Firms respond to rising cyber threat

"Scale and severity" continues to rise, says expert

By Daniel Wood

In recent months, some insurance industry stakeholders have significantly increased their commitment to combatting cyber risks. International law firm Clyde & Co has appointed five new special counsels in Australia – three of them will focus on cyber breach response.

These additional cyber resources come as attacks against Australian firms and government agencies continue to grow. The latest published data from the Office of the Australian Information Commissioner (OAIC) shows about 500 notifiable attacks every six months. That number has gone up by 20% compared to the first half of 2023.

Last week, one of the country’s largest event ticketing firms, Ticketek, released a statement concerning a cyber incident that could impact millions of people.

Rising threats and increasing claims risks

Stefanie Luhrs, a partner in Clyde & Co’s cyber practice, said the new appointments at her firm were a response to both rising threats and increasing claims risks.

“A rapid increase in the scale and severity of cyberattacks, coupled with a renewed focus on enforcement activity by the Australian Privacy Commissioner, means that the long tail regulatory and claims risk in the wake of a cyber incident is also set to increase,” said Brisbane-based Luhrs.

Partner Gareth Horne agreed that his firm’s additional strength in its cyber practice was “guided by current and anticipated trends we are seeing in the market.” Another factor, he said, was broadening its mid-market (SME) offering.

“This reflects a changing focus of a number of our key clients towards volume business,” said Horne.

Luhrs suggested that, more than before, firms need access to teams that can manage cyber risks “throughout the lifecycle of an incident and assist with mitigating future claims risk which may not yet be known.”

Privacy Act Review

The prospect of Privacy Act reforms taking effect later this year, said Luhrs, also means that firms like her own need to “continuously train and strengthen their teams to meet the rising demand arising from these risks.”

According to the Attorney General’s Department, the government is currently in a process of consultations concerning privacy reforms. Consultations on changes to address the practice of doxxing – the intentional revelation of private information online without consent – closed in March.

Analysing cyber threats over a 15-month period

Luhrs said her firm also recently analysed the cyber-related incidents it handled over a 15-month period, including costs and losses.

“We know that, overall, ransomware incident attack frequency is down but ransom demand quantum is up,” she said. “Fewer victims are paying, but if they do pay, it’s for a higher quantum than ever before.”

Luhrs said stats showing fewer ransom payments indicate that industry “is moving in the right direction to defend against ransomware attacks.”

However, she said the economy continues to lose “significant capital” to business email compromise incidents and associated funds transfer fraud.

“Particularly insurers who have many small businesses policyholders on their books should note that small to medium-sized incidents are where the volume of cyber incidents rest,” said Luhrs.

She said that, “generally speaking,” Australian firms are “significantly underinsured” against cyberattacks. Small to medium-sized businesses, said Luhrs, are “particular” targets.

“Further work is required to better promote the value of cyber insurance and its uptake to insulate our economy,” said Luhrs. “Insurers play a vital role in supporting policyholders with uplifting their defences and breach response capabilities.”

According to figures from the Insurance Council of Australia (ICA), about 20% of SMEs have cyber insurance. Some cyber brokers say that figure is between 5% and 15%.

IAG launches dedicated cyber agency

Last month, one of Australia’s largest insurers, Insurance Australia Group (IAG) launched a dedicated cyber underwriting agency. A media release said the new firm, called Cylo backed by CGU, aims to strengthen the cyber resiliency of small businesses.

What is a notifiable data breach?

Australia’s privacy laws compel an organisation to report a data breach to both the individuals impacted and to the OAIC. According to the OAIC’s website, reportable data breaches include identity theft, financial loss through fraud and a breach likely to result in a risk of physical harm.
