Insight

Moving at the speed of light – Cyber insurance in 2022

Lived experience in 2022 has shown cyber insurance is increasingly relevant for all organisations.  While all organisations remain a target, those that handle large amounts of personal and sensitive information must be acutely aware of the value such information holds to nefarious actors.  With the inherently fast-moving nature of cyberspace, insurers have been busy amending coverage and exclusions and moving to stricter underwriting standards.

A reminder: typical design and coverage

Cyber insurance offers both ‘first party loss’ and ‘third party liability’ coverage.  Further, given the strict regulatory reporting requirements (and notification periods) associated with cyber breaches, cyber claims are typically brought and settled in the same policy year.  This contributes to a dynamic insurance market which reacts quickly to trends.

First party coverage

First party coverage responds to direct out-of-pocket costs arising as a result of a covered event (typically a defined term involving the word ‘breach’).  These generally relate to:

  • containing and mitigating losses
  • restoring systems
  • recovering/replacing data
  • extortion
  • remediation of affected persons; and
  • regulatory losses and statutory penalties.

Coverage can extend to other losses, like transfer fraud and business interruption losses.

Extortion coverage remains particularly controversial.  Philosophical debate (and potential regulatory change) aside, it is a typical feature of cyber insurance coverage.  An important condition of this coverage (as of other insurance contracts) is that the insured obtain the insurer’s consent before making the payment.  Seeking that consent can raise further issues, such as the insurer becoming complicit in a breach of law (e.g. anti-money laundering laws, breach of which is a typical exclusion).  The insured can be left in a precarious position: choosing between making a payment for which it is nominally covered, and potentially breaching the policy.

Third party coverage

Third party, or cyber liability, coverage responds to claims by third parties for damages arising out of a covered event.  Often, the third party has itself incurred costs because the insured suffered a cyber breach (for example, a customer or supplier whose own systems or data were affected), and then seeks to recover those costs from the insured.

Such coverage operates like other liability cover – on a ‘claims made’ basis and subject to the same principles and conditions.

Trends and developments

The elephant in the room: the renewed impetus for cyber insurance

Two of the largest cyber-attacks in Australian history dominated headlines in 2022: one for its scale, the other for the nature of the information released.  However, it is not just the headline-grabbing attacks.  The Australian Cyber Security Centre received over 76,000 cybercrime reports in 2021/22, an increase of 13% on the previous financial year (an identical increase was recorded in the preceding period). [1]  Lloyd’s estimates that global economic losses due to cybercrime will rise to US$10.5 trillion by 2025. [2]

In an increasingly digital world, these figures reflect a worrying trend: cyber-attacks are occurring more often and with greater severity.  There can also be large spill-over effects on downstream organisations that depend on the victim, who suffer the consequences of ‘someone else’s breach’.  As a result, cyber-attacks generate enormous potential liability for a victim organisation, including: (1) statutory penalties; (2) customer class actions; (3) direct losses; and (4) third party losses.

In response, the Commonwealth amended the Privacy Act 1988 in December 2022 to increase penalties for privacy breaches.  Previously, penalties for serious or repeated privacy breaches were set at $2.22 million.  Today, penalties are the greater of: (1) $50 million; (2) three times the value of any benefit obtained through misuse of information; or (3) 30% of an organisation’s turnover in the relevant period.

For a prudent organisation, the need for cyber insurance has never been greater.  However, this is weighed against the difficulties in obtaining this insurance.

Premiums and underwriting

Naturally, insurers are alive to the precarious cyber threat landscape.  As with all insurance, increased risk comes bundled with reduced coverage and greater premiums. 

Global insurance broker Marsh has said that the cost of cyber insurance doubled each year over 2019-2022, and that in 2022 cyber premiums increased by 80%. [3]  Given the scale of potential liability in cyberspace, cyber insurance has not yet reached the point of being too expensive to be worthwhile.  That said, it has become more prohibitive for smaller organisations, which often already feel they are ‘not valuable’ enough to be the target of an attack. [4]  This is a fallacy: organisations tend to be targeted because they are vulnerable (an exposed service, an unpatched system, a reused credential), not because they are valuable.  Only 20% of SMEs currently hold cyber insurance, compared to up to 70% of larger organisations, [5] while the average cost of a data breach is estimated at A$2.9 million. [6]

Increased premiums are not the end of the story.  Risk mitigation is a cornerstone of insurance, and one of the key means by which insurers are managing cyber risk is tightened underwriting.  Organisations with lacklustre cybersecurity measures will simply not be offered insurance or, if they already hold cyber insurance, may be denied cover for a claim if they are found to lack the cybersecurity measures they warranted at inception.  Increasingly, insurers require minimum cybersecurity precautions as a condition of cover.  These tend to include: [7]

  • compliance with common cybersecurity standards, such as the Center for Internet Security’s CIS Controls (the ‘CIS 18’), the ACSC ‘Essential Eight’, the NIST Cybersecurity Framework and APRA Prudential Standard CPS 234; [8]
  • engaging external technical and legal experts (typically with insurer approval);
  • regularly reviewing preventative measures, and engaging in simulated attack testing; and
  • robust corporate governance, including regular assessment of the organisation’s systems and data.

State-backed exclusions [9]

One significant development in cyber insurance last year was a standard exclusion for state-backed cyber-attacks.  Effective March 2023, Lloyd’s of London requires its market to apply a standard exclusion for losses arising from any ‘state backed cyber-attack’.  This builds on Lloyd’s 2020 action to exclude cyber losses from traditional insurance policies (such as property and liability policies), so that cyber risk is covered, if at all, only under a dedicated cyber policy.

State-backed cyberattacks are now typical in, and outside of, warfare.  Russian attacks against the Ukrainian banking sector are an example of the former, while the 2020 attacks against a range of public and private Australian entities from a ‘sophisticated state-based actor’ are an example of the latter. 

The exclusion will face serious challenges in practice.  Fundamentally, the insurer bears the onus of proving that an exclusion applies, and attributing a cyber-attack to a state is difficult.  Public attribution is also rare in the high-stakes game of international diplomacy: the Australian government has publicly attributed cyber activities to another state on only eight occasions. [10]  Even setting diplomacy aside, technical attribution is hard.  Ordinary cyber-attacks are rarely traced to their source, and state-backed attacks tend to be more sophisticated and better at hiding it.

Reference

IBM Security, Cost of a Data Breach Report 2022, p 10. URL: https://www.ibm.com/downloads/cas/3R8N1DZJ#:~:text=Average%20total%20cost%20of%20a,million%20in%20the%202020%20report.

Australia’s International Cyber and Critical Technology Engagement Strategy, 2021, p 44. URL: https://apo.org.au/sites/default/files/resource-files/2021-04/apo-nid311927.pdf
