Inaction not an option, says Green Paper in the aftermath of Australia’s massive Optus data breach

The Australian Actuaries Institute has issued a detailed report urging government, businesses, and insurers to collaboratively address significant insurance gaps in protection against cyber attacks that have already cost the Australian economy billions of dollars.

In its Green Paper, ‘Cyber Risk and the Role of Insurance,’ the Actuaries Institute analysed the vulnerability of organisations, from SMEs to large corporates, and the role of cyber insurance in setting best practice standards for cyber resilience as part of a robust risk management framework.

“For cyber insurance to influence best practice in a major way, there are several gaps that need to be addressed by government, business and insurers,” said the report’s lead author Win-Li Toh, a principal at analytics and actuarial consultancy Taylor Fry.

“Adding to these challenges are escalating cyber losses that have reduced insurer appetite for this class, significant shortage of capacity to provide the levels of protection needed across the market, and premium hikes in the double/triple digits over the past two years,” she said.

Actuaries Institute President Annette King said the Green Paper identifies pathways for key stakeholders in the Australian economy to prevent further significant damage from cyber attacks.

“Sitting back and doing nothing shouldn’t be an option when cyber attacks cost the Australian economy $33 billion last financial year,” King says, noting the Green Paper’s recommendations including scenario planning and a joint approach towards training and skills development.

“The issues may be complex, yet it is clear that protection is vital for economic resilience given the headline-making losses we too often read about here and around the world.”

Small firms at risk

Just 20 per cent of Australian SMEs have cyber insurance compared with 35 per cent to 70 per cent for larger organisations, notes the report. And yet in 2021, 75 per cent of ransomware attacks were on companies with fewer than 1,000 people.

In addressing these issues, Toh said: “importantly, good cyber hygiene and security – not insurance – are the first line of defence.”

She noted government entities are a long way off baseline standards of cyber security and many businesses are also behind in their resilience against rapidly shifting risks.

“A vibrant cyber insurance market will do more than provide financial recompense for risks that break through the first line of defence. It can also strengthen that first line, by offering clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best-practice standards,” she said.

On a global basis, Toh said cyber risk is growing at unprecedented levels, with ransomware attacks more than tripling in two years.

“The accessibility of Ransomware as a Service (malware products), combined with the development of crypto currencies enabling untraceable payments has super-charged the growth of cyber attacks.

“This has brought more organisations of different types and sizes under the widening net of cyber criminals to the point where it is now clear that no firm is immune. This is why a vibrant and resilient risk management framework and infrastructure for cyber risk is crucial, of which insurance is one part,” she said.

Coping with risk accumulations

The Green Paper also notes that, with no geographical boundaries, a computer virus can spread quickly around the world and result in many companies making a claim under their cyber insurance policy.

“This is the accumulation risk challenge for an insurer – the potential for a single event to trigger losses across business lines and global borders,” said Toh.

Another issue is the difficulty in defining acts of cyber war (or terrorism) that are excluded from insurance policies, with Lloyd’s recently giving directions to underwriters towards excluding liability for losses arising from any state-backed cyber attack.

Toh said, “finding the right balance between guidance, education, mitigation, cover and regulation, will be central in creating a robust risk management framework for cyber risk and cyber insurance.”

The Insurance Council of Australia (ICA) welcomed the report. According to Andrew Hall, CEO Insurance Council of Australia: “This week’s extraordinary cyberattack on Optus and its customers demonstrates how important it is for large and small organisations to have robust cyber protections in place.

“This chilling example reminds us that more needs to be done to protect businesses and organisations from cyber-attacks. Working in partnership with government, insurers have a key role to play to help businesses protect themselves and recover from cyberattacks.

“The Actuaries Institute provides yet another opportunity to discuss how industry and government can work in partnership to tackle this significant challenge.”