Australia's cyber insurance market 'immature'

Report proposes 'self-funding' insurance model for export industries

The local cyber insurance offering is underdeveloped and reduced underwriting appetite and tougher terms has left most Australian businesses underinsured or not covered at all, industry law firms say.

A new report from Global Insurance Law Connect (GILC) says 16 insurers currently offer cyber cover in Australia, and more policies are being underwritten in London.

While increased demand has led to growth of capacity in the global market, the severity of cyber attacks means insurers are becoming warier about the risks they are willing to insure.

Melbourne-based Sparke Helmore Cyber Insurance Leader Jehan Mata says the appetite of Australian insurers is decreasing due to significant losses stemming from increasing cyber-attacks and ransomware payouts.

Many have either reduced cyber coverage limits, substantially increased premiums or have “removed themselves from the market entirely”. As a result, only 20% of small businesses currently have adequate cyber insurance coverage.

“The Australian cyber insurance market is relatively immature,” she said. “The majority of Australian businesses are underinsured or without cover.”

The report comes after a data breach last month exposed millions of Optus customers to identity theft.

During the last few years there has been a record rise in catastrophic cyber attack losses, dominated by ransomware. The number of state-sponsored cyber-attacks is also escalating, and all this places at risk the “integrity, availability and confidentiality of the information we digitally capture, analyse and exchange,” GILC says.

In the US, S&P calculates the average direct loss ratio for standalone cyber insurance was 42% for 2015-2019, rising to 65% last year on the tougher underwriting terms.

See also  Report highlights rising cyber threats in Australia and New Zealand for 2023

GILC expects insurers to include more caveats relating to supply chain attacks and silent cyber in policies going forward, and Ms Mata says cover providers need to be mindful of what is and isn’t covered in the wording of polices.

“If insurers wish to ensure that government-sponsored cyber-attacks are not covered, then the exclusion clause wording needs to be updated to reflect the risk that is included and also what is excluded.”

She also warns it’s not always possible to prove the relationship between cyber criminals and their government sponsor when relying on an exclusion.

Insurers will in future adopt more sophisticated pricing techniques and have an increased focus on educating policyholders, GILC says, though “this is likely to be outpaced by the increasing sophistication of cyber-attacks”.

As networks grow and organisations become more reliant on IT systems, it will become increasingly difficult to protect and defend individuals and organisations from cyber risks, Ms Mata says.

“Cyber criminals will continue to capitalise on people’s fatigue and lack of focus. The cyber risks associated with the metaverse – which is unregulated – are yet to be addressed and privacy issues associated with a virtual world are likely to have a substantial impact on the cyber landscape,” she said.

The report says cyber insurance has potential to become “as globally ubiquitous as car and home insurance,” but cyber catastrophes are a new phenomenon and the modelling necessary to accurately predict losses does not yet exist, and the scope of coverage is not yet comprehensive and detailed enough to cover all practical losses in many markets.

See also  WTW, university team up on volcanic eruption risks

“Insurers are missing indispensable tools to design competent insurance plans, such as actionable risk assessment, applicable risk monitoring tools, and plainly, more practical data,” Buren Partner Jan Holthuis, who is based in China, said.

The policy “review and reset” already undertaken by many insurers, plus market growth, suggests capacity constraints should soon ease though, and product innovation is likely to be shared globally.

“The future may be that cyber insurance will be more akin to public liability and/or professional indemnity insurance,” the report said. “We can be certain that cyber insurance is a market that has the potential to become as globally ubiquitous as car and home insurance.”