The cyber wake-up call we had to have?

By Win-Li Toh
Principal
19 June 2023


Co-author

Sarah Wood



In the past 12 months, Australia has experienced the most significant data breaches in its history. It’s been a sobering alert for government, business and community across the country about the importance of cyber security. With the spotlight now firmly on improving cyber resilience, we explore some of the promising developments in train to tackle the issue.

In September 2022, the Actuaries Institute released its Green Paper Cyber Risk and the Role of Insurance, co-authored by Taylor Fry. Since its publication, Australia has faced the three largest data breaches in its history:

  • In September 2022, Optus was the victim of a cyber attack affecting 9.8 million former and current customers
  • In October 2022, Medibank was the victim of a cyber attack affecting 9.7 million former and current customers
  • In March 2023, Latitude Financial was the victim of a cyber attack affecting 14 million former and current customers.

A number-one risk emerges

As a result, cyber risk made national headlines and conversations around cyber security became commonplace – at the kitchen table and board table alike. In January, the Australian Securities and Investments Commission’s Chairman Joe Longo said, “For all boards, I think cyber resilience has got to be a No. 1 risk facing everyone. From my perspective, I see it as the top-of-the-house, the board-of-directors-level issue.” We understand the Australian Institute of Company Directors (AICD) publication Cyber Security Governance Principles, released in October 2022, was the most downloaded publication in AICD’s history.

Partnerships between government, industry, academia and community are central to cyber resilience

Organisations were quick to contact their insurance brokers to check the adequacy of their cyber insurance coverage or contemplate taking out coverage for the first time. Another consideration was increasing the amount they spend on information security.

A survey by cybersecurity software firm Netskope indicated about 70% of Australian organisations surveyed had seen an increase in their leadership’s willingness to bolster information security investments. The survey found the proportion of organisations planning bigger cyber security budgets between 2022 and 2023 jumped to 63%, up from the 45% that increased their budgets between 2020 and 2022.

How is this escalating interest helping to combat the threat landscape and improve our cyber resilience? We draw out some of the most promising developments for government, industry and community in response to Australia’s cyber security wake-up call.

Government and industry are coming together to tackle cyber issues

One of the major conclusions of the Green Paper was that the challenges associated with cyber risk couldn’t be solved by individual players – the issues are too vast to be solved in isolation.

In December 2022, Australia’s Minister for Cyber Security, Clare O’Neil, announced the development of the 2023–2030 Cyber Security Strategy, led by an expert advisory board comprising the former CEO of Telstra, Andrew Penn, retired Air Marshal Mel Hupfeld and Rachael Falk, CEO of the Cyber Security Cooperative Research Centre.

When announcing the development of a revised strategy, Minister O’Neil said the “approach demonstrates the Australian Government’s enduring commitment to collaboration. Cyber security is a team sport and we must all work together to make Australia the most cyber secure nation in the world by 2030”.

In February, the expert advisory board released the 2023-2030 Australian Cyber Security Strategy Discussion Paper. The discussion paper notes “the Strategy will be developed in partnership with industry, academia, state and territory governments and the Australian and international community. Like Australia’s cyber security, the Strategy will be a team effort, building on our history of collaborative cyber resilience”. It calls for collaboration to ensure Australia is a world leader in cyber security by 2030. The focus areas for the strategy are:

  • Enhancing and harmonising regulatory frameworks
  • Strengthening Australia’s international strategy on cyber security
  • Securing government systems
  • Improving public-private mechanisms for cyber threat sharing and blocking
  • Supporting Australia’s cyber security workforce and skills pipeline
  • National frameworks to respond to major cyber incidents
  • Community awareness and victim support
  • Investing in the cyber security ecosystem
  • Designing and sustaining security in new technologies
  • Implementation governance and ongoing evaluation.

Consultation on the discussion paper closed in April 2023, and we will be eagerly following development of the strategy.

Signs of a softening cyber insurance market – some respite for business?

At the time of publication of the Green Paper, we identified that the previous two years had been tumultuous for the cyber insurance market, particularly:

  • Significant reduction in capacity offered – with reductions in policy limits
  • Increases in premiums (which had averaged more than 100% from Q4 2020 to Q4 2021), with price increases all the way up the insurance coverage tower, and no tapering off at higher levels of cover.

In the first half of 2023, we’ve started to see signs of a softening insurance market. Major brokerage firms have reported that the Asia-Pacific region is seen as a growth target, with the market increasing coverage back to the historical maximum line size of $10 million, and some markets offering limits exceeding $10 million. On pricing, rate increases declined over the second half of 2022. Brokers are expecting to see meaningful price decreases, on primary and especially excess insurance, as well as improvements in coverage for businesses with a detailed focus on security.

We’ll be watching how a softening market will impact the take-up of cyber insurance, particularly whether it will flow through to increased demand in the small to medium enterprise (SME) market – currently, only about 20% of SMEs hold cyber insurance.

Prioritising resilience for small business

The Green Paper pointed to several challenges facing small businesses in protecting themselves against cyber risk, including:

  • Low spend on cyber security, with an Australian Cyber Security Centre Small Business Survey revealing almost 50% of small businesses spend less than $500 on cyber security
  • On average, poor cyber security hygiene
  • Limited education on cyber risks, and low awareness of available educational resources.

Australia’s federal Budget in May 2023 announced $23.4 million to support small businesses to build resilience to cyber threats. This will be delivered through a Cyber Wardens program that aims to equip small businesses with the foundational skills they need to improve cyber safety. It will be delivered by the Council of Small Business Organisations Australia and will support more than 15,000 small businesses.

What else we’ll be watching out for

In the ever-evolving world of cyber risk, we’ll also be keeping a keen eye on:

  • The results from ASIC’s cyber pulse check on corporate Australia – ASIC has been conducting surveys about the cyber resilience of financial market firms since 2016. This year, it will be surveying corporate Australia more broadly, asking for entities to self-assess their cyber security and controls, governance arrangements and incident preparedness. It will be one of the largest surveys conducted into Australia’s cyber resilience and ASIC will publish a report with key findings later in the year.
  • The results of consultation on the proposed expansive reforms to the Privacy Act – In February 2023, the Attorney-General proposed expansive reforms to the Privacy Act, intending to strengthen and modernise privacy protections for Australians. The proposed reforms are broad, and aimed at strengthening the protection of personal information and the control individuals have over their information. These reforms are in consultation, and are expected to culminate in new legislation before Parliament in the next 12 months.
