of this year.
As a result, the Australian Prudential Regulation Authority (APRA) is directing Australian insurers to review their cyber risk profile and reconsider whether they are themselves underplaying risk.
Insurers are now tightening their approach to covering the cyber risk of businesses that cannot demonstrate they were taking appropriate measures to mitigate the threat of attack or data loss before an incident occurred.
Risk aversion among insurers covering cybersecurity has been recognised across the globe, with international insurance broker Howden last month estimating global cyber insurance pricing had risen 32% on the back of increased exposure and risks. There is a growing trend by insurers to increase premiums and cap cybersecurity limits. In Australia, premiums rose 20% in 2020.
There is a general understanding among Australian companies that cybersecurity is a growing risk, and that cyber insurance is something that might help.
But business leaders lack understanding about how far that insurance actually extends and Pitcher Partners is finding many companies don’t know exactly what they are buying, or where they sit on the risk spectrum.
Insurers lowering limits over ransomware spike
Directors know there is a gap in their security, but they don’t know how wide that gap really is, and see cybersecurity insurance as a way of plugging that hole. That mindset results in unrealistic expectations that holding cybersecurity insurance will mean they are covered for almost any event.
The reality is that when it comes to data loss, data theft, ransomware, malicious activity or even cyber terrorism, insurers increasingly highlight exclusions in the fine print and limits on their liability.
The standard approach of insurers in pre-assessing risk — sending companies questionnaires about their security posture to understand their threats, likelihood of an incident occurring and potential business impact — falls short when it comes to cybersecurity insurance.
There are a lot of companies that simply can’t answer these questions with any certainty, or they make mistakes that are not intentional but are based on a lack of understanding or knowledge.
The approach of insurers is often to go back and scrutinise those responses very carefully when a claim is made. Insurers are also increasing their premiums and lowering limits in response to the increase in ransomware payouts.
Some companies will find themselves uninsurable if they fail to address the cyber risks in their business or cannot adequately explain their mitigation plans to underwriters. Others will only find out their insurance is void when something goes wrong.
Directors at increased personal risk
The last thing a company needs is to realise, at the time of a claim, that it is not covered in the way it thought it was.
Australian directors may soon be at increased personal risk, with the Department of Home Affairs considering changes that could make company directors personally liable for cyber attacks.
APRA is already enforcing similar governance standards and penalties by requiring financial services companies to notify APRA as soon as possible of any information security incidents that materially affect, or have the potential to materially affect, the interests of customers.
In addition, a new Ransomware Payments bill proposes changes that could make disclosure of ransomware attacks mandatory. At present, there is no obligation for Australian organisations to disclose whether a company has been subject to a ransomware attack or if it has made any payments to hackers.
The proposed changes would require organisations to report the attack, whether they paid the ransom and, if so, to whom. This in turn could expose them to anti-money laundering laws, as many cyber criminals are listed as sanctioned persons, entities or even terrorist organisations.
Directors are already on the hook for privacy breaches under Australia’s privacy legislation, but it is likely this will be broadened with a voluntary reporting system for cyber attacks at the very least.
Directors need to understand the exposure of their companies and satisfy themselves that both the organisation and they themselves are protected.
They also need to ensure that the insurance protection they have in place is the right policy for their situation and is going to cover both losses and remediation in the case of a claim.