A swathe of Australian businesses could soon be uninsurable for cyber security risks, as the insurance sector grapples with companies with a low security posture combined with soaring ransomware payouts and reinsurance costs.
The risk spotlight comes as a result of the Australian Prudential Regulation Authority (APRA) now requiring Australian insurers to review their cyber risk profile and reconsider whether they are themselves underplaying risk.
What this can mean for businesses is that if they are unable to demonstrate they have plans in place to mitigate a cyber threat before it occurs, insurers are likely to be more hesitant in offering coverage and may also charge higher premiums.
As they say, the best defence is a good offense. Contrary to complacent belief, having cyber insurance is not a ‘get out of jail free’ card, and it is essential that business directors invest in shielding their information assets against an attack. Software is only one aspect of managing cyber security risk. In addition to technology, organisations need to have the right policies, processes, training and governance in place to protect themselves against cyber attack.
Cyber security is a growing risk, and many businesses identify cyber insurance as something that might help — but a lack of understanding around specific coverage can be problematic. Businesses may recognise a gap in their security but don’t know how wide that gap really is, and see cyber security insurance as a way of plugging that hole.
However when it comes to data loss, data theft, ransomware, malicious activity or even cyber terrorism, it is paramount that businesses are aware of exclusions in the fine print and limits on their insurance liability. The last thing a business needs is to find out they are not properly insured until after an attack.
The standard approach of insurers in pre-assessing risk — sending companies questionnaires about their security posture to understand their threats, the likelihood of an incident occurring and the potential business impact — presents difficulties when it comes to cyber security.
Because the area is evolving quickly, many businesses lack the information to answer the questions accurately, not intentionally but simply due to a lack of knowledge. Inaccurate answers can present hurdles when later making a claim.
What’s more, Australian directors may soon be at increased personal risk, with the Department of Home Affairs considering changes that could make company directors personally liable for business cyber attacks, similar to APRA’s CPS 234 regulation for the financial services industry.
In addition, a new Ransomware Payments bill proposes changes that could make disclosure of ransomware attacks mandatory. The proposed changes would require organisations to report the attack, whether they paid the ransom, and to whom.
In summary, directors need to understand the exposure of their companies and satisfy themselves that both the organisation and they themselves are adequately protected. They also need to ensure that the insurance protection they have in place is the right policy for their situation and will cover both losses and remediation in the case of a claim.
To learn more about cyber security and assess your business risk, contact your Pitcher Partners specialist.