Vol 46: Issue 4 | December 2023
Innovation these days is often driven by people’s desire to work, play, communicate and shop online. But with increasing numbers of individuals losing out to scams like ‘Dear mum’ and fake SMS payment demands — to the tune of more than A$3 billion across Australia and New Zealand — many insurers are responding in the form of personal cyber insurance.
In the United States, for example, multiple insurers are offering personal cyber cover as an addition to home insurance or as a standalone product. Others are targeting identity theft insurance: identity theft is a particularly costly cyber event for individuals, both in terms of the financial losses and the time spent reporting the crime and addressing the fallout.
Identity theft can result from phishing attempts (where a person responds to a scam email or SMS and provides sensitive information), but also from online data breaches (such as the 2023 Optus data breach in Australia).
These details can be used to access people’s existing bank accounts, open new credit accounts and apply for loans. Identity theft cost Australian citizens more than A$10 million in 2022 and experts believe the true cost is much higher, owing to the complexity of reporting identity theft.
Many other countries have similar — albeit smaller — personal cyber markets. For example, in Singapore, Etiqa and StarHub offer standalone personal cyber products, with StarHub’s cover underwritten by Chubb.
FWD bundles personal cyber cover for some online shopping fraud and fraudulent transactions with its home insurance policy, and Delta offers a personal cyber add-on through its business cyber insurance.
In Australia and New Zealand, the market is smaller again. Underwriting agency Emergence has a standalone personal cyber offering available via brokers and Chubb offers personal cyber as an add-on to its home and contents insurance. AIG underwrites broker offerings from Norton and Experian for identity theft insurance.
Norton — which has recently launched a free scam detection tool — blocked over 55.5 million scam threats in Australia and New Zealand and over 1.5 billion globally in the first half of 2023, says Dean Williams, a senior systems engineer with multinational software company Gen, which owns the Norton brand.
“Personal cyber insurance could become a staple in insurance portfolios. While the market is still relatively young, its growth potential and the enduring relevance of cybersecurity make it a promising area,” says Williams.
Swiss Re estimates the global cyber market has tripled in volume in the past five years, expanding to around US$13 billion in size in 2022. If personal cyber grows at the speed of commercial cyber products in the past few years, those insurers who are already in the market could be well-placed for a dramatic take-up of personal cyber insurance products.
Unique benefit
Backed by Lloyd’s, Emergence’s personal cyber product has been on the Australian market since 2020. Previously, it could only be accessed through brokers, but in August this year Emergence adopted a new distribution strategy similar to Delta’s in Singapore: offering personal cyber insurance to employers looking to give staff that extra layer of protection.
Emergence founder and CEO Troy Filipcevic says he is seeing “tremendous” signs from employers for this product, and he doesn’t rule out a similar offering in New Zealand, where Emergence recently launched its business cyber product.
“We are educating brokers to have those conversations with clients and that takes time, but since we’ve launched, we’ve been extremely happy,” he says. “The only thing we do is cyber insurance, so the personal aspect was just an addition to our cyber products.
“We see cyber as a major risk across businesses but also personal, as family lives become increasingly entwined in technology. Technology isn’t going away. It makes sense that people start thinking about cyber risk more holistically.”
Emergence’s personal cyber insurance limits range from A$50,000 up to A$1 million. The product covers cyber events such as hacking, ransomware attacks, identity theft and phishing, as well as providing assistance for cyberbullying and cyberstalking. Response experts are part of the coverage, as is compensation for unauthorised fund transfers, identity restoration costs and time-off-work costs.
Questions to answer
Win-Li Toh, vice president of the Actuaries Institute and principal at Taylor Fry, estimates the Australian cyber insurance market is sitting at around A$500 million and that personal cyber would represent a tiny portion of that at present. She says personal cyber cover has appeal.
“It’s early days, but Emergence covers cyberbullying and helps with related forensics, and it pays you a little bit of income while you’re getting your life back in order, which is more than commercial cyber covers,” observes Toh. “I imagine the kind of person who buys this sort of cover, unless it’s for employees, is probably someone who’s pretty PC or cyber savvy.”
However, mainstream customer awareness of personal cyber is in its infancy and one additional hurdle could be the public’s understanding of what a policy actually covers.
Toh questions if customers who fall prey to scams, where the victim authorises payment to a fraudulent bank account, will be covered by personal cyber products.
Her reasoning is that banks may not reimburse payments made to fake e-commerce retailers because, if a person has authorised a payment without checking for the signs of a scam or verifying the integrity of the website, this suggests negligence on their part. According to the Emergence PDS, for example, cover generally applies to attacks of the unauthorised kind, suggesting that Toh has correctly defined a coverage gap.
Toh says another big question around cyber insurance — commercial and personal — is what happens during acts of war. Most insurance policies do not cover damages resulting from an act of war.
However, as we saw following the Russian-backed NotPetya malware attack that targeted Ukrainian infrastructure in 2017, people and businesses across the globe with no connection to a conflict could be collateral damage in cyber warfare. The Lloyd’s Market Association has tabled exclusion clauses to exempt insurers in the event of state-sponsored cyber attacks, but the clauses are yet to be tested.
“The market has not yet settled on wordings that exclude acts of war,” confirms Toh. “Lloyd’s wording attracted some controversy and it has never been tested in the court, so market clarity on exclusion for this big systemic risk is still unsolved.”
What is clear is that responding to cyber risk with the right personal cyber insurance product presents a huge opportunity for insurers — if they can underwrite the risks correctly and ensure policy wordings are clear and fit for purpose.
Who’s on the hook for losses?
New rules that come into force in 2024 will make it mandatory for banks and other payment companies in the United Kingdom to reimburse victims of authorised push payment (APP) scams.
These are bank transfer payments (not card payments), where someone uses online banking to pay a fraudster for goods or services that don’t exist or are counterfeit, or where a cybercriminal tricks someone into transferring funds to the fraudster’s bank account.
Meanwhile, the Monetary Authority of Singapore is currently considering a shared liability scheme that will mean both consumers and banks are on the hook for financial losses from scams. In Australia and New Zealand, however, regulators are focusing more on encouraging prevention activity than compensation schemes.
While the UK’s new measures may cover some losses and also force banks to develop better fraud detection systems, Emergence CEO Troy Filipcevic says that bank scams are only one aspect of the cyber risks that individuals and families are facing.
In his view, having access to response experts who can help navigate a situation like identity theft and decrypt locked files or photos, for example, is a core advantage of a personal cyber offering.
“I imagine the kind of person who buys this sort of cover, unless it’s for employees, is probably someone who’s pretty PC or cyber savvy,” says Toh.
“The market for personal cyber insurance is currently niche but if the commercial cyber market is anything to go by, it is only a matter of time before personal cyber becomes a solid profit play.”