A number of high profile data breaches affecting Australian organisations, together with a number of class actions launched as a result, have served as a wake-up call for the Australian business community. Organisations are now strengthening and re-thinking cyber security defences and government has legislated for greater penalties for privacy breaches.1 In this context, it is imperative organisations have a robust cyber incident response plan. What is the role of cyber insurance in these plans and in cyber defence more generally?
In this article we describe the state of the cyber insurance market in Australia, what boards should consider when taking out cyber insurance, and how organisations should address cyber insurance in their supply chains (including via contracts).
What is cyber insurance?
In a nutshell, cyber insurance provides protection for loss arising from a cyber incident. It is usually taken out as a standalone policy, although cover may also be available as an optional cover or endorsement on traditional products such as professional indemnity cover. However, as demonstrated by the Inchcape decision,2 traditional policies (in that case, an Electronic and Computer Crime Policy) provide only limited cover, whereas standalone cyber policies provide broader protection for cyber incidents.
In contrast to a decade ago, the cyber insurance market is now a significant standalone market and insurers are more selective. The increasing cost and frequency of data breaches, together with a greater focus on privacy compliance by regulators, has led to some significant insurance claims. As a result, insurers are implementing more stringent underwriting practices. IBM estimates that the global average total cost of a data breach incident is USD 4.35 million.3 For Australia, the average cost was USD 2.92 million.4
Anecdotally, organisations report being unable to obtain cyber insurance unless their cyber defences and IT security protocols are of a high standard. Organisations report:
- extensive underwriting questions from insurers that probe the procedures in place to secure data and the robustness of IT testing;
- high insurance premiums (in some cases increasing by up to 80% in 12 months);5 and
- closer consideration of aggregation risk, which is the risk that a cyber attack causes systemic issues (e.g. due to software and systems that are used by the same companies across a particular industry sector) and therefore multiple insured losses from the one event.
Preparing for a cyber insurance placement can be a useful exercise in reviewing IT measures and identifying areas for improvement.
Obtaining cyber insurance
Following a number of years of tight capacity and increasing premiums, global insurance broker Aon reports that stability of the cyber insurance market is on the horizon.6 The global market has attracted new players, leading to more capital, competition and softening premiums.7 This includes the Australian market, with a number of new entrants including Lloyd’s syndicates providing new cyber capacity over the past 12 months.
However, underwriters are becoming more selective and the underwriting process can be difficult to navigate. It is important for organisations to start the placement and renewal process early with their insurance brokers, and assemble a dedicated team that can share the company’s cyber security posture with insurers. This will assist with achieving an optimal price and minimise the likelihood of additional exclusions.
What does cyber insurance cover?
Standalone cyber insurance policies provide protection for a broad range of cyber‑related risks. The key triggers are breach of confidential information, loss of data, corruption of software and unauthorised access to computer systems that leads to receipt or transmission of malicious code and viruses. Cyber insurance may also provide cover for non-hostile events such as negligence of employees or service providers that leads to loss of data or network failures.
Broadly speaking, there are two categories of loss:
- First party loss: this is loss suffered by the company in order to respond to a breach of information security. Depending on the policy, it may include cover for:
- legal costs incurred to mitigate legal exposure and notify affected customers and regulators;
- the cost of IT specialists to investigate and substantiate whether a breach of information security has occurred and, if so, to establish the extent of the breach and contain the event;
- credit monitoring services for affected customers;
- public relations services if it is a newsworthy event;
- data restoration costs;
- business interruption loss;
- business interruption mitigation costs;
- funds transfer fraud;
- cyber extortion; and
- regulatory investigations (there may also be some cover for fines, to the extent they are insurable).
- Third party loss: this covers claims made by a third party against the company. It may include cover for:
- liability to third parties (e.g. customers);
- proceedings related to failure to notify customers and/or regulators in accordance with relevant laws; and
- legal defence costs associated with the above.
First party loss may be written on an occurrence or discovery basis. For covers written on an occurrence basis, the policy in place at the time the incident occurred will respond. For covers written on a discovery basis, the policy in place at the time the cyber incident is discovered will respond. The distinction matters because intrusions are frequently discovered months after they began. Discovery-basis cover therefore provides some comfort that historical cyber incidents are covered, provided the organisation did not know, and could not reasonably have known, about them when taking out the policy.
Third party loss is usually written on a claims-made basis, meaning the policy in place at the time the claim is made against the organisation is the one that will respond.
Managing cyber risks in the supply chain
A prudent organisation may also require its suppliers, particularly key suppliers, to take out their own cyber insurance. Cover for first party loss will increase the likelihood that a supplier has the financial resources to recover from a cyber incident. Cover for third party loss will increase the likelihood that a supplier has the financial resources to pay compensation for liability relating to a cyber incident.
Clauses that require the supplier to hold cyber insurance are often inserted into the commercial, procurement and technology contracts that we negotiate. Typically, such a clause would require the supplier to hold standalone cyber liability insurance with a limit of cover of a specified amount, at least for the duration of the supplier’s activities under the contract (and ideally for 7 years thereafter). The limit of cover a customer will require typically depends on a range of factors, such as the services being provided, whether personal information or commercially sensitive information of the customer is held by the supplier, the supplier’s access to customer systems, and a broader risk assessment conducted by the customer. We have seen limits upwards of $2M requested by customers. We expect the amounts requested by customers will increase over time to correspond with the increased risk of cyber attack and regulatory penalties.
