Staying insurable for your cyber security insurance policy
As the risk of cyber threats and their impact continue to rise, insurance companies are tightening their policy conditions. Murray Mills, a Manager at Tecala, outlines what Australian organisations can do to stay insurable against the threat of ransomware and other attacks.
Insurers, whose role it often is to help victim organisations pick up the pieces and pay for much of the damage done, are growing increasingly tired of the operating environment and, in particular, of the never-ending flood of ransomware infections. In 2022, changes to how insurers assess risk and determine premiums and coverage could become a problem for some organisations.
So which organisations are most at risk, and why? It’s worth examining what is driving insurance companies to change their collective tune on cyber security protections and payouts.
First, too many organisations are being compromised. Nearly 500 reports were received by the Australian Cyber Security Centre last financial year, an average of more than one per day.
Second, these breaches are increasingly costly. IBM puts the average cost of an infection at US$4.62 million (A$6.45 million). This excludes any ransom payment, which is often an additional six- or seven-figure amount, and which – by some accounts – the majority of infected businesses wind up paying on the quiet.
Third, insurers don’t want to pick up the bill for this never-ending stream of compromises indefinitely.
In response, payout limits have halved in some cases, while premiums have skyrocketed; industry body the Council of Insurance Agents & Brokers (CIAB) saw cyber premiums rise 27.6% in the three months to September 30, on top of increases of 25.5%, 18% and 11.1% in the prior three quarters.
The types of attacks covered by cyber insurance policies may also become narrower: exclusions on cyber policies are being tested before the courts, and this could have ramifications for future cover.
It’s fair to say that organisations remain acutely aware of the financial and reputational risks associated with being successfully targeted. And with proposals on the table to make company directors personally liable for cyber security incidents, organisations want to do what they can to mitigate risk and remain under insurance cover.
Staying insurable
Two steps organisations can take to make themselves more insurable:
1. Keep pace with minimum qualifying standards
Insurers expect organisations seeking cover to be able to demonstrate a minimum standard of security and resiliency against an attack. That requirement has steadily increased over time. When insurers mandate strong baseline security protections, everyone wins, because it raises the bar that almost every organisation must meet. As a former White House administration said, “With widespread take-up of insurance, these requirements become de facto standards.”
CIAB notes that multi-factor authentication (MFA) on all enterprise accounts and proactive staff training are now considered a baseline standard by insurers. While not having MFA is unlikely to result in cover being refused, it is likely to affect the premium and excess associated with a policy. Being priced out of cover in today’s insurance market is a real possibility if security baselines are unmet.
2. Build to a stronger baseline
Some insurers are taking this concept further by incorporating elements of compliance-based security frameworks and standards, such as the ASD Essential Eight, NIST, or the Center for Internet Security (CIS) 18 Controls, into the tests they use to pre-qualify customers for cyber insurance policies.
This won’t be an issue for more forward-thinking organisations that already use these frameworks to guide their security activities. For organisations not already on this path, however, a cyber security review can be used to test your organisation against these standards. It can also be used to develop a strategic technology roadmap to bridge any gaps in capability or coverage that could have flow-on impacts for insurability.