What's driving up cyber insurance premiums in Australia?

What's driving up cyber insurance premiums in Australia? | Insurance Business Australia

What's driving up cyber insurance premiums in Australia?

Cybercrime continues to be a scourge on Australian businesses, with almost four in 10 falling victim to a cyberattack last year, the latest data threat report from Thales Group has revealed.

The global tech giant surveyed around 2,800 IT executives from 17 countries – including 105 from Australia – and found that incidents of cybersecurity breaches remained “disturbingly high” throughout 2021.  

Australian IT leaders ranked ransomware (45%), malware (43%), and phishing or whaling (40%) as the three biggest cyber threats facing businesses. They also claimed that managing these risks requires a continuous effort as half of the respondents reported an increase in the volume, severity, or scope of cyberattacks in the past 12 months. In terms of targets, business leaders named on-premise legacy apps (48%), cloud-based storage (47%), and web apps (43%) as the top three.

With many employees still working remotely, more than three-quarters (76%) of those interviewed also admitted that they were concerned about the cybersecurity risks posed by work-from-home arrangements. 

Read more: Cyber resilience concerns intensify in Australia

The study also revealed that 35% of IT executives have around half of their workloads and data stored in external clouds, while 47% experienced a breach or failed an audit in their cloud environments. Despite this, the use of encryption to protect sensitive data remained low, with about half (52%) of respondents saying that only 40% of their sensitive data in the cloud has been encrypted, while just a quarter have more than 60% of theirs encrypted. This means many Australian businesses are exposed to significant cyber risks.

Brian Grant, ANZ director at Thales Cloud Security, warned that cyber awareness training, paying ransoms, and other outdated approaches do not mitigate risks among data-dependent organisations.

“Staff turnover and inconsistent skills, combined with advanced social engineering by attackers, make cyber awareness ineffective, while paying a ransom only fosters more criminal behaviour,” he said. “It's encouraging that many businesses have increased security budgets and devised cyber-incident response plans, but a worrying lack of effective data security continues to leave gaping holes for criminals to exploit.”

Read more: CISOs warn of gaps in cybersecurity strategies

Is cyber insurance becoming more difficult to secure for Australian businesses?

These “gaping holes” are among the reasons why cyber coverage is becoming increasingly challenging to secure for many Australian businesses, according to one expert.

“The cover offered by insurance providers has gained increased attention during the COVID-19 lockdowns,” wrote Scott Hesford, director of solutions engineering, Asia-Pacific and Japan at system software company BeyondTrust, in an article for Consultancy.com.au. “With many of their staff working from home, businesses are realising their pre-pandemic security measures are no longer providing the level of protection they require.

“A reliance on firewalls and other on-premise measures are simply insufficient. Home-based workers – thanks to insecure Wi-Fi, unpatched personal devices, and generally poor cyber hygiene – are more susceptible to everything from phishing campaigns to ransomware attacks and more.”

Read more: Ten ways to protect your business from cyber attacks

These situations, according to Hesford, have pushed cyber insurers to tighten underwriting guidelines and require customers to have certain security controls in place before they can access coverage. He added that insurance companies are becoming more selective about who they are willing to cover.

“Qualification for cyberattack coverage is being carefully assessed and potentially denied based on the answers of prospective and current customers to comprehensive security questionnaires,” Hesford explained. “Insurance companies are also increasingly hiring security professionals to help them navigate the path to insuring qualified customers and denying those who don’t qualify or otherwise pose too big a risk.”

Why are cyber insurance rates increasing?

The rise in the volume and gravity of cyberattacks has impacted insurance premiums significantly, according to industry experts. 

In an op-ed piece for The Australian, Chris Martin, corporate partner at Asia-Pacific advisory and investment firm KordaMentha, explained how the situation could make insurance unaffordable not just to Australian companies but also to businesses across the globe.

“Given the increase in number and severity of cyberattacks leading to higher claims, what was once a profitable line of business for insurers has quickly turned into a category with unsustainable financial returns,” Martin noted. “So serious is the financial outlook for insurers that S&P Global Ratings has warned of the potential for cyber risks to impact on insurers’ credit ratings. Lower credit ratings result in higher premiums across all insurance categories.”

Read more: Is insurance industry data really safe in the cloud?

A separate study by Marsh has revealed that cyber insurance premiums in Australia have surged up to 80% in the first half of last year, with claims numbers also increasing by 50% during the period.

The insurance giant’s mid-year update also warned that growing ransomware demands and climbing business rectification costs were causing cyber insurance providers to reassess.

“After a period of sustainable losses and steady growth in premium, the proliferation of the underlying ransomware threat has led to an unsustainable loss portfolio for insurers,” according to the report. “The worsening loss ratios have also led to corrective actions from the market, such as limiting capacity and co-insurance requirements, in order to maintain portfolio profitability. This trend is evident across all industry sectors in Australia.”

Read more: Ransomware attacks – should Australian businesses pay up?

How can Australian businesses boost their cyber insurability?

Hesford reminded businesses that if they are not taking “robust precautions” to protect against cyber threats, they cannot assume that insurance will bail them out once they fall victim to an attack.

“Insurers will increasingly hold firms accountable for their cybersecurity programs and levels of protection,” he noted. “They expect their customers to adequately uphold their end of the bargain with regard to mitigating risk, reducing attack surfaces, and having mature IT security strategies.”

Murray Mills, manager at computer support and services firm Tecala, meanwhile, listed two ways Australian businesses can remain insurable against the threat of cyberattacks.

The first one is by demonstrating a minimum standard of security and resiliency against an attack.

“[The Council of Insurance Agents & Brokers (CIAB)) notes that multi-factor authentication (MFA) on all enterprise accounts and proactive staff training are now considered a baseline standard by insurers,” Mills wrote in an article for Consultancy.com.au. “While not having MFA is unlikely to result in cover being refused, it is likely to affect the premium and excess associated with a policy. Being priced out of cover in today’s insurance market is a real possibility if security baselines are unmet.”

Read more: Online scams report: Australian cybercrime on the rise in 2022

Mills added that businesses must also be able to build a strong baseline for cybersecurity protections to stay insurable.  

“Some insurers are taking this concept further by incorporating elements of compliance-based security frameworks and standards like the ASD Essential Eight, NIST, or the Centre for Internet Controls (CIS) 18 into the tests they use to pre-qualify customers for cyber insurance policies,” he explained.

“This won’t be an issue for more forward-thinking organisations that already use these frameworks to guide their security activities. For organisations not already on this path, however, a cyber security review can be used to test your organisation against these standards. It can also be used to develop a strategic technology roadmap to bridge any gaps in capability or coverage that could have flow-on impacts for insurability.”