Given not all cyber insurance policies are created equal, a customer may wish to set out, in the contract with its supplier, the customer’s requirements as to the coverage it expects in the supplier’s cyber insurance policy. This would involve including a non-exhaustive list of the categories of both first party and third party loss that the customer requires, having regard to the particular activities of the supplier under the contract. (For more on these categories of loss see above.)
In addition, we recommend that a customer includes a clause requiring the supplier to provide the customer on request with a certificate of currency issued by its insurer confirming that the cyber insurance is current and that the insurance has the required limit of cover.
If, during a negotiation, a supplier resists the inclusion of a clause that requires it to hold cyber insurance, the customer should explore the supplier’s reasons.
- Resistance may indicate that the supplier is unable to obtain cyber insurance which may in turn indicate insufficient IT security practices, so this is a potential red flag.
- The supplier may argue that it has “silent cyber” coverage (see further, below), but the customer should be wary of this argument given that any silent cyber coverage is not likely to have the breadth of standalone cyber insurance cover, and may in the future be excluded from the general policy (again, see further below).
- The supplier may argue that standalone cyber coverage is uneconomic and it is self-insured. In this case, the customer should perform a detailed cyber risk assessment and explore other practical and contractual protection options.
The supplier’s cyber insurance coverage may also affect its position on the liability regime in contracts it enters into with customers. Suppliers have been known to argue that their liability should not exceed the amount their insurer will cover under the cyber insurance policy. Faced with this argument, a customer should assess the likelihood and impact of a cyber incident, and decide whether it requires the supplier to accept liability in excess of the insurance coverage. As an example, penalties for serious privacy breaches in Australia are now the greater of $50M, three times the value of the benefit of a contravention, or (where the benefit cannot be determined) 30% of domestic turnover during a certain period, which would typically be well in excess of the supplier’s insurance coverage.8 For certain breaches of contract or other conduct of the supplier, it may be reasonable for a customer to expect the supplier to absorb all such loss regardless of whether it is covered by the supplier’s insurance. Such a position, in turn, would require the customer to think more deeply about the supplier’s ability to meet such claims in the absence of insurance coverage, and about the corresponding contractual mechanisms (for example, parent company guarantees or security over funds).
We also recommend that customers review key existing supplier agreements, and determine whether they should be uplifted to meet the customer’s current requirements and the risk landscape that exists relative to the date the existing contract was entered into.
A sleeper issue - “silent cyber”
“Silent cyber” refers to the potential availability of cyber cover in traditional insurance products that neither expressly include nor expressly exclude it. The issue arises because technology is now pervasive in everyday operations, yet insurers may not have factored potential cyber exposure into the wording or pricing of those traditional products. Property, casualty, general liability and directors’ and officers’ policies may potentially respond to cyber triggers. As an example, a cyber attack could cause a computer to malfunction in a factory and lead to a fire causing widespread property damage. The property damage may fall for cover under a property insurance policy, even though it was triggered by a cyber event.
The issue of silent cyber is not new. In July 2019, Lloyd’s of London issued Market Bulletin Y5258 and required underwriters to address this issue by providing affirmative language in all insurance policies as to whether there is cover for a cyber event. While Australian regulators have not mandated affirmative language in insurance policies, local insurers have embarked on projects to provide greater clarity in policy wordings although it has often resulted in blanket cyber exclusions. The Australian Prudential Regulation Authority considered this issue in 2021 and requested that certain insurers undertake a self-assessment as to whether there was silent cyber exposure across their product lines. The purpose of the self‑assessment was to improve product governance and ensure prudent underwriting practice.
The general effect of the above is that cyber risks are now commonly excluded, expressly, from non‑cyber insurance policies, so an organisation should not assume that its traditional policies will respond to a cyber event.
Putting a thinking cap on for the future
Cyber risks are constantly evolving. Accordingly, cyber insurance is not a “set and forget” purchase. Further, it should not be the sole weapon in defending an organisation against a cyber attack. Cyber insurance should be part of a regularly reviewed and tested cyber incident response plan.
If your organisation is considering renewing its cyber insurance or taking out cyber insurance for the first time, some points to keep in mind include:
- consider the scope and extent of cyber insurance required for your operations. This requires consideration of the potential impact of a cyber incident on your particular business;
- ensure IT procedures and protocols are of a high standard to ensure a smooth underwriting process;
- pay attention to your duty of disclosure, which may require you to disclose the use of emerging technologies such as Artificial Intelligence in your organisation;
- consider the reputation and financial stability of the insurer; and
- seek proper review of the insurance policy to optimise coverage for your organisation’s particular circumstances. Not all cyber insurance policies are created equal.
In the supply chain, your organisation should:
- carefully consider the cyber insurance requirements in supplier agreements during negotiations; and
- consider uplifting existing key supplier agreements to meet current requirements and the threat landscape.