Cyber security insurance providers are tightening policy conditions

As premiums and excesses rise, this is what Australian organisations can do to stay insurable against the threat of ransomware and other attacks.

Growing increasingly tired of the operating environment – and in particular, the never-ending flood of ransomware infections – are the insurers whose role it often is to help victim organisations pick up the pieces and pay for much of the damage done.

In 2022, changes to how insurers assess risk and determine premiums and coverage could become a problem for some organisations. So which organisations are most at risk, and why?

It’s worth examining what is driving insurance companies to change their collective tune on cyber security protections and payouts.

First, too many organisations are being compromised. Nearly 500 reports were received by the Australian Cyber Security Centre last financial year, an average of more than one per day.

Second, these breaches are increasingly costly. IBM puts the average cost of an infection at US$4.62 million (A$6.45 million). This excludes any ransom payment, which is often an additional six- or seven-figure amount, and which – by some accounts – the majority of infected businesses wind up paying on the quiet.

Third, insurers don’t want to pick up the bill for this never-ending stream of compromises indefinitely.

In response, payout limits have halved in some cases, while premiums have skyrocketed; industry body the Council of Insurance Agents & Brokers (CIAB) saw cyber premiums rise 27.6% in the three months to September 30, on top of increases of 25.5%, 18% and 11.1% in the prior three quarters.

The types of attacks covered by cyber insurance policies may also become narrower: exclusions on cyber policies are being tested before the courts, and this could have ramifications for future cover.

It’s fair to say that organisations remain acutely aware of the financial and reputational risks associated with being successfully targeted. And with proposals on the table to make company directors personally liable for cyber security incidents, organisations want to do what they can to mitigate risk and remain under insurance cover.

There are things that organisations can do to make themselves more insurable:

Keep pace with minimum qualifying standards

Insurers expect organisations seeking cover to be able to demonstrate a minimum standard of security and resiliency against an attack. That requirement has steadily increased over time. When insurers mandate strong baseline security protections, everyone wins, because it raises the bar that almost every organisation must meet. As a former White House administration said, “With widespread take-up of insurance, these requirements become de facto standards.”

CIAB notes that multi-factor authentication (MFA) on all enterprise accounts and proactive staff training are now considered a baseline standard by insurers. While not having MFA is unlikely to result in cover being refused, it is likely to affect the premium and excess associated with a policy. Being priced out of cover in today’s insurance market is a real possibility if security baselines are unmet.


Build to a stronger baseline

We note some insurers are taking this concept further by incorporating elements of compliance-based security frameworks and standards like the ASD Essential Eight, NIST, or the Centre for Internet Controls (CIS) 18 into the tests they use to pre-qualify customers for cyber insurance policies. This won’t be an issue for more forward-thinking organisations that already use these frameworks to guide their security activities.

For organisations not already on this path, however, a cyber security review by Tecala can be used to test your organisation against these standards. It can also be used to develop a strategic technology roadmap to bridge any gaps in capability or coverage that could have flow-on impacts for insurability.

Assess your vulnerability to attack. Protect your reputation.

Working to a risk assessment matrix, we’ll clearly identify where your business is most susceptible to breach or attack.

Our assessment follows 3 Steps:

  1. Identify where and how your business operations create your potential for risk.
  2. Explain the two primary security frameworks and how to apply them to your organisation.
  3. Define next steps: achieve peace of mind with a tailored Strategic Security Roadmap for your business.

Don’t be tomorrow’s headline. Book your session today.
