Since the 22 September cyber-attack on Australian telecommunications giant Optus, additional hacking attacks have been revealed against Medicare and Telstra.
Woolworths subsidiary Mydeal and Medibank have also been hacked, with recent reports revealing that the Medibank breach is wider in scope than originally thought.
In the wake of the Optus attack, the bulk of public and government commentary has concentrated on security rather than insurance. Optus is understood to have arranged cyber insurance; however, the extent of its cover has not been revealed.
At this stage, no estimates have been made of the total costs Optus will face as a result of the intrusion, but the response required, plus the expense of replacing thousands of clients’ documents (other than passports, which Optus CEO Kelly Bayer Rosmarin says do not need to be replaced), will be substantial, to say the least.
The whole unfortunate scenario will test the extent of Optus’ insurance coverages, including any sub-limits, which can bite when applied.
In addition to multiple governmental investigations, Optus has engaged Deloitte to conduct an independent review of the organisation’s entire cyber-related operations, exposures and precautions which will inevitably include insurance.
Just what does a basic Cyber Insurance policy cover?
When the immense impact of cybercrime first started to emerge, there were no specific insurances available to cover the diverse risks and losses affected corporations were facing.
Certain policies, such as management liability, crime guard type policies and network security, began to include limited cyber risk extensions, which did not fully protect against the expanding exposures.
As a result, the insurance industry devised specific cyber risk insurances designed to more adequately protect clients from the increasingly alarming cyber exposures becoming evident.
Although a ‘standard’ cyber policy had been developed, it was also necessary to devise bespoke policies, as different entities had different cyber exposures, requirements and risk appetites. Evolving cyber threats endangered both clients and insurers themselves.
These days, cyber insurance varies between insurers and care must be exercised when selecting a policy to ensure the appropriate coverage is obtained.
An excellent summary of the risks a cyber risk insurance policy intends to cover has been provided by Steadfast Insurance (which is acknowledged) and appears below with some additions:
The risks cyber policies intend to cover include:
- Loss of revenue due to interrupted business
- Fines where insurable by law
- Credit monitoring
- Hiring negotiators and paying ransom
- Recovering or replacing records or own data
- Liability for loss of clients’ data
- Defense of legal claims
- Investigations by government regulators and other parties
- Copyright infringement
- Prevention of further attacks
- Customer notifications and public notices
- Forensic examinations
- System damage, repair and remediation
- Response management costs.
To reiterate, any cyber insurance policy must be tailored to the insured client’s identified exposures as an ‘off the shelf’ policy risks inappropriate, partial or even non-existent protection.
Access to a full cyber insurance policy
Those wanting detailed policy wordings can download AIG’s 25-page Cyber Edge Network Security and Privacy Insurance coverage, keeping in mind that other insurers’ cyber policies may not share the same conditions, sub limits and exclusions.
It is axiomatic to say that insurance policies contain exclusions and cyber policies are no different.
The aforementioned AIG policy contains 19 specific exclusions. In all cases, exclusions must be robustly brought to a client’s attention, as clients are not renowned for assiduously perusing and absorbing critical exclusions or limitations — until a claim occurs.
For instance, assumed or contractual liabilities are often excluded from cyber policies, as are incidents that occurred prior to policy inception.
Wilful disregard of policy requirements is another standard exclusion, as is non-compliance with the security precautions agreed with the insurer, or failure to keep up to date with technology advances. Material non-compliance can result in a claim being declined.
Most cyber policies impose sub limits and can apply an annual aggregate liability (or capped yearly payout) plus claims deductibles, which must also be clearly conveyed to insured clients to avoid misunderstanding the coverage(s).
Foundershield.com has a downloadable cyber policy guide, which provides a quick reference summary of third-party cyber coverages, first-party cyber coverages and cybercrime coverage.
Founder Shield emphasises that cyber policies vary according to the insurer’s own evaluation of which cyber risks that organisation will or will not insure.
