Mark De Boer
August 21, 2023

https://www.cybernewscentre.com/plus-content/content/navigating-cyber-insurance-trends-in-the-uk-and-america


The Maturation of Cyber Insurance in the UK and Australia: Tackling Coverage Gaps and Promoting Compliance

Over the past decade and a half, the dynamics of the cyber insurance industry have been rapidly changing. What began as a straightforward renewal process has now morphed into a complex system of risk evaluations, primarily due to the proliferation of cyberthreats such as ransomware. This change in the landscape has necessitated more exhaustive assessments during insurance renewals and subsequently led to an uptick in costs, a direct consequence of the intensifying risks.

Erik Decker, the Vice President and Chief Information Security Officer (CISO) of Intermountain Healthcare, recently delineated five pivotal controls essential for cyber insurance providers in determining an organisation's coverage qualifications. These controls include endpoint detection and response capabilities, multi-factor authentication, consistent backup maintenance, privileged account management, and both email and web filtering protection.

Drawing upon his extensive knowledge in security governance, risk mitigation, and incident response, Decker underlined the importance of crafting a compelling case for cyber insurance renewals. When presenting to underwriters, organizations demonstrating a low-risk profile may attract competitive rates, potentially driving down their premiums. For instance, while large entities often see figures around $5 million, through strategic negotiations, these costs might reduce to as low as $1 million, offering considerable savings in deductibles.

In a recent interview at Black Hat USA 2023, Decker also delved into several salient topics, such as the necessity to:

  • Thoroughly understand one's security program;
  • Extract maximum benefits from insurance providers through a robust cybersecurity framework;
  • Consider vital questions security leaders should ponder as renewal periods approach.

Delving deeper into the international perspective, the UK and Australia have both experienced noteworthy developments in cyber insurance.

In the wake of the General Data Protection Regulation (GDPR) implementation, the UK has witnessed a notable escalation in the adoption of cyber insurance. This trend stems largely from the rigorous penalties associated with GDPR non-compliance.


For Small and Medium Enterprises (SMEs) in particular, the ramifications of data losses might not always attract mainstream media attention. However, the subsequent financial implications and the potential damage to one's reputation following a cyber incident can be debilitating.


Given the ubiquity of threats – from sophisticated hacker attacks to inadvertent employee errors – it's imperative for businesses to possess dedicated insurance that addresses potential cyber events. Such insurance plays a pivotal role in mitigating the financial, reputational, and operational repercussions of a cyber incident.

The Changing Dynamics of Cyber Insurance in the UK and Australia: A Business Overview

A report sanctioned by the UK Government and subsequently published by HSB, a subsidiary of Munich Re, disclosed the frequency of cybersecurity breaches or attacks over the past year:

  • 59% of medium-sized UK businesses
  • 48% of small UK businesses

Shifting focus to Australia, leading financial institutions, such as the Commonwealth Bank of Australia, are intensifying their efforts to promote awareness regarding cyber threats and the importance of pertinent insurance. They advise businesses to meticulously review their operations, ensuring adherence to regulations and maintaining up-to-date insurance policies.


Per the Australian Cyber Security Centre’s Annual Report, the financial burden of cybercrime on Australian businesses saw a 14% increase from FY21 to FY22. On average, cybercrime incidents cost small businesses $39,000, medium businesses $88,000, and large enterprises slightly over $62,000 per event.


One of the primary challenges in combatting cybercrime is its volatile nature. Cyber adversaries continually refine their strategies, making them harder to detect and increasingly efficacious. Andrew Pade, General Manager of Cyber Defence Operations at CommBank, articulated the shifting paradigm of cybersecurity. In his view, the conversation has evolved from merely achieving a secure status to consistently maintaining it, thereby reducing the likelihood of devastating cyber incidents.


Andrew underscores that businesses should expect cyber-attacks and strategize accordingly. He states, "The real question isn't if a cyber-attack will occur, but when. Hence, it's vital to consistently evaluate and fine-tune the measures in place. Consider cybersecurity risks as you would any other business risk, identifying vulnerabilities and strategising on mitigation."


In an intriguing development in June, Amazon Web Services (AWS) proclaimed its foray into the cyber insurance domain, promising quotes to customers within a 48-hour window and potentially vast revenue avenues for partners. Commenting on this bold move, AWS’s Ryan Orsi, the worldwide head of cloud foundations for the AWS Partner Network, conveyed to CRN US, "This is a defining moment for the industry. At AWS, we've consistently ventured into sectors that beckon innovation, and undeniably, the cyber insurance sector needs reinventing for the cloud era."
