Insurance giant Aon says it has brokered more cyber insurance policies to Australian organisations already in 2016 than it did in the whole of 2015, as increasingly high-profile incidents including this month’s online census failure spur businesses to think about protection.
The company’s cyber global practice leader Kevin Kalinich said his firm claimed oversight of a quarter of the Australian cyber insurance market, and business had picked up notably this year.
He said it had grown from writing just five policies in 2013, when the insurance category first emerged in Australia, to 440 last year. However, so far this year 750 cyber risk policies and $5.25 million in premiums have already crossed its books.
But Mr Kalinich said that only one in 10 major Australian businesses had cyber insurance coverage compared to 70 per cent of big businesses in the US. Fergus Brooks, Aon’s practice leader for cyber risk in Australia, said that overall only one in 50 local organisations had any form of cyber insurance.
He predicted a 10-fold increase in premiums written in the next three to four years, driven by the prospect of mandated data breach notification, and spurred by the ABS’ census debacle.
“We couldn’t have had better marketing than that,” Mr Brooks said. He said he had a slew of meetings since the ABS failure, characterised by: “Much more resolve that they need to move forward and do this quickly”.
The government’s proposal, announced earlier this year, that the nation’s 100 largest listed entities be required to have a cyber security health check will also keep the issue on the agenda.
Potential impact of breaches
While governments, and hence the ABS, tend to be self-insured, Mr Kalinich said private sector organisations needed to explore the “financial statement impacts” of a potential breach.
Mr Kalinich, who will be presenting at Aon’s cyber security events being held around Australia this week, said that at some point, “There is diminishing value from additional investment in cyber security and greater marginal protection from insurance”.
Rob McMillan, a Gartner Research director who is presenting at the analyst’s own security and risk management summit in Sydney this week, acknowledged there was a trade-off between securing systems and ensuring they could be used.
“You could throw vast amounts of money at security and make it so secure it becomes unusable,” he said.
Instead, companies needed to balance protection and defence with detection and response, with insurance falling into the latter category.
Mr Kalinich said the financial impacts of a breach included being sued, lost revenues through business interruption, the cost of investigation and remediation – all of which could be covered by cyber risk insurance – and damage to brand and reputation.
“Brand damage from these events remains very hard to measure and insurance has not worked out how to cover that yet,” he said.
IBRS analyst James Turner, meanwhile, said that Australia’s early adopters of cyber insurance had a fine-grained understanding of the risks they were facing, and had used that to negotiate the insurance protection they wanted.
However, he said in some cases it had taken two years to negotiate appropriate coverage.
Mr Kalinich said underwriters had improved their ability to assess and price cyber risk in recent years, particularly in the mid-market, but his colleague Mr Brooks acknowledged that companies needed to carefully assess what they were offered.
“Some policies out there are absolute rubbish and not matched to the needs of the customer,” he said.
Mr Turner also warned that it was dangerous for an organisation to believe that buying insurance meant offloading its responsibility to properly secure its systems and networks.
Insurance companies would not “roll over” on every claim, he said, but would carefully assess the cyber hygiene in any company that made a claim to ensure a breach wasn’t the result of negligence.
“You’ve got to read the fine print,” he said.
Source: Australian Financial Review 2016