
Beyond the floods

Tough times: WTW’s Benjamin Di Marco says the cyber market won’t start to improve until next year are better understood.

That threat – and the more hardball underwriting attitude – is reflected in the severely hardened cyber insurance market, where cover is much harder to obtain than a year ago. The limit offer has halved to $5 million while insurers are “charging more than what they were charging for $10 million,” Mr Di Marco says.


The “low-hanging fruit” of improving cyber hygiene – effortless and simple measures with low investment and a high return – are implementing a password manager, a virtual private network (VPN) to control access to data (especially for remote workers), and securing the cloud with authorisation.

That is the advice of password manager NordPass, which found a fifth of passwords are the company name or a close variation. Its security expert Chad Hammond says it will take more than just window dressing as insurers drill down to determine whether a business is a good candidate for cyber insurance, as the average cost of a data breach hits $US4.24 million and rising.

“Cyber insurers can act as partners in the cybersecurity journey and help you understand where your most significant vulnerabilities are and how to reduce or eliminate them,” Mr Hammond says.

Marsh, in a recent report, says the influx of cyber claims has allowed underwriters to identify a correlation between certain controls and corresponding cyber incidents, while at the same time the growth in attritional losses means insurers are now taking a much more cautious position.

“Insurers are tightening their underwriting terms, carefully analysing all cyber insurance applications, and asking more questions than ever before about an applicant’s cyber operating environment and risk controls,” it says.

Adoption of certain controls has now become a minimum requirement of insurers, with “potential insurability on the line” for those seeking cover.

Marsh recommends 12 control steps: Multifactor authentication for remote access and privileged or administrator access; Email filtering and web security; Secured, encrypted, and tested backups; Privileged access management; Endpoint detection and response; Patch and vulnerability management; Incident response plans; Cybersecurity awareness training and phishing testing; Remote desktop protocol mitigation; Logging and monitoring; Replacement or protection of end-of-life systems; and Digital supply chain cyber risk management.

Though these have been established best practice for several years, Marsh says companies are still struggling to adopt them, with effort “often more about checking a box, than enhancing security”.

Insurers are not the only ones taking action on cyber vulnerability. APRA has undertaken pilot cyber defence testing, with specialists “actively probing” for gaps at insurers and banks, using tools and techniques employed by criminals.

And the Federal Court recently ruled RI Advice, now part of Insignia, breached the Corporations Act with inadequate cyber security measures – the first Australian Financial Services licensee to be so prosecuted.

The Insurance Council of Australia (ICA) has said the insurance industry can help lift cyber security practices, motivated by reduced claims and losses and possibly offering greater cover and/or lower premiums as a reward.

“There should be a ‘push factor’ from the insurance industry to raise standards and drive best practices,” it says. “The industry is well placed to drive the adoption of reputable cyber security standards or frameworks.”

ICA recommends insurers should collectively agree on a set of minimum-security requirements as part of risk assessments for SMEs.

A recent turning point, Mr Di Marco says, is a growing understanding of the time it takes for businesses to recover from a cyber attack, something he says was historically misunderstood. Business interruption (BI) may last months if significant parts of a data asset inventory are compromised and backups are not viable, and executives face the cost of getting licences back and trying to recreate data assets, which is generally much more challenging than bargained for.

“That is just a fundamentally different profile,” he said. “You can’t manage invoice, customer relationships, keep projects going. So we see the tail of the BI being much longer and much uglier and much more difficult than many organisations have historically allowed for or properly contemplated.

“There are a number of pain points that I think are going to be happening in the next five years in this space,” he said.
