Cyber risk and the role of insurance

Australians are more dependent than ever on technology.

With the pandemic propelling trends that existed pre-COVID-19, technology, and therefore cyber risk, is now woven into almost every aspect of our lives and social fabric. 

In such an environment, it is crucial there is a vibrant and resilient risk management framework and infrastructure for cyber risk.

Cyber risk insurance is a key part of that and the focus of this Green Paper.

Cyber crime on the rise

In Australia with a cyber crime reported every eight minutes over the past financial year —an increase of 13 per cent on the previous year.

Reported total economic losses in the year amounted to $33 billion, impacting government and the private sector, all sizes of organisations — from SMEs to the largest corporates — across industries and disrupting supply chains.

Globally, 623 million ransomware attacks were recorded in 2021. That is 20 attacks every second and more than triple the number recorded in 2019.

Omnipresent and unpredictable risk

Cyber risk is a classic ‘wicked problem’ (Rittel and Weber, 1973). It is omnipresent, unpredictably dynamic and its root causes are entangled with other problems.

For example, there are many motivators for cyber attacks, and the economics or expected payoff for cyber attackers is constantly improving.

Further, Act of War exclusions typically found in traditional covers are difficult to apply in a cyber realm, where there are greater nuances as to where an attack may be attributed.

Causes can be a combination of state actors or financial motives, and mere indications of fault are not enough to attribute fault ‘beyond reasonable doubt’.

For cyber risk insurers and consumers, such characteristics challenge the usual conventions about whether a policy is fair and of value.

How accurately does past claims experience inform future experience? Are previous terms and conditions for coverage appropriate?

The issues may be complex, yet it is clear that protection is vital for economic resilience given the reported total economic losses of $33 billion last year.

No wonder cyber risk is consistently among the top risks identified by Directors, C-Suite executives, policymakers and regulators.

Growth capacity and sustainability

The cyber insurance market is small globally and even smaller locally. Cyber represents 4 per cent of the Lloyd’s market, less than 1per cent of the United States market, and only 0.4 per cent of the local general insurance market.

On the one hand, this suggests strong growth potential, some of which may come from reducing the extent of underinsurance, including through greater awareness of cyber insurance and its potential value.

Equally, however, if underinsurance is significantly addressed, there are questions whether the Australian market will have capacity because it would make cyber risk the largest, or one of the largest, lines of business.

A clear value proposition

Is this sustainable given the ‘wickedness’ of the risk? Scenario analysis is one tool that could assist business to understand the potential costs of poor cyber resilience, including reputational damage and time needed to rebuild trust.

Actuarial projections give a clear picture of the impacts and value of cyber insurance and other mitigations on financial position and profitability over the longer term.

Actuaries are well placed to provide organisations with insights to make evidence-based decisions about their cyber protections.

This Green paper offers several solutions-focused discussion points, as we examine the complementary roles of government, business and insurers in creating a robust best-practice framework, where cyber insurance can thrive and offer better protection against cyber risk.

Download the Green paper