Insurance News held a half-day cyber seminar in Sydney last Thursday, with more than 100 industry professionals attending.

Expert speakers provided insights on a host of important issues. Here are some of the highlights.

Consider a cyber pool 

Marsh head of cyber Gill Collins told the audience a catastrophic cyber event would be beyond the scope of reinsurers, and a government-backed cyber pool – similar to the terrorism pool – may be an answer. 

Lloyd’s of London estimates a single attack on a global payment system could cost the world economy $US3.5 trillion ($5.38 trillion), illustrating the scale of the risk and that cyber threats are “outpacing” traditional insurance, she said. 

This protection gap “urgently needs collective action from ... the public sector, with support from the insurance industry. 

“The risk becomes so great, or so unquantifiable or so uninsurable, that we need to think, ‘How best do we respond to it?’ 

“And that’s where maybe a public-private partnership could potentially sustain the market and the broader economy. There are limits to the amount of loss the insurance and the reinsurance industry can absorb.” 

A cyber pool is “an option, and I think we’ve got to look at all options”, she said. 

“I did want to raise the issue for discussion and really open up everyone’s mind to the fact that any kind of support we can get that goes beyond the traditional insurance industry – into reinsurance or into some other kind of bond or fidelity fund – would be valuable. 

“We hope some kind of insurance backstop can be explored to fill the gaps and to encourage more insurers to offer policies, and at reduced prices with better policy coverages, spurring greater take-up of cyber insurance and better cybersecurity practices. I really hope these discussions can take place in Australia.” 

Better risk models and knowledge-sharing partnerships will help insurers expand the scale and scope of their cyber protection, she said. 

“We all have a part to play in identifying areas where there might be limited insurability or non-insurability, and in making suggestions for public-private partnership to address these critical issues.” 

Ms Collins praised the national cybersecurity bill and other “fantastic initiatives”, but said the government “really needs to ... ramp this up and continue doing it at pace because of the urgency of what we’re talking about here. 

“Any solution ... needs to have efficient delivery mechanisms, and I think probably that is going to be done by leveraging the insurance industry’s actuarial, financial, administrative and distribution expertise so the government can be instrumental in filling that cyber protection gap.” 

Everyone needs a champion 

George Oosthuizen, senior security analyst at cyber expert Coalition, said every small business should have a “security champion” familiar with best practice and responsible for in-house training. 

“If somebody clicks a link on a phishing email, it’s usually because they’re not aware that they shouldn’t be doing that,” he said. “Awareness training covers that and could be a low cost, almost $2 per person per month.”  

Multi-factor authentication is free to implement and will “stop 95% of anybody taking up your data”, he said, with four-step authentication for devices now widely available. 

Head of special projects international Adam Robertson told the audience Coalition has no minimum premium and the smallest policy in force in Australia costs about $200. 

“We’ve got a bouncy castle operator in the UK that is less than £100 ($192) of premium, and we go all the way up to covering businesses up to $US2 billion ($3.07 billion) in turnover. I think we’re highly competitive in the space – probably one of the factors that’s allowed us to become the largest cyber insurer in North America,” he said. 

The long tail 

Taylor Fry principal Win-Li Toh told the audience high-profile breaches such as the Medibank hack “really put Australia on the map for cyberattackers”, and such significant incidents produce a long-tail insurance claim.

“The cost can go on for years. A spectrum of fines, penalties and other surprising costs can arise from a breach,” she said.

For Medibank, the first year cost $40-$50 million, and another $40 million is budgeted in the year to next June. It is also facing five legal actions that are not yet on the balance sheet.

“There’s more to come,” Ms Toh said. “A cyber incident is a long tail ... the kind of analysis you have to do stretches out years.”

See more on the seminar in the December/January edition of Insurance News magazine.