What cyber insurers look for

How the growing cyber insurance sector assesses risk

When he assesses a potential client for cyber risk insurance, Fergus Brooks, national practice leader of cyber risk at Aon, says he is much more interested in their operational approach to cyber threats than in their cyber threat protection technology.

“When I visit a company for the first time I will ask a few key questions,” he told Computerworld Australia. “What I am really looking for is the operational security of an organisation as opposed to ‘Do you have a firewall? Do have antivirus?’ I ask how more about prepared they are for a cyber incident.

“I ask ‘What have you done in terms of planning? Do you have a plan? Have you tested the plan? Does it integrate with your business crisis management plan?’ Then I ask ‘How do you do security awareness training?’”

“The vast majority of claims we get are the result of people clicking the wrong link or opening the wrong file,” Brooks said.

“From those questions I can get an idea from where on the operational maturity scale an organisation is. If they are doing incident response planning the chances are they are doing regular penetration testing, and have security review of their code.”

He added: “I don't often get the answer I want to hear... I still get ‘We are absolutely fine’.”

Brooks said uptake of cyber risk insurance in Australia was much lower than in the US. “We are a long way behind the US,” he told Computerworld. Only five to 10 percent of businesses have taken up dedicated cyber cover. People think because they have coverage in other areas that would cover them for loss, but it’s very rare that a property policy would extend to data: They tend to deal mainly with physical damage.”

In a 2016 survey of Australian and New Zealand businesses undertaken by AusCert and BDO, 13.8 per cent of respondents said they had cyber cover under other policies, 7.4 per cent believed they were covered by other policies, and 9.4 per cent claimed to have a standalone cyber policy. Just under a quarter — 24.5 per cent — said they were considering cyber insurance.

The report cast doubt on the value of some of this insurance in light of poor security practices: “Only 52.3 percent of organisations are performing regular security risk assessments,” it said.

“This suggests that nearly half of all respondents don’t have an accurate view of their cyber risks. This raises the question as to whether those organisations who have taken out cyber insurance, have policies in place that will respond to insurance claims.”

The survey found only 48 per cent of respondents had a cyber response plan and only 41 per cent had a cyber incident response team or capability in place to respond to incidents.

Brooks also fingered Australians’ legendary laissez faire attitude as a contributing factor to poor uptake of cyber risk insurance and suggested a large local corporation suffering a major data breach would have dramatic change on companies’ attitudes to cyber risk insurance.

“With Aussies it’s very much a case of ‘She'll be right mate’ and [in the absence of data breach notification rules] we have not had to tell anybody, and we have not had a really big one in Australia,” he said.

“In the US pretty much everyone knows someone who has had some kind of identity theft because of one of the big data breaches – it’s very much a topic of conversation.”

He saw the recent high profile cyber attacks as a prelude of worse to come. “WannaCry and NotPetya were both from tools stolen from the NSA and there were supposed to be 150 of those,” he said.

Despite its high profile and the damage it did, WannaCry’s ransom demands were modest. “WannaCry did not ask for enough ransom in my opinion, the impact was quite small.”

NotPetya, he said was “just plain nasty; there was no way to pay the ransom.” It was followed by Bad Rabbit. “Some people think that Bad Rabbit and NotPetya came from the same people,” Brooks said.

“Bad Rabbit was shut down after two days. It looks more like attack testing to me.”