A long way to go before the cyber gap is closed

Australia remains acutely exposed to cyber attack, and a string of measures – including consideration of a reinsurance pool – are required to shore up defences, risk experts say.

The Federal Government is consulting on the nation’s 2020 Cyber Security Strategy, and risk modeller Risk Frontiers has published its response, stressing the importance of insurance but highlighting how far government and industry still have to go.

The global cyber insurance market is estimated at between $US4 billion and $US5 billion, with the US accounting for more than 80%, and Australia just 2%.

Risk Frontiers urges significant work on data collection and sharing, the regulatory framework, insurance policies and premiums, and education and awareness.

GM Ryan Springall told insuranceNEWS.com.au the need for action is urgent, as Australia is an attractive target and its defences are down.

“Australia has been quite lucky so far – we haven’t had a cyber attack on the scale of those overseas,” he said. “But it will happen.”

Risk Frontiers’ submission explains that to accurately price risk, insurers require a “robust quantitative understanding” of the frequency and severity of events.

“In the case of cyber risk, this understanding is currently lacking,” the submission says.

“Overcoming this deficiency will require strong and pragmatic leadership from the government to ensure a cyber-risk resilient Australian economy.”

The establishment of the Notifiable Data Breach Scheme is “a positive step”, but “more information on breach frequency and severity needs to be shared with the insurance industry”.

The submission also urges collaboration between academia and the industry to better understand and model cyber risk.

The Government must develop “a compelling regulatory framework”, Risk Frontiers says, and promote cyber risk management with particular emphasis on cyber insurance.

It should also work with insurers to assist in the attribution of attacks and consider establishing a cyber reinsurance pool.

“A cyber reinsurance pool is one form of funding that the Government should explore to improve confidence in the cyber insurance market, increase the resilience of the economy and community to cyber attacks and, more generally, as a signal to build market confidence,” it says.

It points out that in the UK, terrorism scheme Pool Re was last year extended to cover cyber terrorism.

But while Australian Reinsurance Pool Corporation (ARPC) CEO Chris Wallace has previously said cyber terrorism is a “real gap” in insurance coverage, the last Treasury review snubbed suggestions to expand the scheme.

Risk Frontiers says traditional commercial insurance policies are increasingly excluding cyber risk, with insurers “looking to provide explicit policies that are accompanied by robust risk management processes”.

“This means that cyber insurance is emerging as a stand-alone coverage and insurance companies with ‘silent cyber’ built into their products are exploring ways to isolate that component.”

Current cyber policies typically cover direct costs associated with a post-breach response. But less tangible losses such as reputational damage are usually excluded.

Attribution of an attack can be hard to confirm, and policy terms drive a “lack of certainty” around claims.

“Since cyber insurance products are still young compared to property & casualty insurance, the policy terms are constantly being tested in court and usually contain explicit exclusion clauses for cases such as ‘act of war’,” Risk Frontiers says.

Another barrier to the growth of cyber cover in Australia is that it “is not well understood” within the insurance industry.

“Brokers and underwriters lack the training and tools to quantify this emerging risk efficiently as the tools for assessing cyber risk (and hence pricing and policy construction) are different from traditional property and casualty insurance.

“In fact, current approaches to assessing cyber security risk rely heavily on manual assessments that greatly impede the scalability and application to small and medium enterprises.

“Unlike other mature risks such as those arising from natural catastrophes, cyber security risk is extremely hard to quantify due to its dynamic nature, the scale, the lack of physical boundaries upon which accumulations are analysed and the aggregate expertise required to produce a good model of the risk.

“This gap in cyber risk modelling has a major impact on pricing where premium prices become unsound or unaffordable for SMEs.”
