Cyber insurance – key issues for insurers

With greater connectivity in every part of our lives – at work, home and socially – our devices and IT systems have never seemed more exposed. What is the role of cyber insurance in mitigating these risks, how has it evolved and where is it headed? While cyber insurance premiums have grown significantly in the past decade, it’s still a small class of business compared to more traditional liability coverages, with only a few insurers currently offering it in Australia. Despite take-up remaining low, especially among small-to-medium enterprises (SMEs), the market continues to grow, as cyber attacks gain in frequency and sophistication. Astute insurers will be exploring the many new ideas in underwriting and pricing to tackle their challenges now and in the future.

What is cyber insurance?

First things first – cyber insurance is an insurance product that protects businesses from financial risks relating to cyber incidents. Policies will usually cover:

• First party losses – These are losses suffered directly by the insured business
• Third party losses – These are costs incurred by the insured relating to a cyber event experienced by another party but where fault lies with the insured.

Cyber insurance is usually defined as a liability product and is often sold as an extension to an existing standard business liability product.

Cyber losses can also arise from traditional liability policies such as D&O if these policies do not explicitly exclude cyber risks. This is known as silent cyber or non-affirmative cyber cover. As cyber risks evolve over time, however, more insurers are clarifying cyber risk as a separate product and then excluding this risk from their standard liability policies. This means policyholders who require cyber cover need to explicitly take out a policy to cover this risk.

A brief history

Where did it all start? Insurance policies for cyber insurance were first developed in the late 1990s. Initially policies provided predominantly third-party cover for companies that provided IT services used by other businesses. As technology advanced and became integral for more companies, cyber insurance expanded, and insurers began offering first-party coverage to any company using technology.

The cyber insurance scene today

The growth in cyber policies has resulted in a range of coverage and exclusions in the products offered. Standard coverages for cyber policies, as distinct from more traditional liability coverages, include:

• Business interruption costs
• Network security costs
• Costs arising from theft or fraud
• Forensic investigation costs
• Costs related to data loss and restoration
• Extortion costs
• Costs associated with any information privacy penalties.

A changing landscape

Another point that differentiates cyber insurance from other classes is that the underlying risks the policies cover are rapidly changing over time. As technology becomes more powerful and essential for all organisations, this provides greater opportunities for cyber criminals.

One example is the increase in targeted ransomware attacks. Attackers using ransomware would previously target anyone they could trick into having a malicious payload delivered to install the ransomware. This was generally home users they would extort for a few hundred dollars to regain access to personal files and photos.

Go phish – a worrying trend

Now attackers are specifically targeting individual firms and blackmailing them for at least tens of thousands of dollars at a time. These attacks start with reconnaissance and then breaking into the company’s network, predominantly using targeted phishing attacks (otherwise known as spear-phishing). They then exfiltrate data from the company, downloading it to a remote location and encrypting as many files as possible using a scrambling algorithm – and only they have the key to it. They then demand a large sum of money to decrypt the file to restore network and system operations.

As well as an increase in the number of cyber threats, the cost associated with data breaches is also increasing. The average cost of a data breach for Australian organisations was estimated to be $3.35 million in 2020. This was an increase of almost 10 per cent from the previous year. This increase in risk and costs means cyber insurance is becoming more of a necessity for organisations.

Australia’s increasing regulatory focus

In Australia, the focus on cyber risks and cyber insurance is increasing. On the regulatory front, the Australian Prudential Regulation Authority (APRA) introduced Prudential Standard CPS 234 in 2019. This standard requires that APRA-regulated entities “take measures to be resilient against information security incidents” and inform APRA of any material information security breaches.

Under the standard, regulated entities must maintain an information security capability commensurate with the size and extent of threats to information systems to ensure continued operation. The standard does not mandate entities to hold cyber insurance.

Sharp eye on data collection

APRA is also currently consulting with insurers on extending its insurance data collection to separately collect premium and claims information for cyber insurance. Currently, cyber cover is included under the public liability class. The increase in cyber policies and limited availability of data for this class has been cited as the reason for the proposed change.

This increase in focus is not just limited to the financial services. In November 2020, the Australian Government announced that a cyber security cabinet role will be created. This move has been in response to an increase in attempted cyber attacks during 2020. Several of these attacks have been on critical infrastructure providers. Many high-profile cyber attacks also occurred last year in Australia, including:

• Toll Group, which had two separate ransomware attacks in January and April.
• Regis Healthcare, which had sensitive data stolen in a ransomware attack in August.
• Australian Defence Force recruiting system, which was taken offline for 10 days in February to contain a security breach.
• Levitas Capital, which had its email system compromised by a bogus Zoom invitation. This resulted in $8.7 million in fraudulent invoices being paid. While this money was recovered, Levitas was forced to close its business due to clients withdrawing their funds as a consequence of the attack.

Serious breaches ring in 2021

Most recently, the new year had barely dawned when the Reserve Bank of New Zealand disclosed on 11 January it had suffered a serious data breach of its file-sharing service provided by California-based data protection firm Accellion.

About two weeks later, Australian Securities and Investment Commission (ASIC) reported a cyber security breach, which had occurred on 15 January. The national corporate regulator said one of its servers used for transferring information, including credit licence applications, had been illegally accessed through the Accellion software.

