The battle to stay ahead of cyber criminals is being fought on many fronts

By Claire Heaney

Barely a day passes without a new sinister cyber security threat. Some are ingenious, some merely cunning. All can be ruinous to their victims.

From ASX-listed companies to small businesses facing crippling disruption, no one is safe from violations that ignore laws and geographical borders.

Jeff Gonlin, from specialist cyber security underwriting agency Emergence Insurance, warns that cyber threats are evolving exponentially and becoming more targeted and sophisticated.

“We now have generative AI language models, and organised crime will use them,” he said.

Mr Gonlin, who is the agency’s Head of Underwriting and Product Development says cybersecurity should not be “set and forget”.

“You’d be reluctant to locate a high-end jewellery store in a run-down slum. But with cyber everyone is just a click or two away. From a cybersecurity perspective, that means we all live in a bad neighbourhood. The threat is already asymmetric, and the cyber-crime industry keeps growing in size and sophistication.

“Just as there’s talk of a digital divide between countries, there’s a growing divide between companies that invest in cybersecurity and those that don’t.”

Governments, regulators and private companies are all working to prevent and manage malicious attacks by bad actors or accidental events.

The Insurance Council of Australia (ICA) has called for an improvement in public-private mechanisms for cyber threat sharing and enhancements to data sharing to increase understanding and coverage of cyber risk.

“Where the insurance industry can understand risk, it can engage with customers to mitigate and insure against that risk. While data sharing raises challenges around privacy and commercial-in-confidence requirements, the Insurance Council welcomes the opportunity to further engage with the Government on working through these,” it said in its submission to the 2023-2030 Cyber Security Strategy which closed in April.

For businesses, cyber resilience is a tenet of good corporate governance. In June, the Australian Prudential Regulation Authority (APRA) increased Medibank’s capital adequacy requirement to $250 million, reflecting weaknesses identified in the health fund’s information security in a major October 2022 breach. It is a warning to businesses to address gaps and weaknesses in controls.

In August, Aon’s Cyber Insurance Market Insights report found a drop in claims in 2022 following record years in 2019, 2020 and 2021.

Aon’s Australian data says frequency has dropped by 33% in 2022 for all claims and incidents or 39% if looking at claims in isolation.

“This downward trend aligns with global data including the Chubb Cyber Index reporting a 43% reduction in incidents from 2021 to 2022,” the broker says.

Emergence’s Mr Gonlin says it’s a shared responsibility, but cyber insurers also need to step up. “There’s a growing expectation that cyber insurers will do more to help insureds manage and reduce the risk.”

He says smart brokers partner with forward-looking companies to deliver added value.

“Cyber add-ons in package policies are better than nothing but, if they’re not giving a business the protection it needs. They’re not good value.”

While cost is cited as a barrier for take-up of cyber insurance, Marsh’s June quarterly Global Insurance Market Index points to a levelling-out.

“Cyber is also moderating with rate rises slowing sharply to 8% from 25% in the prior quarter. Insurers are providing more options for clients as competition heats up, but risk information remains important, particularly around an organisation’s ability to mitigate ransomware threats,” Marsh says.

Emergence’s Chief Operating Officer Colin Pausey says new capital has entered the market and many providers are now offering cyber insurance.

In its Federal Government submission, ICA says cyber insurance, like other insurance products, uses price signals and risk selection to encourage risk mitigation and minimise losses for policyholders.

“As part of the underwriting process insurers often examine an organisation’s cyber defences, identify vulnerabilities and provide guidance on how to strengthen cyber security.”

Aon warns the proposed reforms could increase the risk, complexity and cost of responding to cybersecurity incidents and data breaches, raising the average cost of cyber insurance claims.

It says organisations aligning their security measures to insurers’ expectations will benefit more rapidly from the improving market conditions, while those yet to meet insurers’ expectations will face challenges with insurance coverage.

The treatment of ransomware remains problematic for both insurers and the insured, with third-party contractors sometimes the gateway for hackers.

Aon suggests the number of businesses paying ransoms almost halved in the past two years, down from 70% in 2020 to 41% in 2022.

“As profitability diminished, threat actors became more ruthless with more re-extortion (double-dipping for a second ransom payment), higher ransom demands – the average ransom payment increased 58% in Quarter 4 2022 – and increased targeting of healthcare and software companies, as such industries are lucrative targets.”

