Business needs to address cyberattack insurance gaps: Actuaries Institute

The Australian government, businesses and insurers are being urged to collaboratively address significant insurance gaps in protection against cyber attacks.

In a new report by the Actuaries Institute, it assessed economic losses, noting that only 20 percent of small to medium enterprises (SMEs) have cyber insurance compared with 35 percent to 70 percent for larger organisations.

In the past two months, major Australian institutions like Medibank, Optus, Woolworths and Telstra have all been impacted by cyber attacks. 

In 2021, 75 per cent of ransomware attacks were on companies with fewer than 1,000 people.

In its Green Paper, ‘Cyber Risk and the Role of Insurance,’ the Actuaries Institute analysed the vulnerability of organisations, from SMEs to large corporates, and the role of cyber insurance in setting best practice standards for cyber resilience as part of a robust risk management framework.

Win-Li Toh, lead author and principal at Taylor Fry said, “For cyber insurance to influence best practice in a major way, there are several gaps that need to be addressed by government, business and insurers.

“Adding to these challenges are escalating cyber losses that have reduced insurer appetite for this class, significant shortage of capacity to provide the levels of protection needed across the market, and premium hikes in the double/triple digits over the past two years.”

Annette King, president at the Actuaries Institute said the Green Paper identifies pathways for key stakeholders in the Australian economy to prevent further significant damage from cyber attacks.

She said, “Sitting back and doing nothing shouldn’t be an option when cyber attacks cost the Australian economy $33 billion last financial year.”

To counteract these cyber attacks, the report recommends including scenario planning and a joint approach towards training and skills development.

“The issues may be complex, yet it is clear that protection is vital for economic resilience given the headline-making losses we too often read about here and around the world.”

Toh said good cyber hygiene and security – not insurance – are the first line of defence. She noted government entities are a long way off baseline standards of cyber security and many businesses are also behind in their resilience against rapidly shifting risks.

“A vibrant cyber insurance market will do more than provide financial recompense for risks that break through the first line of defence. It can also strengthen that first line, by offering clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best-practice standards,” she ended.