With cyber crime becoming increasingly common, as exemplified by a series of recent high profile breaches, will cyber insurance help organisations manage this escalating risk? We unpack the key considerations.
Cyber crime is on the rise. According to the Australian Cyber Security Centre, the number of cyber crime reports it received between July 2021 and June 2022 increased by nearly 13% on the previous year. This equates to an astonishing rate of one cyber attack report every seven minutes.
The severity of cyber security incidents is also increasing. Most recently, there have been multiple well-reported large-scale cyber attacks on large organisations. There has been a commensurate increase in the impact on victims. Between July 2021 and June 2022, there was an increase in financial losses due to 'business email compromise' attacks, to more than $98 million in total. The average cost to large businesses per cyber crime report is now over $62,000, representing an average increase of 14 per cent since the previous year.
Businesses at all levels and across all industry sectors should consider cyber insurance as a possible avenue to manage the risk posed by cyber attacks. In this article, we address some of the key considerations for businesses exploring cyber cover or evaluating their existing cover.
What is covered by a cyber insurance policy?
Cyber coverage can be found as a standalone insurance product, or as a type of cover offered under a composite or combined insurance policy (policies covering a range of business risks such as management liability and professional indemnity).
Generally speaking, cover available under an insurance policy may be categorised as either 'first party' or 'third party' cover. First party cover relates to the losses experienced by the insured business itself. This may include recovery costs related to the loss of or damage to data, forensic investigation and remediation costs, the costs of engaging public relations advisors, lawyers and other professional service providers, costs related to cyber extortion, and loss of business income due to loss of clients, customers or contracts as a consequence of a cyber attack.
On the other hand, third party cover relates to losses encountered by third parties for which a claim is made against the insured business. Key examples of this cover are compensation to third parties (such as customers) for failure to protect data, and regulatory fines and penalties. Depending on the particular policy wording, class actions commenced against the insured business may be covered as part of the third party cover.
A cyber policy is likely to have a range of exclusions and conditions that are applicable to the policy.
What are some key considerations when obtaining a cyber insurance policy?
If your business is considering obtaining a cyber insurance policy, or is evaluating its existing cover, some important considerations to bear in mind are as follows:
- As a condition of writing cover, insurers are increasingly requiring businesses to provide evidence of their cyber security and risk management frameworks, which allows the insurer to assess the risk being underwritten in the cyber insurance policy. Insurers need to evaluate the likelihood of an attack on the business and the potential impact of that attack. As a result of this process, insurers may introduce compulsory risk mitigants for a business to secure cyber cover.
- The types of coverages available under a cyber insurance policy can vary from policy to policy. The particular policy must be carefully considered to determine what coverages are available and circumstances in which cover may be excluded. Gaps may exist between cover under a cyber policy and a non-cyber policy that has a cyber exclusion.
- The cover under a standalone cyber insurance policy may have broader coverages and higher limits of liability than that found under a composite business insurance policy.
- In Australia, historically there have been a limited number of insurers willing to provide broad form cyber cover. The insurers currently participating in the market are now limiting their capacity, charging increased premiums, or introducing co-insurance requirements, because cyber risk has a rapidly changing profile with high claims activity. We expect that, with the withdrawal of some insurers offering cyber insurance and a reduction in covers offered, there will be opportunities for other insurers to enter the market – but whether they are prepared to offer broad form coverages and high limits is currently unknown.
Will cyber insurance help organisations manage risk?
Obtaining a cyber insurance policy may help your business to manage the consequences of the risk posed by cyber attacks. It should be considered alongside other risk management practices, such as development and frequent reviews of cyber risk management strategies, controls and risk assessments. Whether a cyber insurance policy will provide your business with cover in the event of a cyber attack will depend on the nature of the cyber attack and the particular policy.