July 2024 Market Update – Cyber Liability Insurance
Cyber Liability premiums remain stable as newer market entrants establish themselves and diversify market share, maintaining favourable conditions for buyers. The cover offered by cyber policies has expanded, with some insurers broadening their service offering to include network monitoring as part of the policy coverage.
Proposed reforms to the Privacy Act 1988 (Cth) together with greater enforcement powers to the OAIC will see more regulatory action brought against more organisations, not only those in the public eye.
The majority of cyber claims (by frequency) trigger the ‘first-party’ section of a traditional cyber policy. Following the proposed reforms, it is expected that the regulator and affected third parties will be more inclined to lodge complaints and bring claims for compensation arising out of identity theft and breaches of privacy/data.
Insurers will look more favourably upon those businesses that proactively demonstrate cyber risk resilience. To reiterate which measures should be considered, we refer to the ‘Essential Eight’. The Essential Eight steps to prevent and mitigate cyber security incidents are a good starting point and have been formulated by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). They are as follows:
- Creating, implementing and managing a whitelist of approved applications.
- Implementing a process to regularly update and patch systems, software and applications.
- Disabling macros in Microsoft Office applications unless specifically required. Training employees not to enable macros in unsolicited email attachments or documents.
- User application hardening by ensuring web browsers are configured securely to block malicious content. Only using necessary browser extensions and keeping them updated.
- Restricting administrative privileges to those who need them.
- Setting up automatic updates for patching operating systems.
- Using strong, unique passwords and enabling multifactor authentication.
- Conducting daily backups of critical data and isolating backups from your network.
Other key measures which should be taken include:
- Regular risk assessments
- Utilising an endpoint detection and response (EDR) solution deployed across all endpoints
- Creating a well-defined incident response plan
- Cyber awareness training/simulated phishing attacks for employees.
Continue reading our full range of market updates here:
For more in depth market updates by product class, profession and industry, please see our individual reports below: