The breach of 16 million data records in a single month in Australia has put corporate decision making about the use of cyber insurance under increased scrutiny. Cyber events can be devastating to an organisation: share trading halts, loss of consumer confidence and regulatory scrutiny, all on top of the extremely expensive, often chaotic and time-consuming process of managing the event itself.
Consequently, company directors should be actively considering how to mitigate the financial impact of such incidents in order to protect both data subjects and shareholders.
Cyber insurance can be a very effective risk mitigation option for organisations facing cyber-attacks such as those that have recently occurred in Australia. A company's ability to clearly demonstrate its reasons for procuring a cyber insurance policy, or for not doing so, as part of its wider cyber risk management strategy, is of critical importance.
This will no doubt become a key focus for regulators, shareholders and customers as the fallout from the recent cyber incidents continues.
While a decision to purchase insurance is something that all organisations need to carefully consider, the recent events make it worthwhile examining the current cyber insurance marketplace, and what an organisation may expect. Some recent reports have incorrectly stated that cyber insurance is ‘not worth the paper it is written on’, so now is, in my opinion, an appropriate time to set the record straight.
There is little evidence that cyber insurers have been declining cyber claims; in fact, we are seeing the exact opposite. For example, Beazley, a global cyber insurance leader, recently announced that its loss ratio had returned to below 100%. A loss ratio above 100% means that an insurer is paying out more in claims than it collects in premiums, so until recently Beazley was doing exactly that, which illustrates that a substantial volume of claims are actually being paid. Many other cyber insurers are likely to have had a similar experience.
While every cyber incident differs in its details, there are some core coverage options that are commonly offered (subject to any specific exclusions), such as cover for ransomware events, data exfiltration events and extortion demands where such events impact the insured's computer systems or data.
There is ample evidence of non-cyber insurers declining cyber claims under other lines of cover, such as property policies. This is often misreported as if it concerned 'affirmative' cyber policies (dedicated stand-alone network security and privacy liability policies), but declines under affirmative cyber policies are rare. For organisations that can demonstrate a clear cyber security posture and roadmap, coverage is stabilising and even expanding. On the whole, most organisations that can show a focus on security will find coverage that addresses the majority of their cyber risks.
While it is true that cyber insurance premiums have undergone a major correction in the last 24 months, driven by the significant deterioration in claims experience described above, data across our global and local portfolios show very clearly that premium increases are now decelerating, with our average increase currently running at around 20% year on year.
Ultimately, as with all risk-based decisions, organisations need to weigh the cost of this insurance against the benefit it provides in hedging the balance sheet and shareholder equity against the associated downside risks.
Organisations will need to continue to focus on cyber risk culture at an enterprise level. This must involve all stakeholders within the business, such as risk, governance and security, and include detailed quantification exercises mapped against specific scenario analysis, as well as mitigation, of which insurance is an important component.
Ultimately, organisations must move away from a budget-driven insurance decision process to one led by risk management, in which information security management systems are acknowledged as critical business-enabling tools. The assets at risk affect the whole organisation, its customers and its stakeholders, so everyone must be involved in understanding the risks, not just the security and IT teams.
Finally, the litigation and regulatory environment in Australia is robust, but to date there has been little action in response to cyber security events, whether class actions, regulatory fines and penalties, or privacy liability suits.
It is anticipated that the recent security events will be the catalyst for more legal action by data subjects, customers and shareholders. Accordingly, it will become increasingly critical that corporate directors adopt more robust decision-making to mitigate cyber risk within organisations in Australia.
Where organisations lack appropriate insurance programs, or have failed to give them effective consideration, we will no doubt see increasing customer and shareholder class actions, which are likely to have dramatic, and justified, consequences across boardrooms in Australia.
https://www.insurancetimes.co.uk/news/abi-calls-for-cyber-breach-data-to-be-publicly-available-as-claims-payout-rates-hit-99/1431105.article
https://news.bloomberglaw.com/privacy-and-data-security/mercks-1-4-billion-insurance-win-splits-cyber-from-act-of-war
https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/
https://www.insurancebusinessmag.com/au/news/cyber/federal-court-rules-on-chubbs-ransomware-dispute-416202.aspx