Cyber Risk and the Role of Insurance: Where Are We At?

Nine months after the publication of the Actuaries Institute’s Cyber Risk and the Role of Insurance Report, Win-Li Toh updated the profession at ICA2023 on key developments in the world of cyber.

In September 2022, the Actuaries Institute released a Report authored by actuaries Win-Li Toh and Ross Simmonds and technology expert Michael Neary titled Cyber Risk and the Role of Insurance. The release of the Report happened to coincide with one of the largest data breaches in Australia’s history: 10 million Optus customers – about 40% of the Australian population – had personal data stolen.

The next month, Medibank experienced a breach that was dubbed the most invasive in Australia’s history, and in March 2023, financial services company Latitude experienced a data breach of about 14 million individuals.

It’s safe to say Toh wasn’t short on material for her update to the profession at ICA2023, “Cyber Risk and the Role of Insurance: Where Are We At?”

What does the data say?

Toh revealed that the statistics indicated it wasn’t just the big end of town that had experienced an uptick in cyber incidents. In addition to the headline-making major breaches, there was:

Corporate Australia’s reaction

In Toh’s words, the last six months or so were a “watershed moment for Australian businesses and organisations”.

A survey from global cyber security group Netskope showed that 80% of Australian organisations with 200+ employees are looking to increase their cyber security spend for the year, and more than three-quarters of respondents said their leadership’s awareness of cyber threats had increased.

Additionally, cyber security rose up the ranks of top issues of concern for board members.

Cyber insurance industry update

Toh also outlined three major updates to the cyber insurance industry since the publication of the Report:

  • Increased market focus on the impact of state-backed cyber attacks: Lloyd’s market bulletin requiring all standalone cyber policies to include, at the inception or on renewal of each policy, a suitable exclusion clause excluding liability for losses arising from state-backed cyber attack came into effect on 31 March. Toh noted this provision is yet to be tested in the courts.
  • Discussion in the market about the potential impact of banning cyber ransom payments: In light of the Commonwealth Government’s announcement that it was considering making the payment of ransoms illegal, the Insurance Council of Australia urged the government to let the decision of whether or not to pay remain in the hands of business, so it could be made in the best interests of the company and its
  • There have been initial signs of a softening market for cyber insurance: In contrast to the previous couple of years, premiums are expected to stabilise, policy limits are set to rise, and insurers are now open to discussions about broadening coverage to non-standard


Win-Li participating in the Q&A panel portion of her presentation.

Multiple regulators respond

Unsurprisingly, policy-makers and regulators responded to the changed cyber insurance landscape:

  • The Australian Prudential Regulation Authority (APRA) listed its first supervision priority for 2023 as “heightened supervision on cyber resilience through detailed assessments and rigorous pursuit of breaches”.
  • The Australian Securities and Investments Commission (ASIC) announced it would run a voluntary cross-sectoral survey for corporate Australia to self-assess their cyber security and controls, governance arrangements and incident (The survey period ran from 13 June to 9 July 2023, and ASIC has said it will release the results of the survey later this year).
  • The Office of the Australian Information Commissioner (OAIC)’s enforcement powers were extended in December 2022 following an amendment to privacy legislation in the wake of the major incidents listed. Penalties for breaches were also raised. Looking forward, substantial and expansive reforms to Australia’s Privacy Act have been proposed by the Attorney-General, and are expected to culminate in new legislation before Parliament in the next 12 months.
  • The Department of Home Affairs released its 2023–2030 Australian Cyber Security Strategy Discussion Paper, looking to enhance and harmonise regulatory frameworks, strengthen Australia’s international strategy on cyber security and secure government. The Actuaries Institute Cyber Risk Working Group submitted a response to the discussion paper, which you can read here.

Funding allocated in Budget 2023

In addition to policy and regulatory changes, the Australian Government budget announced $102 million over five years to support and uplift cyber security in Australia, including funding to help small businesses build in-house capability to protect against cyber threats. Toh noted that both the Report and the Actuaries Institute submission to the Department of Home Affairs draft strategy saw education uplift for SMEs as crucially important, so this was a pleasing result.

Where to from here?

Toh concluded by saying the Report had urged collaboration to create a sustainable and resilient insurance market and to uplift the cyber security of the nation as a whole, including insurers, government, business and community. While there are still challenges ahead, she is heartened to see the consultation and open dialogue that is now occurring.