Selecting cyber insurance sums insured
The time-honoured cliche applies: how long is a piece of string?
Certain cyber exposures can be estimated, such as legal expenses or client notifications, but other exposures, like many liabilities, are difficult to predict with any certainty.
Some clients may think ‘$15 million seems enough’ with others in the ‘think of a number and double it’ category.
Broker publications on cyber insurance avoid suggesting precise sums insured or limits, but privately, you can be sure they are aware of their clients’ cyber insurance arrangements.
Cyber insurance claims paid for ransoms or email intrusion are rarely publicised.
Generic comments or examples of cyber claims have been outlined by KBI Specialist Insurance Brokers, while US-based Advisen Cyber News commented that ransomware and email compromise accounted for 44 per cent of the 7,000 claims it reviewed over the past five years.
Don’t be fooled—it can happen to you
AXA Insurance has just produced an analysis of American cyber claims which illustrates the diverse nature of cyber losses and businesses affected, together with the insurance claims costs in US dollars.
The identified causes of each claim were obviously covered by cyber risk insurances and comprise: ransomware, malicious infiltration, fraudulent fund transfer, privacy intrusion, phishing, misdirected money, distributing a client’s private data and credentials, social engineering event and unauthorised use.
The entities involved covered a wide range of organisations, illustrating that cyber hacking can affect any business. The identified types of business and claims costs incurred were:
- technology companies $10m and $5m
- professional services $200,000
- healthcare $2m and $100,000
- financial services $500,000 and $225,000
- retail $2m and $150,000
- education $500,000
- legal services $400,000
- media $5m and $500,000.
It is emphasised that these examples are but a snapshot from just one cyber insurer. Also, many clients and insurers are reluctant to publicly disclose precise claim details or costs, especially if a ransom was paid.
Increased cyber breach fines likely to be uninsurable
Many countries, including New Zealand, legislate that certain fines are uninsurable where insuring against the loss would be against the public interest; insurance against traffic infringement fines is one example.
As a direct consequence of the recent disastrous data breaches within major Australian companies, the government has mooted a massive increase to the current maximum fine of A$2 million, possibly into the hundreds of millions of dollars, according to Attorney General Mark Dreyfus.
If this threat eventuates, cyber security risk will be catapulted into one of the most catastrophic uninsured business risks any entity faces. The minor consolation is that legal defense costs remain insurable.
Curly questions from clients
Given the extent and potential cost of the Optus cyberattack, many entities may already be reviewing their exposures and insurances, with possible pointed questions to their insurers, brokers or advisers.
Questions to expect might be: What is the degree of cyber risk protection in our current insurances? What recommendations do you have to reinforce or expand our protection? What operational obligations and premium costs will be incurred?
A 45-page downloadable paper from the Australian Actuaries Institute, titled ‘Cyber Risk and the Role of Insurance Green Paper’ and published in September 2022, is an informed commentary on cyber insurance risks in Australia, containing analysis of the market plus relevant commentaries.
Prescient means ‘knowledge of events before they happen’, and this description coincidentally applies to this technical, researched paper, which appeared within days of the Optus incident.
It contains extensive references of interest to those wishing to delve further into the cyber risk and insurance world.
Obviously, the internet is another valuable reference. After plugging in ‘cyber’ as your first search word, adding others such as insurance, risk, security, loss control checklists or audit will return multiple options to explore. Also try locating Be Ready Utah for an interesting array of information.
Business Insurance has just commented on the American cyber insurance market, predicting that cyber liability buyers will likely continue to see significant premium increases at forthcoming renewals and that insurers will pay more attention to cyber security and cyber hygiene.
The same attitude is likely to migrate to Australia rapidly following the Optus cyber-attack and its consequences.
This commentary is a personal observation and not exhaustive on such a diverse topic.
John Sloan is an insurance risk consultant previously practicing in New Zealand but now relocated to Melbourne.