Cyber threats: will businesses become uninsurable?

Cybersecurity has increasingly taken over headlines in mainstream media. Australia has seen a spike in cyber attacks in recent years, but it was the two high-profile breaches last year that finally rocked the boat and put data protection at the forefront for Australian consumers and businesses.

Cybercrime, now a very modern problem, is seeing many organisations and business leaders seeking additional protection in the form of cyber insurance. As the rate of cyber incidents increases with severity and consequences, there has also been an uptake of cyber insurance in Australian business in the last 18 months.

The Australian Cyber Security Centre (ACSC) says that over 76,000 reports of cybercrime were made through its ReportCyber platform during the 2021–2022 financial year — that’s an increase of nearly 13% from the previous year and equates to one cybercrime report made roughly every seven minutes!

If the purpose of insurance is to act as a safety net for unforeseen circumstances, surely it is a worthy investment, right?

But wait, what is cyber insurance?

Lloyds of London first released the first modern cyber insurance policy at the turn of the millennium. It sought to cover the costs of repairing and replacing software, online extortion costs and revenue that was lost as a consequence of a malicious service interruption.

While cyber insurance has seen an increase in uptake since its early days, it is still struggling to find its place in a crowded cybersphere. In its March 2022 cyber insurance report, the Insurance Council of Australia reported that only 20% of small to medium-sized businesses, and 30–70% of larger businesses in Australia, have standalone cyber insurance.

Cyber insurance, like cybersecurity, continues to evolve

With cybercrime as an ever-changing challenge, taking a traditional insurance model and adapting it to fit into the cybersphere is an uphill task. Gauging how at-risk a business is to a cyber attack is hard to determine as the factors to consider are innumerable and largely unsubstantiated.

Compared to traditional insurance such as home and contents, cyber insurance is still in its infancy. While conventional insurance lines have libraries of data, insights and years of experience to help form a sustainable business model for today, the cyber insurance industry is still evolving and learning.

One such example is the changes to the proposal form that cyber insurers use to make an assessment and provide a quote. In 2019, an Australian mid-market cyber insurance provider would ask seven questions as part of the assessment. Today, the same cyber insurance provider has nine pages’ worth of questions relating to business turnover, email security, network security, access management and the availability of multi-factor authentication (MFA), data protection and encryption, and business continuity.

The barriers preventing businesses from getting cyber insurance

The threats facing our organisations are continuing to evolve. Cybercrime can have severe consequences and is therefore high risk. In response to this, cyber insurers are proactively utilising additional tools, data, methods and processes to determine the risk profile of an organisation. A company’s risk profile impacts how cyber insurers decide not only how much the premiums will cost, but if the organisation can be insured. Major providers of enterprise cyber insurance usually assess the types of business applications used within an organisation, and the purpose and criticality of each application, including the maximum outage period before impacts on one’s business. Insurers also examine the organisation’s information security policy and risk management, protection technologies and processes implemented. Data protection policies are also considered, including if the organisation collects or holds any personal data.

As cyber insurance providers continue to mature, we can expect that the level of detail required to make an assessment will become more thorough. Organisations that do not invest in cybersecurity, information systems protection and data security could find themselves at risk of not only higher premiums, but also becoming uninsurable.

So, how can the situation be improved?

Firstly, organisations need to evaluate their current processes, technologies and skills to determine if they are equipped to protect and defend themselves against cyber threats. They also should assess whether they can recover from a potential scenario where their systems could be compromised.

Understanding the current gaps will be the first step in working towards a better security posture and eligibility for cyber insurance. Businesses can look at what security measures they currently have in place to help them better understand what additional measures they can implement. For instance, does the business have Identity Governance and Administration (IGA) or Privileged Access Management (PAM) measures in place? For businesses wondering where to start, there are various frameworks and guides available, such as the ACSC Essential Eight or the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

There is an opportunity for increased collaboration between insurers and cybersecurity professionals. In working together, they would be able to find a baseline from which they can measure risk factors and find the basic steps needed towards improving security posture.

This collaborative approach between cybersecurity experts and insurers for a pre-policy vulnerability assessment means insurers could gain further levels of insight into how cyber secure an organisation is. Businesses benefit from the assessment with actionable information as to how they can bring down the cost of insurance, or become eligible for cyber insurance, and improve the organisation’s security posture.

While cyber insurance has its challenges as it continues to evolve and mature, in the long term it will help to save businesses from bankruptcy, and serves to bolster the security posture of the wider economy. And with a collaborative approach, cyber insurance can have a significant and positive impact.

Image credit: iStock.com/FotoMaximum