Plan of attack: industry outlines cyber strategy
The signs have been there for a while that cyber insurance is heading for trouble.
Increasingly it is seen as a crucial product for businesses in the digital age, as ransomware attacks spiral and global stability unravels.
But for those same reasons insurers are becoming more cautious about offering the cover, with terms tightening and premiums rocketing.
Today, the Insurance Council of Australia (ICA) warns we could be one major event away from cyber insurance becoming “financially unviable”.
In a detailed discussion paper, Cyber Insurance: Protecting our way of life in a digital world, ICA outlines a series of steps to help create a sustainable market.
Here we highlight some of the key topics and recommendations.
Acts of war
State-sponsored cyber-attacks that stop short of outright military conflict pose “a particular challenge” for insurers, the report says.
“Traditional policy exclusions for war or war-like incidents might fail to capture situations where nation states are suspected of being behind an attack, or providing a safe harbour for the hackers, especially if the motives for the attack are unclear.
“Such issues of attribution and characterisation create significant contractual uncertainty for insurers, which has only added to the recent tightening in cyber insurance market conditions.”
Recommendation: The Government should continue to consider expanding the current Terrorism Risk Insurance Pool to include extreme cyber incidents “to ensure the viability of a private market for cyber insurance and boost economic resilience”.
The industry should consider encouraging insurers to review current policy wording regarding acts of war and consider developing model wording to ensure cyber incidents are excluded where intended.
Data analysis
The report points out that using data to predict cyber risk is difficult, because cyber-crime is evolving rapidly and current data is incomplete.
Current reporting requirements rely on “subjective judgement regarding materiality and specific criteria”, so do not provide the full picture of the number and nature of cyber-attacks that insurers need.
Recommendation: Further work is required to increase the sharing of data around cyber incidents, both from industry to government and from government to industry.
Accumulation
The impact of an “accumulation event” is of underlying concern to many insurers, the paper says.
“A major cyber event or a smaller series of connected successive attacks could render cyber insurance financially unviable.
“Unlike for other events such as cyclones or floods, catastrophe modelling by government and industry to estimate the losses that could be sustained due to a catastrophic cyber event in Australia is not well developed.”
Without such modelling, insurers could underestimate exposure, leading to “substantial negative financial impacts”.
Recommendation: Industry to collaborate with Government and relevant agencies to facilitate and create incentives for the development of cyber risk modelling.
Ransomware
The insurance market has evolved to cover ransomware, which continues to grow as a cyber security threat.
But the report makes clear this coverage includes more than just indemnification of ransoms paid.
“In many cases, the ransom payment, if it is paid by the victim, may only be a minor part of the total loss that could be covered by insurers.”
ICA accepts that the reimbursement of ransoms paid, and proposals to ban such responses, “are vexed public policy issues”. But it says “the arguments put forward for banning indemnification under policies are weak”.
If indemnity were prohibited, criminals would simply use another measure to quantify ransom demands, it says, such as cash in the bank, or maximum overdraft.
The paper refers to the Government’s recent Ransomware Action Plan, which states that it does not condone ransom payments, but has not banned them, “instead looking at mandatory reporting, increasing capability and providing direct assistance as measured policy approaches”.
Recommendation: The Government to incentivise cyber victims to disclose ransomware events and seek affirmative assistance from law enforcement and reduce disincentives, such as punitive measures, which discourage disclosure.
Minimum industry underwriting standards
The paper says the insurance industry can help lift cyber security practices – based on the assumption that insurers are motivated to reduce claims and losses.
“This means that, in theory, there should be a ‘push factor’ from the insurance industry to raise standards and drive best practices,” it says.
“For example, the industry is well placed to drive the adoption of reputable cyber security standards or frameworks.”
Insurers could reward better standards with greater cover and/or lower premiums providing an incentive for organisations to improve standards.
Recommendation: Insurers should collectively agree on a set of minimum-security requirements as part of risk assessments for SMEs.
Click here to read the full report.