Aon says healthcare has been increasingly targeted throughout 2022 with a spike in Q3 2022 reaching almost 20% of all incidents in Australia, and 10% of claims globally.

While they make headlines, Emergence says only a small number of claims involve reimbursement of a ransom payment.

“However, the cost of ransomware claims, even without paying a ransom, is significant. The objective is to have the business up and running as fast as possible. The keys are data restoration from back-ups and data security,” Mr Pausey says.

Anecdotal evidence suggests the incidence of ransom payments is greater than the figures reflected in Emergence’s claims data.

“In our more recent experience, ransom demands are generally only paid by a company and reimbursed by an insurer to save the company from collapse,” Mr Pausey says. “An example is when the ransomware has encrypted data and the company’s back-ups are ineffective. The solution is to pay the ransom, obtain the decryption keys and get the business running again. That’s most likely to occur with small businesses.”

Emergence says while ransomware attacks slowed in 2023, the frequency is now picking up.

Business email compromise is the largest claim type by volume and continues to account for a significant proportion of claims costs.

Marsh’s New Zealand based Cyber Speciality Head Jono Soo says how businesses react is important.

“Ransomware remains the king and queen of cyber-criminal tactics.

“If they can cripple your operations and exploit your critical data, they will find that pain point and try their very best to get an extortion payment out of you.”

The average downtime in 2022-23 was 22 days, according to Marsh.

Mr Soo says businesses need to be doing cyber-attack simulations in the same way they do fire drills that include robust and tested incident response plans.

Insurers engage legal, forensics and public relations experts in the earlier stages, which are specialist costs. The second phase will see digital forensic teams rebuilding the data from back-up.

If the stolen data has been sold on the dark web there are costs for credit and identity monitoring services. Legal cases and settlement costs could ensue.

Mr Soo says Australian and New Zealand businesses generally don’t pay ransoms and tend to be more combative, meaning they will often incur more costs due to disruption.

Marsh Head of Cyber Speciality Pacific Kelly Butler says that only 3% of Marsh claims were declined outright. She says disputes make headlines because they are the exception, but people who have had breaches and had an insurance settlement tend to keep it confidential.

“The reality is that most claims get paid,” she said. “There are various examples of insurer good faith in 2022.”

She says there has been proactive collaboration between insureds and insurers, as insurers understand the importance of mitigating business interruption in a timely manner.

Emergence’s Mr Gonlin says personal cyber insurance is a new frontier. The underwriting agency recently launched a group personal cyber product that employers can provide as an employee benefit.

The policy, the Australian market’s first, will provide cover of up to $20,000 per employee for cyber events including hacking, ransomware, malware, cyber espionage, and denial of service attacks.

The cover costs less than $1 per week per employee with no excess for the employer.

ICA has called for a simplification of reporting. “In line with the Insurance Council’s call for a simplified regulatory regime, the Government should implement a single reporting portal for cyber incidents.

“Notifying and communicating with multiple government entities, including re-supplying the same information, after a cyber incident take resources away from responding to the incident.”

Hicksons Lawyers Partner Persia Navidi says a single reporting portal for cyber incidents would streamline the process.

“Mandatory reporting should include instances of ransomware. That data would be invaluable for the government in assessing trends and the overall threat landscape. The debate remains as to whether ransomware payments should be prohibited by law,” she says.

“The decision to pay the ransom is not black and white; that decision should rest with the victim of a cyber-attack, until such time as there is more clarity on policy.”

She says cyber resilience is a team effort.

“All relevant stakeholders need to collaborate to achieve the best outcome on cybersecurity.”

Tackling the cyber challenge

The Federal Government is developing the 2023-2030 Cyber Security Strategy to build resilience to cyber threats and address the consequences of cyber incidents. Submissions closed in April.

Australia chairs the International Counter Ransomware Task Force, which is part of the US-led Counter Ransomware Initiative. The Australian Federal Police and Australian Signals Directorate work to disrupt and offensively attack groups behind ransomware incidents.

In April 2022, the Security of Critical Infrastructure Act 2018 was amended to enhance the cyber security obligations framework for Australia’s most critical infrastructure assets. The amendments expand the Act’s reach, including mandatory cyber incident reporting obligations within certain timeframes and development of a risk management program.

And that is just the tip of the iceberg.