‘Uninsurable’ businesses face a boom in cyber attacks

A swathe of Australian businesses could soon be uninsurable for cyber security risks, as the insurance sector grapples with companies with a low security posture combined with soaring ransomware payouts and reinsurance costs.

The risk spotlight comes as a result of the Australian Prudential Regulation Authority (APRA) now requiring Australian insurers to review their cyber risk profile and reconsider whether insurers are themselves underplaying risk.

For businesses, this can mean that if they are unable to demonstrate that they have plans in place to mitigate a cyber threat before it occurs, insurers are likely to be more hesitant to offer coverage and may even charge higher premiums.

As they say, the best defence is a good offence. Contrary to complacent belief, having cyber insurance is not a ‘get out of jail free’ card, and it is essential that business directors invest in shielding their information assets against an attack. Software is only one aspect of managing cyber security risk. In addition to technology, organisations need to have the right policies, processes, training and governance in place to protect themselves against cyber attack.

Cyber security is a growing risk, and many businesses identify cyber insurance as something that might help — but a lack of understanding around specific coverage can be problematic. Businesses may recognise a gap in their security but don’t know how wide that gap really is, and see cyber security insurance as a way of plugging that hole.

However, when it comes to data loss, data theft, ransomware, malicious activity or even cyber terrorism, it is paramount that businesses are aware of exclusions in the fine print and limits on their insurance liability. The last thing a business needs is to find out only after an attack that it is not properly insured.

The standard approach of insurers in pre-assessing risk — sending companies questionnaires about their security posture to understand their threats, likelihood of an incident occurring and potential business impact — presents difficulties when considering cyber security.

Because this is an area that is evolving quickly, many businesses lack the information to answer the questions accurately, not intentionally but simply due to a lack of knowledge. This can present hurdles when later making a claim.

In response to the increase in ransomware payouts, there’s a growing trend by insurers to increase premiums and cap cyber security limits. In Australia, premiums rose 20% in 2020.

What’s more, Australian Directors may soon be at increased personal risk, with the Department of Home Affairs considering changes that could make company directors personally liable for business cyber attacks, similar to APRA and their CPS 234 regulation for the financial services industry.

In addition, a new Ransomware Payments bill proposes changes that could make disclosure of ransomware attacks mandatory. The proposed changes would require organisations to report the attack, whether they paid the ransom and to whom.

In summary, Directors need to understand the exposure of their companies and satisfy themselves that both the organisation and they themselves are adequately protected. They also need to ensure that the insurance protection they have in place is the right policy for their situation and is going to cover both losses and remediation in the case of a claim.

To learn more about cyber security and assess your business risk, contact your Pitcher Partners specialist.

This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners nor its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.