Cyber danger: clear, present and more menacing than ever
Not that many years ago cyber risk was viewed as no more than just a mid-tier peril, not something that would give business executives too much to worry about.
But that has all changed. In the latest Allianz Global Corporate and Specialty’s (AGCS) annual Risk Barometer survey, cyber incidents topped the rankings for the first time, rising from second place last year and up from 15th spot seven years ago.
Among Australian respondents, the threat is seen as the second biggest risk behind legislation and regulatory changes.
The turnaround illustrates a growing awareness of the risk, particularly after the NotPetya and WannaCry ransomware attacks in 2017. Many estimates put the ransomware losses suffered by affected businesses in the region of at least several hundred million dollars.
Most recently, last year Capital One Financial Corp, the third-largest US credit card lender, suffered one of the biggest data breaches yet, after the personal details of about 100 million of its American customers were compromised.
Capital One has a $US400 million ($595 million) cyber policy in place, with a $US10 million ($14.9 million) deductible, which should probably go some way in helping the business shoulder a portion of the losses caused by the data hack.
But not many businesses, including in Australia, can claim to be as well prepared, insurance-wise, as Capital One. This is especially the case for smaller companies. Many are yet to fully understand the damaging consequence of a ransomware attack or another of the plethora of possible malicious cyber incidents.
A recent Chubb survey on SME preparedness in Australia shows almost half of the respondents are not aware of their regulatory obligations under the Notifiable Data Breaches Scheme and only 27% have cyber insurance. Worryingly, just 40% think revenue or sales would suffer from a cyber incident.
“The cyber conversations have been happening for a while at the top end of the market,” Axa XL Head of Cyber Australia Max Broodryk told insuranceNEWS.com.au.
“Where it’s lacking is in the middle market and its small companies, where they are just not there yet. They know it’s an issue; they see it in the papers and they know they have got some exposure.
“What they don’t understand is how to measure and understand that exposure and what to invest to try to reduce that exposure. And a lot of the market still doesn’t understand what cyber insurance is because it means many things to different people.
“Cyber insurance needs to be explained because there are a lot of insurance clauses covering different things.”
Mr Broodryk says this is an opportunity for brokers to demonstrate the value-add they bring to the table.
They are in a unique position to explain to this segment of the market the importance of cyber insurance and how it can be tailored to meet the specific requirements of a business.
“They understand their clients, the industries they are in and what kind of insurance they buy,” he says. “They should be having this conversation with every one of their clients.”
Axa XL says ransomware attacks are increasingly the most menacing form of cyber danger facing the business community.
The perpetrators behind the ransomware attacks are becoming more sophisticated in their techniques, and at the same time trying to extort large amounts of money from victims.
“The biggest claims trend right now is very much driven by ransomware,” Axa XL London-based Head of Cyber and Technology James Tuplin told insuranceNEWS.com.au.
“With ransomware, they are not trying to steal the data. What they realise is that data is your lifeblood. Without it, you cannot operate and they realise you are willing to pay to get it back.”
Five years ago an extortion demand would be in the tens of thousands of dollars, according to the AGCS Risk Barometer. Today it would not be out of the ordinary to see victims being blackmailed for millions of dollars.
Axa XL says it has been stepping up its cyber offerings, such as providing intelligence reports to medium and large-sized clients.
“We try to advise them prior to buying a policy with us," Mr Tuplin said. “We will use our knowledge in this arena about your industry and who you are and what you do to advise you on what we believe the key threats are to your business.
“We will advise on what you should be considering in your cyber insurance needs. We are trying to use our information in the back end from what we see in claims to help inform clients.
“It’s definitely a partnership in trying to increase the knowledge across the board for everybody.”