Breach-shy boards may be turning to cyber insurance for protection, but insurers are still taking a softly-softly approach as a growing series of massively expensive cyber attacks forces them to re-evaluate their assessments of potential losses under such policies.
Recent reports have suggested that US credit bureau Equifax only had $US100m to $US150m worth of coverage – well below the likely final cost of its massive data breach given that smaller incidents caused by the WannaCry and NotPetya infections have alone racked up massive bills.
FedEx, which has pegged the cost of its NotPetya infection at $US300m ($A379m), is only now looking into cybersecurity insurance. It will find itself shopping from a much more sceptical insurance community that is taking its time in evaluating cyber risks – Cyber Plus took 5 years to design and underwrite an insurance package appropriate for Australian SMEs – and that will look unfavourably on companies seen to be practising inadequate cybersecurity.
Reports of market successes by some cyber insurers suggest that they are playing to a sector that is crying out for the right insurance proposition. However, rapidly rising expectations around cyber insurance – and the prevalence of massive damages bills that are sure to have actuaries wringing their hands over potential cybersecurity exposure – are likely to put more pressure on boards to be proactive about their data protections, if only to demonstrate to insurers that they are doing the right thing.
Recent IBM-Ponemon Institute research found the average cost paid by Australian companies was $2.51m last year, with per-record costs sitting at $139. Yet these figures are derived from just a few case reports, and the true extent of Australian companies’ financial losses won’t become clear until the Notifiable Data Breach (NDB) scheme kicks in next year.
“Hope is a lousy strategy and sunlight is the best disinfectant,” says Joshua Kennedy-White, Asia-Pacific managing director of Accenture Security, which recently released its own evaluation of the cost of cybercrime, flagging the average cost at $US11.7m ($A14.8m) and finding that cybersecurity breach costs are increasing 22.7 percent annually.
Given the fluid nature of cyber risk and its still indeterminate potential exposure, many may find the industry less than enthusiastic about taking on risks that are proving to be larger than many ever anticipated.
“Who needs to be insured for what?” NSW chief information security officer Maria Milosavljevic asked while calling for a “significant and systemic change” in the industry during a recent presentation at this month’s InnovationAus Cyber Insurance conference.
“You can’t outsource accountability,” she said. “So, you point to the company and say they are fully responsible, accountable and liable. You can’t point to the individual and say you shouldn’t have provided your data… [and] the harm may not be visible for years. We need… to start moving towards a world of mutual responsibility.”
Calls for mutual responsibility are likely to be heard more and more as high-value impact projections – such as a recent Lloyd’s of London-Cyence report projecting that a major cyber attack could cost from $US4.6b ($A5.8b) to $US121b ($A152.8b).
This risk, in turn, seems to have cooled many would-be cyber insurers: Capgemini’s recent World Insurance Report found that only 15.1 percent of insurance executives saw a high degree of benefits from capitalising on new opportunities around “emerging risks such as cyber risks”.
Fully 58.9 percent saw the sector as having low benefits – leaving cyber insurance ranked 7th out of nine potential drivers for business growth, well behind better customer service, personalisation of products and services, creating new business models, and catering for markets such as Millennials.
Given the massive losses being chalked up by high-profile breach victims, insurer expectations and board attitudes towards insurance may be levelling off for some time to come. Speaking at a recent VMware event, Nigel Phair, managing director for the Centre for Internet Safety, noted the “pretty nascent” state of cyber insurance in Australia and lamented boards’ generally knee-jerk responses to the increasing risks they face.
“I still see organisations saying that they’ll encrypt their data,” he told the audience. “You ask ‘why is that?’ and they say ‘because our insurance premium will go down.’”
Phair also flagged the challenges of a still-evolving industry, with a lack of insurance brokers that are “prepared to know organisations and know the markets they operate in, the type of technologies they are using, and the types of controls they have around their organisations.”