Australia’s evolving business conversation about cyber insurance

28 February 2023 Consultancy.com.au

It took a series of attacks, and a handful of legal cases, for Australian businesses to re-evaluate their cyber insurance policies and explore ways to improve their cover while lowering their premiums. Scott Hesford, a Director at BeyondTrust, walks through Australia’s evolving business conversation about cyber insurance.

An increase in high-profile cyberattacks and data breaches in Australia, and specifically the variable cost of remediation and recovery, has naturally led to a broader discussion on cyber insurance. It’s a conversation that’s overdue; less than a year ago, the Insurance Council of Australia still characterised cyber insurance awareness as being “low within the Australian business community”.

That lack of awareness plays out in the type of cover businesses hold: it is less common to find businesses with cyber-specific cover.

Scott Hesford, Director Solutions Engineering APAC, BeyondTrust

According to the Insurance Council, currently in Australia only about 20% of SMEs and 35% to 70% of larger businesses have standalone cyber insurance. More often than not, businesses rely on more general insurance policies to also cover cyber incidents – a phenomenon known as ‘silent cyber’ – although the ability to make claims under such policies is often limited, and is now even more constrained.

Businesses in this situation may face increased pressure – from executives, boards or outside influences like regulators – to buy more specific cyber insurance products that offer a higher level of insurance against the risks associated with using the internet, as well as with storing and electronically processing data.

These products may include Data Breach Insurance, which covers the costs of leakage of confidential information, or a Ransomware Supplemental Addendum that is coverage specific to the circumstances of ransomware attacks.

However, access to this type of coverage depends on a few things: its availability, its affordability, and the ability of businesses to meet a growing list of prerequisites to prove they take security seriously and are an insurable risk.

On the issue of availability, as the Insurance Council notes, Australian businesses have traditionally had access to only a small number of providers able or willing to offer specific cyber insurance products.

On affordability, costs were already high, but the number of attacks in the past year means premiums have only gone up. It’s now more challenging and expensive to get a cyber insurance policy than before. In general, small businesses can expect to pay anywhere from a few hundred dollars to a few thousand dollars per year for a basic cyber insurance policy, while larger companies may pay tens of thousands of dollars or more.

On their ability to demonstrate insurability, businesses must meet an increasingly long list of requirements to demonstrate preparedness. This may include drawing up an enterprise risk management policy and implementing appropriate systems, controls and protections.

Cyber insurers consider organisations with poor security practices as an unwanted, and potentially dangerous, liability to their business model. For a business wanting standalone cybersecurity insurance, having strong cyber defences improves the chance of qualifying for coverage, as well as obtaining the best rates.

While there is no direct relationship between infosec controls and premium savings like a safe driver credit on car insurance, a judicious enterprise risk management strategy shows the business understands its risks and the risks of its customers.

This is the challenge that is currently garnering substantial interest from Australian businesses as they canvass the cyber insurance market for stronger cover.

Showing cyber maturity

While cyber insurance is an important instrument for managing risk, organisations must still focus on ensuring they are effectively and responsibly managing cyber risk. This entails implementing the right security controls and employee cyber awareness training.

There are five key controls that all businesses should strive to implement and demonstrate maturity in: multifactor authentication for email, remote network access, and privileged/admin access; backups that are encrypted and kept out of reach of ransomware; Endpoint Detection and Response; employee awareness training; and a cyber incident response plan (that has been tested).

Going beyond these baseline controls, the most insurable businesses are those that have a 24/7 security operations centre (whether in-house or third-party), have total control over their privileged accounts and service accounts, can show a proper patching cadence, and have no unnecessary open ports exposed to the internet.

Two sets of technologies can assist here.

First, threat intelligence systems can be used to detect threat indicators and early signs of attacks. Businesses are increasingly using modern systems built on machine learning and artificial intelligence to expand the breadth of their monitoring capabilities in this area.

In addition, Privileged Access Management (PAM) solutions can be used to control, monitor, and audit all privileged access. Cyber insurers recognise that PAM controls are foundational security in every organisation, prevent many cyberattacks outright, and significantly minimise the damage of any potential breach. They are also one of the most effective defences against insider threats.

The must-have capabilities of a PAM solution include least privilege enforcement, privileged account and credential management, and remote access security – all of which are common criteria for cyber insurance approval.