Cyber Insurance and its role in Cyber Security Strategy
Cyber Insurance
Insurance: a product you buy with the express desire never to use. No wonder people often spend as little time as possible thinking about it or, as we see in the case of Cyber Insurance, hold such polarising opinions on it.
Cyber insurance, however, as simply demonstrated by the billions of dollars in claims costs paid by the global insurance market in the last few years, plays an essential role in an organisation's overall cyber security risk management strategy, and is arguably the final piece in a truly holistic one.
What do cyber insurance policies cover?
Starting with the fundamentals, Cyber policies provide first-party coverage designed to reimburse insureds for costs resulting from an insured event, and third-party liability coverage designed to defend insureds and pay any loss and damages owed to third parties because of wrongful acts.
“Insured events” is an intentionally broad trigger and often relies on definitions such as “unauthorised access”. The mercurial nature of cyber, data and technology risks dictates the need for such a broad insuring “trigger”, which is designed to capture internal and external threats, and intentional and unintentional actions, including those of third parties and vendors.
Reasonable and necessary expenses to investigate and remediate a covered event include:
- Expenses to retain legal advisors, forensics, accountants and public relations.
- Resultant business interruption losses.
- Reasonable and necessary costs to investigate, defend and resolve, through settlement or judgment, covered third-party litigation, including regulatory inquiries.
What role does Cyber Insurance play in a Cyber event?
Cyber policies typically cover the reasonable and necessary expenses to investigate and remediate an event and its associated liabilities. However, the differentiator is the incident response capability of the policy, affording insureds access to 24/7/365 assistance from an incident response team and an associated vendor panel covering:
- Incident response strategy
- Vendor selection
- Legal and regulatory compliance
- Insurance claims management (if applicable)
- Data review and privacy
- Threat actor engagement / sanctions compliance
- Stakeholder management / crisis communication
- Media and dark web monitoring
Incident response capabilities afforded under the policy are engaged by the insured for the insured.
Cyber insurance does not undermine the effectiveness of IT security teams; it supplements their skills and protects a business from the unknown. The incident response team is not a party that takes over a claim, but rather complements in-house knowledge by providing:
- Expertise in cybersecurity and privacy liability.
- Knowledge of an insurer’s guidelines, reporting requirements, and approval/consent procedures.
- Pre-negotiated rates not available if vendors are engaged outside the insurance relationship.
What about third-party caused events?
Cyber events can spread through your technology and non-technology (i.e., professional services) suppliers or your outsourced technology providers, leading to significant impact irrespective of whether you are the “target”. RedBelts have seen significant collateral damage from cyber events impacting insureds where their trusted vendor was the cause.
What if your data storage provider is the target, and your data is compromised in the process?
This is particularly pertinent given recent research from the University of Wollongong’s Professor Alex Frino, noting that “the media usually breaks the news of security breaches first.” The study compiled a database of cyber security incidents to measure their stock price impact, and the paper backs up existing evidence on the risk and exposure that third parties/vendors create for the organisations associated with them.
Additionally, IBM’s 2023 Cost of a Data Breach Report found that nearly one-fifth of breaches are caused by supply chain compromises, often with higher costs and a longer time to discovery.
Finally, a report from SecurityScorecard and the Cyentia Institute, which collated and analysed data from over 230,000 organisations, found that 98.3% of organisations are associated with, or have an existing relationship with, at least one third party that has experienced a breach in the last two years.
Policy response to third party caused events
Today, the frequency and severity of cyber events is cause for insureds to evaluate their policy response, specifically when it comes to third-party/vendor caused events. Multiple recent widespread cyber events have compromised targets ranging from software supply chain and email security vendors to data servers and infrastructure. As a result, insurers are continually assessing their exposure and developing solutions, or providing clarity to manage these exposures and affirm whether their policies do or do not respond to them.
Pleasingly, the vast majority of insurers continue to offer core cyber coverages that are designed to respond to widespread “events”. It is essential, however, that insureds work with their broker to ensure affirmative cover is afforded for such an event.
