Cybersecurity is an often misunderstood proposition. Unfortunately, this tends to mean that cyber insurance gets overlooked, even by businesses and brokers who should know better. But cyber insurance is becoming an increasingly essential risk-transfer asset, and those who ignore it do so at their own peril, says James Crowther, general manager of emerging risks at Agile Underwriting.
“Ten years ago, when I first moved into cyber insurance underwriting, the market was obviously much less sophisticated,” he says. “Cyber insurance tended to be purchased as an add-on to existing products, like management liability or professional indemnity, rather than its own stand-alone product.”
Today, cyber insurance is far more specialised – not only are there many stand-alone products, but they generally also include crisis management or incident response costs as part of the package. In fact, many modern cyber insurance products actually provide breach remediation capabilities rather than simply reimbursing clean-up costs. This is particularly important for SMEs, as many don’t have the capabilities to deal with a full-blown cybersecurity crisis.
“Brokers have a real responsibility to work through these issues with their clients,” Crowther says. “What sort of security measures do they have in place already? Are they prepared for when a breach does occur? For example, is there a breach response management plan in place, and how should they notify their insurer? Given the world we live in, being uninformed or unprepared just isn’t an option anymore.”
Businesses also need to keep in mind that there are legal implications in play. In 2018, changes to the Privacy Act 1988 introduced the Notifiable Data Breach [NDB] scheme, which requires mandatory notification to affected individuals and the Office of the Australian Information Commissioner following certain data breaches. Additionally, companies with clients or customers in the EU need to be compliant with that region’s new data protection laws.
The cyber threat landscape has significantly evolved since Crowther first entered the field. With the increased emphasis on cloud computing, he explains, many businesses are at far greater risk of a breach because they’re often not aware that they need to maintain their own robust security beyond what their cloud service providers offer.
“The biggest thing we’re seeing at the moment is business email compromise, or BEC, which seems to have risen in frequency along with the use of software as a service [SaaS] email software such as Office 365,” Crowther says. “Essentially, a cybercriminal gains access to the user’s login credentials, usually via a phishing email, and they can then log into the email account. The hacker often then impersonates someone from inside the business and tricks other staff into handing over compromising information or, in some cases, the business’s financial assets.
“If an outsider is able to gain access via BEC, it’s frequently possible for them to gain access to the whole network from there. The compromised email account might be used for resetting passwords for other critical services or launching attacks – it’s a security issue that brokers need to be aware of in order to educate their clients and own staff.”
Crowther also notes that having an effective cyber fitness or resilience program, which takes into account staff training, breach response planning and insurance, is crucial for any business looking to update its cybersecurity risk profile. To this end, Agile provides updates on current security threats via social media and LinkedIn, along with updates on trends and education materials via its website. Having close ties to Lloyd’s of London enables the underwriting agency to stay at the forefront of developments in available cyber insurance products.
“We also have frequent discussions with our IT security vendors to stay up-to-date on the threat landscape, and we are always looking for ways to improve customer education through partnerships,” Crowther says.
Through these channels, as well as partnerships with firms such as Cynch Security and the Optus Macquarie University Cyber Security Hub, Agile is able to assist brokers in answering customers’ queries and meeting their needs.
“The broker is the client’s trusted advisor,” Crowther says. “They need to be ready to answer questions when they arise. Proactive management is key, and we are always here to help.”