Op-Ed: Australia’s evolving business conversation about cyber insurance

It’s a conversation that’s overdue; less than a year ago, the Insurance Council of Australia still characterised cyber insurance awareness as being “low within the Australian business community”.

That lack of awareness plays out in the type of cover businesses held. It’s less common to find businesses with cyber-specific cover. The Insurance Council quantified this: “Currently in Australia only about 20 per cent of SMEs and 35-70 per cent of larger businesses have standalone cyber insurance.”

More often than not, businesses rely on more general insurance policies to also cover cyber incidents — a phenomenon known as “silent cyber” — although the ability to make claims under such policies is often limited, and this is now even more constrained.

Businesses in this situation may face increased pressure — from executives, boards or outside influences like regulators — to buy more specific cyber insurance products that offer a higher level of insurance against risks associated with using the internet, as well as of storing and electronically processing data.

These products may include data breach insurance, which covers the costs of leakage of confidential information, or a Ransomware Supplemental Addendum that is coverage-specific to the circumstances of ransomware attacks.

However, access to this type of coverage depends on a few things: its availability, its affordability, and the ability of businesses to meet a growing list of prerequisites to prove they take security seriously and are an insurable risk.

On the issue of availability, as the Insurance Council noted, Australian businesses have traditionally had access to only a small number of providers able or willing to offer specific cyber insurance products.

On affordability, costs were already high, but the number of attacks in the past year means premiums have only gone up. It’s now more challenging and expensive to get a cyber insurance policy than before. In general, small businesses can expect to pay anywhere from a few hundred dollars to a few thousand dollars per year for a basic cyber insurance policy, while larger companies may pay tens of thousands of dollars or more.

VIEW ALL

On their ability to demonstrate insurability, businesses must meet an increasingly long list of requirements to demonstrate preparedness. This may include drawing up an enterprise risk management policy and implementing appropriate systems, controls and protections.

Cyber insurers consider organisations with poor security practices as an unwanted, and potentially dangerous, liability to their business model. For a business wanting standalone cyber security insurance, having strong cyber defences improves the chance of qualifying for coverage, as well as obtaining the best rates. While there is no direct relationship between infosec controls and premium savings like a safe driver credit on car insurance, a judicious enterprise risk management strategy shows the business understands its risks and the risks of its customers.

This is the challenge that is currently garnering substantial interest from Australian businesses as they canvas the cyber insurance market for stronger cover.

Showing cyber maturity

While cyber insurance is an important instrument for managing risk, organisations must still focus on ensuring they are effectively and responsibly managing cyber risk. This entails implementing the right security controls and employee cyber awareness training.

There are five key controls that all businesses should strive to implement and demonstrate maturity in: multifactor authentication (MFA) for email, remote network access, and privileged/admin access; back-ups that are encrypted and kept out of reach of ransomware; endpoint detection and response (EDR); employee awareness training; and a cyber incident response plan (that has been tested).

Going beyond these baseline controls, the most insurable businesses are those that have a 24/7 security operations centre (whether in-house or third-party), have total control over their privileged accounts and service accounts, can show a proper patching cadence, and have no exposure to open ports.

Two sets of technologies can assist here.

First, threat intelligence systems can be used to detect threat indicators and early signs of attacks. Modern systems with machine learning and artificial intelligence are being used by businesses in this area to expand the breadth of their monitoring capabilities.

In addition, Privileged Access Management (PAM) solutions can be used to control, monitor, and audit all privileged access.

Cyber insurers recognise that PAM controls are foundational security in every organisation, prevent many cyber attacks outright, and significantly minimise the damage of any potential breach. They are also one of the most effective defences against insider threats.

The must-have capabilities of a PAM solution include least privilege enforcement, privileged account and credential management, and remote access security — all of which are common criteria for cyber insurance approval.

Scott Hesford is the director – solutions engineering APAC at BeyondTrust.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.