“Cyber measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. ASIC also expects this to include oversight of cybersecurity risk throughout your organisation’s digital supply chain.” - ASIC Commissioner - Danielle Press
The increasing frequency and severity of third-party caused events is pressuring insurers’ loss ratios, while systemic exposures with catastrophic potential grow ever more pervasive. To ensure a policy wording responds to such an event, organisations need to confirm that the same core coverages (incident response, first-party risk, third-party liability, and so on) are available, by ensuring:
- Affirmative cover is noted;
- No sub-limits apply to the coverage;
- Contingent business interruption cover is implemented; and
- Cover is included for events or breaches caused by “non-technology” providers.
Directors & Officers Liability Risk - Board Considerations
Cyber Insurance has an important role to play in directors and officers meeting their duties. Addressing cyber deficiencies, having assessments performed by independent third parties and transferring the risk to insurance will assist in demonstrating prudent governance of a business’s critical risk, thereby mitigating directors’ and officers’ exposures.
Choosing not to insure a business-critical risk due to high premiums could present directors’ and officers’ liability issues should an organisation face a significant uninsured loss. The process can also contribute significantly to an insured’s environmental, social, and governance (ESG) principles, showing further commitment to the S (i.e., data protection) and the G (management leadership).
Finally, the implementation of a Cyber Insurance policy complements the position recently taken by ASIC in the RI Group matter. Whilst specific to a financial services licensee, RI Group was recently found to have breached its licence obligations by failing to adequately manage cyber risk. ASIC outlined an expectation that directors educate and equip themselves to drive their organisation’s cyber risk culture. It further encouraged directors to consider their risk management framework, enquire about incident response plans, and ensure access to appropriate risk management resources.
“There’s going to be a huge number of issues that the board is able to delegate, but cybersecurity is such a big issue now that if a board is not addressing that in a satisfactory manner, then they would have to be on notice that they may not be complying with their duties – unless they thought that management has effective cybersecurity in place”.
Asking the right questions - Where does Cyber Insurance sit within a holistic cyber security strategy approach?
The risk needs to be approached on a holistic basis: identify the exposure, mitigate it as far as possible, and only then seek to transfer the residual risk where commercially sensible.
Risk management is the foundation upon which successful and resilient organisations are built.
Recognising risk in all its forms, and measuring, managing and mitigating it, are all critical to success. But has every firm achieved that goal? It doesn’t take in-depth research beyond the myriad breach headlines to answer that question.
Implementing a Cyber Insurance policy assists in demonstrating that the Executive and Board seriously address cyber risk through investment, education and risk transfer.
Medibank: a case study
"The annual report also reveals that the CEO and key management personnel had their short-term incentive payments reduced to zero over the incident."
"Australia’s biggest health insurer Medibank has axed bonuses for its executive leadership team as a consequence of last year’s cyber-attack that impacted more than 9 million customers".
Further, the group's 2022 data breach has cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million. This excludes any potential regulatory action, lawsuits, and associated costs.
Cybersecurity is referenced here as a prime example: while two decades ago it did not register as a concern for boards, the Optus and Medibank hacks this year elevated the issue into the boardroom.
CPS 230 is another example of ongoing action from Australian regulators to expand the scope of privacy and cybersecurity obligations, and specifically to address third-party provider risk management. APRA is focusing on regulated entities that are placing increased reliance on third parties to undertake critical operations on their behalf. CPS 230 looks to enforce, amongst other obligations, ongoing monitoring, testing, and assurance of the risk management controls implemented by the third-party service providers utilised by regulated entities.
ASIC
Finally, a recent announcement by ASIC chairman Joe Longo at the Australian Financial Review's Cyber Summit is no surprise: in summary, the corporate regulator will seek to make an example of board directors and executives who are "recklessly ill-prepared" for cyber events, by taking legal action against compromised organisations that do not take sufficient steps to protect their customers and infrastructure from threat actors.
Equally important is the point made regarding organisations putting too much faith in third-party providers of technology systems and services, reaffirming that organisations can (and in the vast majority of cases should) outsource services and solutions to the experts, but cannot outsource liability.
Earlier in the year, ASIC alleged the Star Casino Board breached their directors’ duties to act with due care and diligence under the Corporations Act.
The allegation points to two pertinent questions at stake in the case:
- What is a “reasonably foreseeable risk” that directors should be on notice about; and
- When can directors delegate their powers or rely on what executives are telling them about the companies they oversee?
The take-away for all organisations is that boards will face a huge number of issues they are able to delegate, but cybersecurity is now such a big issue that if a board is not addressing it in a satisfactory manner, it would have to be on notice that it may not be complying with its duties, unless it believed that management has effective cybersecurity in place.
