Brought to you by:

Hard cyber terms 'exactly match' new threat landscape: CFC

The cost of securing cyber insurance won’t be fixed by new entrants and more capacity, cyber specialist CFC says, as recent tougher terms are a truer reflection of the real risk exposure.

Cyber is not so much a hard market as an insurance product that is finding its correct level, CFC’s UK-based cyber development leader Lindsey Nelson tells insuranceNEWS.com.au.

"We think it's been actually more of a market correction rather than a hard market,” she says during a visit to Melbourne.

"A hard market insinuates that it's cyclical like other insurance products, and goes in waves … but we think the price has been exactly matching the new threat landscape and what the new cyber exposures are.”

While past cyber attacks on Australian businesses were modest, “today is a really good day if we see a ransomware event handled under $1 million,” she says. The recent huge data breach at Optus is a "perfect example” of the knock-on systemic effect on reliant businesses as a consequence of “somebody else's breach”.

"It’s not the fact that Optus themselves have had an incident. It's that hundreds of thousands of Australian businesses have relied on them,” she said. "That's really what the market correction has been pricing for now.

“We do think that we've reached a point of market stabilisation – it does feel like we're out of the storm and a lot of that remediation work has been done to match the new threat landscape.”

Cyber is a company's biggest exposure now, she says, yet small businesses commonly object that they are too small to be a target, or have outsourced their liability to somebody else and it's not their risk or concern.

“A lot of the times they're often the unintended target of it. So they are in fact getting hit. They're outsourcing to people who are the targets of threat actors and are getting caught in the crosshairs of that.”

She says CFC is one of the largest writers of cyber in Australia and it’s “a fallacy that people think that cyber claims don't happen outside of the US”.

"Our experience is actually quite different,” she said, adding businesses here are falling victim to cyber attackers "because they're vulnerable rather than them being valuable” due to a lack of adoption of the “most basic” security controls.

"We see that much more in Australia, almost disproportionately so, than we do the rest of the world,” she said. “It's quite easy just using a few free websites to know about some of these vulnerabilities from the outside without even going into their networks.”

CFC says proactive prevention is vital and these efforts have finally stepped up. CFC’s product includes building a team of experts internally, backed by monitoring of digital assets, with continuous scanning throughout the policy term to find potential vulnerabilities or compromises, relying on threat intelligence.

CFC also works with the Australian Government and private agencies to source threat intelligence and feed back to clients.

“It's a very new concept in the Australian market,” Ms Nelson said. "We can actually stop a cyber attack from happening in the first place, rather than reacting … in the context of creating a much more sustainable market for cyber insurance.”

With the establishment of CFC’s Security Division, there are now more CFC security professionals than underwriters, she says.

"It's quite telling that we've evolved as a company to become a fully-fledged security and response company upfront, and then that's bolstered by cyber insurance policies should the worst happen.

"That's been a huge differentiator for us in the market, the fact that it's an inhouse team. We have over 130 security individuals sitting around on the world on various time zones … to proactively monitor clients to stop the cyber attacks, but they're also there to pick up the pieces should the worst happen after the fact.

"It's very much the evolution of the product. We do think that the rest of the market will have to follow suit in order to keep coverage as broad as it is at the price point that it is today.”

CFC’s proactive cyber offer is also available to uninsured firms.

"We're very proud and the local Australian team can only expect to grow in the next few years,” Ms Nelson said.