Cyber insurance premiums soar

Cyber attacks are not going away anytime soon and in the wake of the Optus, Medibank and more recent Latitude Financial breach, the demand for cyber insurance has increased, despite premiums soaring as much as 300%.

Many small to medium size businesses are feeling the affect and may now find it impossible to obtain cyber insurance which can make it difficult when competing for business, where contract terms require cyber insurance at a sufficient level of cover, which depending on your risk profile could be as much as $10 million dollars or more. The average level of cover though is about $1 million.

A positive that has come out of breaches though over the last 2 years is that cyber insurers are starting to pay attention to the finer details of what controls and processes matter and that provide the most effective coverage to reduce overall risk.

The main categories of focus being:

• Policies and Procedures - Does your organisation have effective policies and procedures in place and do these align to a an industry standard (NIST, ISO27K etc)
• Security awareness training - how often this occurs, is it tracked and what remedial training is enforced for repeat offenders. Do you regularly undertake phishing campaigns
• Key technical controls - not limited to but including Authentication (MFA), Application control (White Listing), Vulnerability Management, Endpoint Detection and Response (EDR), Logging (SIEM), Firewalls (Layer7) and Network Detection and Response (NDR)
• Incident Response Planning - Are you prepared if something bad does happen and how quickly can you recover. Do you have an incident response retainer in place?
• Regular Testing - Red Teaming, Penetration Testing, Web App Testing and more.

Even if your responses to the above areas are comprehensive when completing your annual insurance cover form, there is no guarantee this will result in a reduced premium!  Based on my experience the insurance market for this type of product although better than it was a few years ago, still has a long way to go in terms of maturity and understanding.

Some insurers have even exited the market and no longer offer cyber products as a result of the number of breaches that have happened over the last few years.  In fact it would only take a few Ransomware breaches to effectively wipe out the collection of premiums by the insurer, over resultant claims and losses therefore incurred, to make this possibly a dying game for the insurance market as a whole?

So above all the doom and gloom there are some positives to come out of this which are, if an enterprise organisation is paying attention to the detail and are willing to continue to invest in their security programs then maybe insurance is no longer required.  Even for the SME market where businesses might not have such deep pockets there are still effective approaches that can be taken to reduce overall risk which will involve:

• Identifying key assets and data
• Putting in adequate controls like the ASD-8 or similar
• Having resilience baked into your security program and knowing how to respond if things do go south
• Improving security culture throughout your business.  People are your last line of defence so keep educating them on cyber.

Lastly I think the cyber insurance market will evolve and mature once it has recovered from the shock factor of significant losses in the wake of global mega breaches and continued Ransomware extortion.  What that actually looks like in the future we will have to wait and see, but hopefully like other insurance products, having the right controls in place that are shown to be effective at mitigating risk should then result in reduced premiums even if just a little bit!