It’s complicated and loaded with limits, but experts say cyber cover will become as common as car or home insurance

By Miranda Maxwell

Medibank Chief Financial Officer Mark Rogers recently played around the edges of describing cyber insurance as junk cover as he explained why the private health insurer had opted out of arranging a policy.

Speaking after the personal data of millions of customers was stolen by cybercriminals – costing Medibank an estimated $35 million and unquantifiable reputational harm – Mr Rogers questioned “the actual ability to make a claim” under a cyber policy.

He said there were limits on the amount of exposure insurers were willing to accept, on top of significant jumps in premiums over recent years.

“I wouldn’t expect that the majority of costs would have even been covered,” he said.

That an insurer valued at $8 billion couldn’t secure cyber cover it deemed appropriate or valuable sounds like a damning indictment of the state of the insurance market.

Yet it comes in stark contrast to optimism – even bullishness – from insurance industry sources closer to the issue than Mr Rogers.

Take as an example a report from Global Insurance Law Connect (GILC), a diverse global network of insurance law specialists that includes Sparke Helmore in Australia and Duncan Cotterill in New Zealand.

It says cyber insurance has the potential to become “as globally ubiquitous as car and home insurance,” with long-term growth assured.

GILC concedes that right now cyber insurance is expensive and sometimes provides limited coverage, particularly outside Europe and North America. It describes Australia’s cyber insurance market as “immature”.

The upshot appears to be that this very new insurance product is still searching for viability in the face of constantly changing risk levels that, at their worst, have the potential to seriously affect masses of connected entities all at once.

S&P Global Ratings says premium rises and wariness among cyber underwriters are “justified by the systemic risk” from interconnected digital services and infrastructure.

Swiss Re’s Head Cyber Reinsurance John Coletti concurs, saying a single cyber attack could “potentially affect the entire portfolio of an insurer”.

Sydney-based cyber industry association CISO Lens, the peak body for cyber security executives from large organisations in Australia and New Zealand, says cyber insurers face the significant problem of “trying to ameliorate the risks, and associated costs, of a wicked problem which has no solution”.

Cyber catastrophes are a new phenomenon, and the modelling necessary to accurately predict losses doesn’t yet exist, with insurers missing the necessary tools and data to design competent insurance plans.

Ratings agency Fitch says the standalone cyber loss ratio last year was 65%, down from 72% a year earlier.

Frequency now equates to a cyber attack every seven minutes in Australia. In a clear sign once-enthusiastic insurers have struggled to price correctly, cyber premiums, deductibles, obligations, exclusions, and the number of underwriters in a policy are all on the rise.

The enormity of the problem is resulting in the evolution of a unique product in which traditional cover is sold, but with insurers and brokers also playing the roles of educator and enforcer of cyber mitigation efforts. In a telling example, UK cyber specialist CFC now has a dedicated security division – and more security professionals than underwriters.

Medibank refused a $15 million ransom demand to prevent sensitive medical details of customers being published on a Dark Web site backed by Russian ransomware gang REvil. Weeks earlier, millions of Optus customers experienced the theft of their email and street addresses, birth dates and licence or passport numbers.

This has truly rammed home the gaping cybercrime risk to every Australian. A government “standing operation” to disrupt cybercrime syndicates has since been announced, and data breach penalties of at least $50 million are also in the works.

Melbourne-based Sparke Helmore Cyber Insurance Leader Jehan Mata says she has observed “some active realisation in the Australian community regarding cyber risks which is evident by legislative changes being undertaken”.

She calculates that 16 insurers in Australia offer cyber insurance, but more policies are being underwritten internationally, particularly in London.

Australian providers have either reduced their cyber coverage limits, substantially lifted premiums or removed themselves from the market entirely. Only a fifth of small businesses are estimated by Sparke Helmore to have adequate cyber cover.

The additional caveats and sophisticated pricing are a policy “review and reset” that is likely to see capacity constraints soon ease, and product innovation shared globally. Ms Mata says cyber insurance will become more mainstream with the continuing uptake of digital communication.

“This puts the likelihood of cyber insurance becoming as easily accessible and sought after as professional indemnity cover and more akin to fire cover.”

Despite the comments by Medibank’s Mr Rogers on the futility of having cyber cover, Ms Mata points to “integral value-adds” in cyber policies, including cover for breach response, legal fees and investigations and first-party losses.

Many of these policies offer a crisis management process with 24/7 assistance. A “breach coach” permanently on call can gauge and triage the nature of an attack and marshal forensic teams, loss assessors and public relations experts.

They will assess if any notification requirements are triggered, the options for recovery, and manage time-sensitive responses.

Insurers will inevitably increase their focus on facilitating behavioural change among customers, while Sparke Helmore says it assists with the pre-breach advisory phase, because having lawyers on board brings real-time experience “if and when” a breach occurs.

“Cyber does overarch various industries and areas,” Ms Mata says. “It is not limited to insurance and hence there has to be a real synergy between organisations and insurers to have a strategy when developing cyber resilience.”

Ratings agency Moody’s predicts cyber insurance market conditions will “tentatively improve” over the coming year as better returns attract more providers. Premium increases will moderate, though cyber insurance demand continues to outweigh supply, it says.

Moody’s says insurers are cautious about their exposure to systemic cyber risk, narrowing coverage and making underwriting standards stricter.

Globally, the average loss ratio for standalone cyber insurance – including direct costs for defence and cost containment – deteriorated to 73% at the end of 2020, prompting some triple-digit price increases last year.

Beazley, one of the largest global cyber insurers, reported a January-June cyber loss ratio of 49%, down from 69% at the end of last year.

“As profitability returns, more competition will enter the market, which will ease cyber capacity constraints and help stabilise prices,” Moody’s says.

“Nevertheless, insurers will likely remain highly cautious on pricing given the constantly evolving cyber threats.”

Marsh McLennan has also reported a moderation in the pricing of cyber, though New York-based Group President and Chief Operations Officer John Doyle says despite higher retentions and lower limits, “the cyber market is not near maturity”.

He says this indicates change – and growth – ahead.

“It’s been a difficult market. We’re still working to bring more capital to the market and better solutions to the marketplace. The cyber insurance market should be an area of growth for us for some time.”

Ms Mata predicts cyber attacks will be more prolific and sophisticated in the future, and as technology advances and more platforms become mainstream there is likely to be a shift to individual cyber insurance “like current home and content policies”.

“I believe there will be more policy options available, but the list of exclusions will also grow, which will look to shift the risk to the insured…to ensure that it has done its own due diligence.”

Lloyd’s recently mandated that managing agents exclude state-backed cyber attacks and war from standalone cyber policies, and CISO Lens argues that for now, cyber insurance should be viewed purely as a risk management mechanism of last resort during a “company-ending” event.

“If the worst risks a company can face cannot be insured against, it challenges the relevance of cyber insurance,” it says.

Even so, the association says insurance is still worth having as a backstop, and the “right answer is likely to be a complex combination of multiple factors,” with avoidance the first priority.

“The hard truth is that being able to make an insurance claim is a pyrrhic victory,” CISO Lens says.

It tells companies the “most pragmatic path forward in this market is to view cyber insurance as a safety net of last resort”.

“Lift your own deductibles as high as practical in order to minimise premiums, and then only seek to make a claim against your cyber policy in the event of a company-ending incident.

“Pay as little as you can, and plan to use it only once,” CISO Lens says.