Systemic risks, silent cyber, and state-sponsored hacking are the three biggest global cyber threats, a leading UK-based expert has told an Emergence Insurance webinar.
Scott Bailey, Managing Director Cyber for London-based Markel International, was in Australia to participate in a Q&A session at one of Emergence’s regular webinars for brokers.
Mr Bailey said systemic risk existed because “cyber risk knows no boundaries”. An incident affecting a single target could cascade across multiple systems, creating widespread havoc.
Silent cyber referred to exposures that may be covered under non-cyber policies because many broader liability and property policies had no cyber exclusions. “Coverage may be open to interpretation,” Mr Bailey said.
State-sponsored hacking included risks like the 2017 NotPetya encryption ransomware, which was allegedly perpetrated by Russian intelligence against Ukraine but spread more broadly because of its sophistication.
Mr Bailey said trends in other jurisdictions were similar to Australia and included:
- Crypto-jacking, through which computer power was diverted to generate cryptocurrencies. “This can be costly,” he warned.
- Sextortion attacks, which targeted people viewing “inappropriate websites” and used webcam images of their viewing habits to extort funds.
Emergence Insurance Head of Sales Gerry Power said sextortion attacks had been trending up in Australia.
Social engineering scams – manipulating people’s vulnerabilities so they surrendered confidential information – were active in Australia and internationally. But Mr Bailey said those scams could be heavily mitigated by risk management, including requiring call backs to potentially fake phone calls and two-factor password authentication.
The European Union’s (EU) General Data Protection Regulation (GDPR) imposed strict conditions on collecting and sharing personal data and was more onerous than Australia’s notifiable data breach scheme.
Asked whether Australia should adopt a regime like GDPR, Mr Bailey said there were moral benefits and “many global tech companies are falling foul”. But he likened GDPR to “using a sledgehammer to crack a nut”. “It’s a significant burden for many businesses.”
Mr Power warned Australian businesses capturing EU data needed to understand and comply with GDPR’s strict requirements.
Emergence Insurance has expanded its Lloyd’s syndicates panel beyond Markel, which remains its key security provider, because of major growth in the past three years and the need to access future capacity.
Mr Bailey said diversification was important because, as cyber losses increased, risk sharing across the market was vital.
Corporates were now seeking coverage for $100 million-$600 million and Mr Bailey cited a hotel chain’s claim settlement which had cost the market about $400 million.
Industry sectors like online gambling and video gaming were big cyber cover buyers, along with traditional industries like retail, hospitality and health.
Mr Bailey advised Australian brokers, for whom Mr Power said cyber was “still a hard sell”, to assess clients’ businesses to identify obvious exposures. Risk management advice had to work in tandem with risk transfer.
Mr Power agreed, saying a cyber policy was part of every successful business’s risk management framework.
“Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack,” he said. “But no amount of risk management can get you out of the sights of a determined cyber attacker.”
Mr Bailey said many SMEs did not think they were vulnerable because SME incidents were not publicised like big companies’ attacks. “SMEs don’t think about cyber attacks until after they’ve had an uninsured data breach.”
Mr Power said: “If you learn from your mistakes and do something positive, the risk is improved. But you need to go to the core of the problem.”
Emergence is a pioneer of cyber cover in Australia and provides protection for SMEs through to ASX-listed entities.