These incidents highlight how a weakness in a single piece of software can result in cyber events for several different companies.

Varied corporate view of cyber insurance

From an insurance perspective, cyber insurance take-up has been limited, particularly in the SME market. The Chubb 2019 Cyber Preparedness Report found only 27 per cent of Australian SMEs have cyber insurance. Some reasons for this low take-up by SMEs may be due to the belief that their existing liability insurance will cover any cyber risks, or a view that cyber risk is a relatively low risk.

For larger corporates, cyber security is a key focus. As businesses have become more reliant on their IT systems with the increase in people working from home due to the COVID-19 restrictions, this has increased focus on the risks.

Challenges in pricing for cyber

Traditional insurance products such as motor, property and liability are generally priced by analysing past claims data against various rating factors. This analysis then allows insurers to estimate the expected future costs for their customers based on their declared rating factors, and this is used to set premiums. It’s an approach requiring a large amount of past claims and rating factor data. It also assumes the underlying risk associated with the product is not changing significantly over time.

For cyber insurance, there is a limited amount of past data, given it’s a relatively new product, and the underlying risk is rapidly changing over time as technology advances. Cyber is different from other insurance products in that the risks transcend geographical borders, highlighting an urgent need for global solutions. Insurers are also generally protective of the exact approach they use for pricing, which adds an extra challenge.

Some transparency in America

In the United States, however, pricing structures are more transparent, and insurers are required to file policy details with state regulators. These filings include policy details and rating structures used to determine premiums. A 2019 study analysed these filings for cyber insurance policies in New York, Pennsylvania and California. This study found there were three main rating structures:

• Flat rates – This is the same rate for all policies, or flat rates based on a small set of hazard groups. These rating structures tend to be used for policies offered to smaller companies.
• Base rates with multipliers based on rating factors – This is a standard insurance rating structure used for other classes of insurance. The base rate is usually calculated as a function of the size of the insured (for example, based on revenue, assets or number of employees). The rating factors reflect the industry the insured is operating in, and may include retention limits and risk ratings.
• Base rates with security questions – This is a more advanced version of the rating factor approach, where the rating factors reflect the cyber security measures the insured has in place. Under this rating structure, a company with more advanced cyber security would pay a lower premium than a company with less advanced cyber security measures, if all other features for the two companies were the same.

Are these approaches sufficient to keep pace with evolving cyber risks? While they go some way to addressing current issues, it’s clear the industry needs to be agile if it’s to keep pace with the evolving cyber environment and looking at what might be next in adequately assessing risk.

Australia’s increase in cyber crime

In its latest cyber threat report, the Australian Cyber Security Centre (ACSC) has noted that “malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale and sophistication”. The report notes that “Australia’s relative wealth, high levels of online connectivity and increasing delivery of services through online channels make it very attractive and profitable for cybercrime adversaries”. Over the year to 30 June 2020, the ACSC responded to 2,266 cyber incidents, and also noted an increase in spear-phishing campaigns during the COVID-19 pandemic.

The need to evolve

This increasing underlying risk suggests traditional insurance pricing techniques also need to evolve to accommodate cyber insurance, so that insurers continue to adequately price the risks and that insured parties understand their specific vulnerabilities and what they can do to reduce their risk of being victims of cyber crime.

Traditional insurance pricing and underwriting techniques are based on an annual review of an insured’s risk. Individual adjustments for the insured’s risk are often based on an underwriter’s knowledge of the insured, combined with the recent claims experience for the insured. The speed at which risks change for cyber perils means it’s important insured entities understand what controls they need to implement to reduce the risk and also what actions they could take to mitigate the risks if an attack occurred.

Assessing risk – the new ways forward

Recently, insurers have begun using scanning tools to assess the individual vulnerability for each insured entity. Companies such as UpGuard, BitSight and Security Scorecard provide scores that measure a company’s cyber security posture based on automated tests of the company’s online systems. These tools formulate a score based on system vulnerabilities, reputation risk, phishing and malware, email security and network security. As well as providing a measure of overall risk, the tools can also provide feedback on areas an insured company can address to improve its cyber resilience.

In New Zealand, IAG recently launched a cyber security tool for SMEs, which has been developed in partnership with UpGuard. Brokers such as Willis Towers Watson and global network TechAssure are also developing similar services designed to assist companies to assess their cyber risks.

Other tools insurers could use in their pricing and underwriting of cyber insurance include:

• Dark web scans – These can be used to look for any mentions of the insured company that may indicate it’s a potential target, has been previously compromised or suffered a data breach.
• Penetration testing – This is similar to the scanning tools mentioned above, but more intensive and targeted. The insurer’s security analysis team attacks the insured company’s systems to exploit vulnerabilities and effectively assess the strength of their security.
• Managed service partnerships – By partnering with security service providers, the insurer could provide outsourced security management and monitoring services bundled into the policy.

Proactive insurers for the win

Cyber insurance is a rapidly evolving class of business, in terms of the underlying risks and the information available to insurers for pricing and underwriting. Forward-thinking insurers will be looking to supplement their traditional approaches with this new information. The standard bearers in this market will be the proactive insurers able to also provide advice to their customers on weaknesses in their cyber security, and respond dynamically, by way of improved terms or prices, to actions taken by their customers to mitigate these vulnerabilities.