Brought to you by:

Optus, Medibank ‘a big wake-up call’: Honan

Recent high profile cyberattacks have kickstarted insureds into gear, Honan says, promoting better cyber risk management practices and C-suite awareness – with insurers already rewarding this improved behaviour at renewal time.

Honan Placement Manager Ben Robinson tells insuranceNEWS.com.au that after a period of insurers declining to provide quotes to those without appropriate controls, Australia’s executives are listening and taking action, spurred by recent cyberattacks at megabrands Optus and Medibank.

“It's certainly the product most spoken about at the moment,” Mr Robinson said. “In particular after the two high profile attacks, you're seeing more attention being paid to cyber liability discussions.

“It has kickstarted conversations and it's certainly encouraging us as brokers to have constructive conversations with our clients that have been received well. Medibank and Optus were just the unlucky ones that got targeted first. It is a big wake up call for Australia to not be the third.”

Honan says Australia’s business are increasingly aware that to secure insurance at attractive rates, they must adopt measures known as the “essential eight”: application control, patching of applications, configuring macro settings, user application hardening, restricted administrative privileges, patch operating systems, multi-factor authentication and regular backups.

That is a base level that corporate Australia should be working toward “quickly,” and a good guide Honan recommends to mid-market clients.

“Affordable and effective cover is actually achievable in this market however more pressure is being put on clients to meet minimum risk management standards,” Mr Robinson said. “There is availability to be able to get a cost-effective cyber liability insurance program if you’re best in class.

“It's quite simple – change and more capital expenditure is required in those businesses that have yet to mark cyber risk as the number one risk in their organisation, particularly those that hold sensitive data.”

Clients are focusing their attention more than ever on cybersecurity practice, he says, giving insurers “comfort”.

"Therefore, they're rewarded with more capacity opening up,” he said. “As the wider marketplace plays catch up and continues to practice healthy cyber hygiene regularly, at Honan we're certainly seeing and expecting rates to stabilise. Best in class will be rewarded with more market interest.

“We actually have started to see that with our renewals, which is a big positive for those clients – actually seeing that the investment made internally is now being reflected in those premiums.”

Businesses without adequate minimum cyber risk management controls find “pricing is not going to be in their favour, nor is capacity,” Mr Robinson says, and face “ugly” deductibles meaning it is “probably not a viable option for them to purchase”. Honan engages clients with market updates and insurer expectations well ahead of renewals.

“We certainly work with our clients well in advance to make sure they're in a geared position to be able to make that decision without being backed into a corner where it's too expensive for cyber insurance and they're not prepared, from a balance sheet perspective, to self insure those items.

“That's a really tricky area for brokers to be navigating at the moment and something we think we do quite well”.

He says even those that do elect to self insure will miss out on access to Incident Response services provided under an insurance policy, and may not account for things like lost revenue, share price falls and loss of consumer trust.

“I'd say cyber insurance is one that is really hard to predict what a claim quantum will look like. You've got all those lingering hangover type effects, not just the initial incident, that you've got to look to self insure. It can create a claim hangover effect for months, not to mention the brand reputational damage and longer term associated costs.

"Hence people would probably prefer to take cyber insurance because they don't know enough about it, and it changes often – that landscape of risk.”

Mr Robinson says there is more variation in cyber policy wording than in other insurance products and says cyber is “one that just needs a lot of time spent on it”.

“It is forever changing and a really tricky area for clients to be able to navigate and understand what they're actually covered for, particularly given they're paying big premiums.”

Macquarie analysts recently estimated gross written premiums for cyber insurance in Australia more than doubled since 2020 to $480 million this year, and will reach $815 million in 2024. It says around two thirds of ASX200 companies have purchased cyber insurance and described data as “the new coal – once the greatest asset on the balance sheet, now the greatest contingent liability”.