“The legal principles don’t change, but what’s a foreseeable risk can shift over time…. And boards and directors need to be aware of that and adapt to those changed circumstances”.
What are we intending to cover?
Now that the market is entering a more competitive phase, it is an opportune time to review the suitability of, and the intention behind, what we are seeking to cover.
Ultimately, cyber insurance should be relied upon as the last line of defence in a catastrophic cyber event. The limit and deductible structure should reflect this, and a properly thought-out program structure can in turn assist in addressing premium and cost challenges.
We advise that any discussion of the appropriateness of the limit should always be driven by the principle that the cover is implemented to respond to a catastrophic event.
Why not use the money to invest in defence?
Where to invest? Is the best security strategy investment in prevention or in resilience? Looking at this from an IT/IS perspective, organisations would consider investment across:
- Infrastructure
- Security governance
- Practices and procedures
- Staff training
- BCPs/backups/scenario readiness
- Actual incident response capabilities
- SOC/SIEM capabilities; and so on.
Further consideration needs to be given to how organisations would effectively deploy this capital to reduce their third-party vendor and supply chain exposure. The Frontier breach is a good reminder of the exposure these parties bring. Additionally, how much of this capital is invested upfront, and how much is held in reserve to engage (where required) third-party forensic, legal, PR or other vendors in the event of a claim?
Consequences of wrong investment?
With cyber events being so mercurial, misguided investment could have far greater financial consequences than the impact of paying a large premium.
Maintaining a high standard with respect to cyber security within an organisation and the associated ongoing investment has been and will remain important. Reducing an organisation’s exposure and using prevention tools helps to block an enormous number of potential cyber exposures.
Identification and mitigation of exposures remains extremely important. No one should be proposing that we move away from investment here. However, cyber exposures are constantly evolving. Threat actors are continuously learning and improving their capabilities, organisational skills, and modus operandi. And due to the proliferation of cyber tools, they have an advanced variety of techniques at their disposal.
The attacker-defender asymmetry means cyber criminals only need to exploit one weakness to access an insured’s environment. Covering that residual exposure is the role Cyber Insurance plays.
Corporate ecosystems today are so complex that it is nearly impossible to determine the extent of exposure arising from even a single common vulnerability. Consider, for example, the well-publicised Log4j exposures that impacted tens of thousands of organisations globally. Because organisations are almost certainly not aware of all the dependencies in their own software and in third-party software components, it is extremely difficult for them to truly be across these exposures and effectively remedy them. The adoption of cloud and software-as-a-service components has created a new, interconnected mesh of corporate IT, bringing with it significant security implications for organisations that may not have the skills and experience needed to handle them.
While internal investment is always advised, organisations cannot invest to a point where they are completely secure. Implementing a policy to cover off the unknowns is the role of Cyber Insurance and should continue to be implemented as part of an organisation’s broader risk management strategy.
Ransom payments and insurance policies
Yes, insurers will, in particular instances, reimburse an insured for paying a ransom.
No, the insurance market is not responsible for the ransomware pandemic.
In understanding and advocating for the value cyber insurance provides, we are unashamedly vocal on this topic, and were beyond excited to see the empirical analysis by Daniel Woods and the Cyber Economics team.
The empirical analysis highlights potential biases in reporting on disputes over cyber losses:
- Most online articles do not reference an actual cyber insurance coverage dispute.
- Of the coverage disputes that are referenced, only 17% relate to standalone cyber insurance.
- Mainstream media articles include 20 references to disputes, of which 19 concern the Merck and Mondelez cases (these did not involve cyber insurance policies).
- Not a single instance was identified where a war clause dispute involved a standalone cyber policy.
The key take-away for those in security advocating against Cyber Insurance? It is NOT designed to take anyone's job, divert investment from cyber security solutions, and so on.
Conclusion
Cyber Insurance is a tool. When you buy a Cyber Insurance policy, you are buying a network of professional crisis managers who can be your "bench strength" to get your company back up and running after a cyber event.
- Cyber Insurance is not a substitute for good cyber security posture, strategy and investment.
- Cyber security solutions/investment do not replace the role of a Cyber Insurance policy.
- They are as separate in the particular roles they play as they are complementary in their contribution to an organisation's overall cyber security strategy.