Cyber risk Green Paper tackles major concerns for public and private sectors

The paper highlights how technology is woven into every aspect of our daily lives and cyber criminals take advantage of this dependence. Lead author Win-Li Toh says, “Despite increasing government and business spend, the approach to addressing the exposures appears disjointed and the losses are mounting. No one is immune – from SMEs to the largest corporates – across industries and disrupting supply chains.”

What’s more, Win-Li adds, government entities are a long way off baseline standards of cyber security, while many businesses are also behind in their resilience against rapidly shifting risks.

Cyber insurance as influencer, but there are gaps

In addressing these core issues, Win-Li says, “Importantly, cyber insurance is not the first line of defence – that role goes to good cyber hygiene and security. But cyber insurance can influence best practice in a major way – by boosting cyber hygiene and security resilience through eligibility criteria, pricing and insights.

“A vibrant cyber insurance market will do more than provide financial recompense for risks that break through the first line of defence.”

For this role to be effective, Win-Li says several gaps need to be addressed, including:

• A severe shortage of qualified cyber security personnel
• Limited understanding of the role of cyber insurance among Boards
• Limited education on cyber risks among SMEs
• Achieving sufficient capacity and profitability in the market
• Managing accumulation risks
• Cyber hesitancy in seeking the right insurance solutions.

Cyber risk an explosive global concern

Globally, cyber risk is mirroring the Australian experience and growing at unprecedented levels, with ransomware attacks more than tripling in two years. Contributing factors to this expanding risk include:  the accessibility of Ransomware as a Service, the development of crypto currencies enabling untraceable payments, and cyber insurance hesitancy due to reduced cover, increasing premiums and a reduction in policy limits.

Compounding these issues, the paper points to the lack of geographical boundaries in cyber risk, where a computer virus can spread quickly around the world, resulting in multiple companies making a claim. “This is the accumulation risk challenge for an insurer,” Win-Li says. “The potential for a single event to trigger losses across business lines and global borders.”

A further hurdle is the difficulty in defining acts of cyber war (or terrorism) that are excluded from insurance policies, with Lloyd’s recently giving directions to underwriters towards excluding liability for losses arising from any state-backed cyber attack.

Problem too big to solve alone

The Green Paper offers several solutions-focused discussion points, as the authors examine the complementary roles of government, business and insurers.

“The problem is simply too big for any sole party to tackle on its own,” Win-Li adds. “Finding the right balance between guidance, education, mitigation, cover and regulation will require government, business and insurers coming together and appreciating one another’s perspectives.” Constructive conversation will encourage give and take, she says. “Active partnership between these stakeholders is critical in plugging the gaps, in heading off market failure and in creating a robust risk management framework, where cyber insurance can thrive and offer better protection against cyber risk.”

Listen to the Actuaries Institute podcast here.

Commentary in the media

Australian Financial Review

Canberra Times

West Australian

ABC Radio National

ABC’s Peter Ryan

Insurance News

Insurance Business Australia

Asia Insurance Review