January 2024 Market Update – Cyber Liability

Premiums are stabilising due to new capacity in the market and growing adoption of robust risk management strategies and cyber network security measures among businesses.

This emerging trend in the cyber market comes in spite of the growing number of cyber incidents. The three most targeted industries by cyber-attacks – financial services, manufacturing and healthcare – continue to experience a high level of cyber incidents resulting in theft and service disruption and consequently are still seeing uplifts of 15 to 20 per cent.

Phishing has emerged as the leading cause of attacks, with upwards of 90 per cent of incidents arising from phishing emails[1].

Insurers realise that cyber risk is heavily dependent on risk controls, industry, and business size, and they are increasingly favouring case-by-case risk assessments. Those businesses with adequate measures in place can expect premium stabilisation or even reductions in some cases where there is a demonstrable improvement of ‘cyber maturity’.

Basic cyber risk management is now expected across the board, so businesses must be extra vigilant to ensure that they stay ‘ahead of the curve’ to minimize premium expense. Insurers are also paying closer attention to supply chain partners and whether they meet adequate standards of risk management.

The Essential Eight

The ‘Essential Eight’ steps to prevent and mitigate cyber security incidents are a good starting point, and have been formulated by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). They are as follows:

Creating, implementing and managing a whitelist of approved applications.

Implementing a process to regularly update and patch systems, software and applications.

Disabling macros in Microsoft Office applications unless specifically required. Training employees not to enable macros in unsolicited email attachments or documents.

User application hardening by ensuring web browsers are configured securely to block malicious content. Only using necessary browser extensions and keeping them updated.

Restricting administrative privileges to those who need them.

Setting up automatic updates for patching operating systems.

Using strong, unique passwords and enabling multifactor authentication.

Conducting daily backups of critical data and isolating backups from your network.

Other key measures which should be taken include: regular risk assessments, utilising an endpoint detection and response (EDR) solution deployed across all endpoints, creating a well-defined incident response plan, and cyber awareness training/simulated phishing attacks for employees.

Australian Cyber Security Strategy

The Government’s aims to transform Australia’s cyber-security capabilities by 2030 through the implementation of the Australian Cyber Security Strategy should further aid market stabilisation. This strategy, announced on 22 November 2023, comes after the penalties for serious cyber breaches were increased in 2022, and will focus on a wide range of initiatives including:

Strengthening small businesses by offering free maturity assessments and establishing a service to provide free advice and support in the event of an attack.

Working with a range of industries to develop a ‘no fault, no liability ransomware reporting obligation’ and a playbook to guide businesses' responses to ransomware attacks, as well as to pilot next-generation threat blocking capabilities.

Expanding the Digital ID program to limit the sharing of personal information with government and businesses to access online services.

Promoting the safe use of emerging AI technology.

Growing the national cyber workforce.

Tightening obligations and compliance related to cyber security.

ASIC Cyber Pulse Survey

There is a need for these strategic measures to supplement the drive for businesses to improve their cyber risk management, especially in light of ASIC’s recent report on its cyber pulse survey results, released 13 November 2023. The cyber pulse survey was implemented by ASIC to assess the cyber maturity of regulated organizations. The report found that there are significant “gaps in cyber security risk management of critical cyber capabilities”. Small businesses fell behind medium and large organizations when it came to cyber maturity. Overall, ASIC has identified four areas for improvement across the board:

Supply chain risk management: whilst an organisation may have adequate cyber risk management themselves, they must also make sure any external third party they engage has effective protections in place.

Data security: organisations must classify their information to determine which is most important or at risk, then apply relevant security controls.

Consequence management: organisations need to have an effective cyber incident response plan in place to ensure business continuity and prevent prolonged interruptions and financial damage.

Adoption of cyber security standards: organisations should conduct cyber risk assessments to determine their cyber security standard and the steps they need to take to achieve cyber maturity.

Bellrock recommends any organisation considering cyber liability insurance should contact us to obtain a cyber risk assessment as a first step in understanding risk exposures.

[1] Phishing refers to communications sent by malicious actors to staff or other stakeholders to deceive them into sharing confidential business information, often leading to fraudulent business transactions or identity-theft.