As cyber attacks ramp up around the world, cyber insurance is becoming more crucial than ever – and insurers are racing to keep up with the latest developments
Cyber insurance is a rapidly evolving field – and one that’s proving to be increasingly necessary in the modern business landscape. Events such as the spate of ransomware attacks in 2017 have helped shine a light on its increasing importance. Additionally, recent changes to Australian and EU legislation have brought in mandatory data breach reporting laws with stiff penalties for those who fail to comply. Whereas institutions might have previously been able to hide behind the pretence of impregnability, this is no longer the case.
It’s an oft-repeated cliché, but it’s increasingly evident that businesses must prepare for when a cyber attack or breach occurs, rather than if one might occur. Cyber insurance is an important tool in businesses’ lines of defence, yet in spite of a greater recognition of the necessity of protection, there is still a great deal of confusion surrounding the topic.
“The discussion between an insured and an insurer is often quite limited,” says Mark Doepel, partner at Sparke Helmore Lawyers. “The two speak to each other at the time when the policy is finalised and then hope that they never have a second discussion when a claim is made.”
This situation, Doepel says, is unsustainable. Rather, cyber insurance should present an opportunity for an ongoing dialogue between the insured and the insurer for the entire life cycle of the risk. Part of the reason this dialogue is not more heavily pursued by both parties is simply because cyber insurance is itself a relatively new field; prospective insureds are not always aware of key questions that should be raised until it’s too late.
“Insured parties should at least be asking: what benefits and services do I get during the period of pre-breach? What assistance do I get in triaging any breach which may occur? And what follow-up services are part and parcel of the policy?” Doepel advises.
There are definite benefits to fostering this conversation from the insurer’s perspective as well. The more active dialogue there is between an insured and the insurer before a breach, the more comfort an insurer can have that the client has an active risk management procedure in place.
Protection for everyone
One of the most common misconceptions surrounding cyber insurance – and cybersecurity in general – is that it is solely the domain of larger organisations. But Colin Pausey, a consultant at Sparke Helmore Lawyers, is adamant that this is no longer the case.
“In the early days of cyber insurance, there were some extremely complex proposals in the market,” he says. “That was very off-putting – why would a small business fill out a proposal with 30 or 40 questions? But I think insurers themselves now have a better grasp on what’s a relevant question.”
Of course, insurance policies aren’t protection in themselves – they are supplementary to having an effective cyber strategy in place as well (see the box above).
“Small businesses can protect themselves as well,” Pausey says. “The Australian Cyber Security Centre has published the Essential Eight, which is a list of strategies to help prevent various cyber threats. If a small business follows those basics, makes sure they patch and uses proper authorisations, they can also create internal resilience.”
Though cyber insurance remains a distinct field from professional indemnity insurance, it seems likely that there will be greater overlap between the two in the near future. Obviously data loss is problematic, but the reputational damage that can occur as the result of a breach can also be devastating, as it can severely undermine consumer confidence.
Mandatory reporting of data breaches is at the forefront of legislation, and other aspects might follow. For example, one cannot practise as a health professional without the relevant insurance in Australia; it seems entirely likely that this might eventually apply to certain digital service providers, too.
The world of insurance is built on the backbone of data – the more historical data the insurer has at hand, the better the policy that can be constructed. But because cyber insurance is not yet established as a mature market, much of the data is still being compiled. And in cyber insurance, risks can change far more rapidly than in other fields.
“Even within a short policy period of, say, one year, the actual nature of the risk can change drastically,” Pausey says. “The risk that you’re insuring on January 1 may be completely different by December, which is a key problem confronting insurers at the moment.”
The full impact of these factors on the market remains to be seen. However, it’s inevitable that both cybersecurity and cyber insurance policies will continue to evolve. New tech innovations will also help prevent or catch fraud; blockchain has presented a means of time-stamping files in order to provide evidence of unwanted access or interference from outsiders, for example.
Still, there are threats that have not been widely considered, particularly in relation to the Internet of Things. In the US, concerns have already been raised around the possibility of internet-enabled medical devices being targeted by ransomware.
“Potential incidents like this feed into the dialogue around the connectivity of devices in the world we live in,” Doepel says. “Cyber threats aren’t just someone shutting down the Australian Census – they could potentially reach as far as someone turning off the traffic lights in the Sydney CBD.”
As might be expected, insurers and brokerages alike have taken a broad range of stances on the increased presence of cyber insurance in the Australian market. Some are markedly keen to get involved at primary layers, while some are only willing to engage at an excess layer. Larger businesses have proved particularly divisive. Although larger companies are likely to have a more resilient IT strategy, theoretically reducing the chances of a major incident, they also hold the opportunity for some of the highest severity claims.
“To top this off, you also have some underwriters who’ve decided that they don’t fully understand all of the risks involved and are simply taking a ‘wait and see’ approach to cyber insurance,” Doepel says.
Additionally, certain insurers are already establishing themselves as being able and willing to pay out on cyber claims. Prospective customers will be able to leverage this data to determine which insurer they choose to provide their cyber insurance.
There are also potentially interesting coverage cases emerging that are likely to set precedents in the coming years, particularly in regard to educating clients on what measures to take to respond to shifting threats. Given all this, the next five to 10 years should prove to be a fascinating time in the field of cyber insurance.