Award winner explores cyber threat potential
By Rose Cavanagh*
The year is 1981.
- NASA launched its first space shuttle mission.
- Diana Spencer married Prince Charles.
- It was finally determined that a dingo took baby Azaria.
- Ian Murphy (AKA Captain Zap) became the first person convicted of a cybercrime when he hacked AT&T’s system and altered their internal clocks.
I wasn’t here to experience any of that. But, fast forward more than 40 years and the cybercrime landscape has evolved. There’s an average of 2,200 cyber attacks a day globally and cybercrime cost Australia alone an estimated $42 billion by the end of 2022.
What does this mean for cyber insurance?
Zurich CEO Mario Greco told The Financial Times last year that cyber would become uninsurable, saying it’s “not just data . . . this is about civilisation. These people can severely disrupt our lives”.
Voice simulation
In 2019, the CEO of a UK-based energy company got a call from his German boss who asked him to urgently transfer £250,000 to a supplier. Without hesitation, he responded to his boss’s request. Unfortunately, it wasn’t his boss on the phone; in fact, it wasn’t even a person. A cybercriminal had used AI software to download an audio-spoofing device to perfectly simulate the boss’s voice.
While cybersecurity capabilities seem to be improving, unfortunately the threat and sophistication of cyber attacks are overtaking that progress. Cybercriminals are now using AI, deep-fake technology, and targeted phishing campaigns to automate their attacks.
Attacks increased in frequency in 2023. How can the cyber insurance market respond when cybercriminals are getting smarter, and with the possibility that a single cyber attack can cause catastrophic consequences?
Let’s start with cybercriminals.
In the past decade, we have seen extraordinary growth in technology as the world becomes more digitalised and interconnected. Cybercriminals have evolved beyond traditional tactics and disordered attempts to infiltrate weak security systems.
Phishing attacks
A trend has evolved in Australia and worldwide called ‘hacking the human’ where cybercriminals impersonate an employer, service provider or family member in their phishing attacks. No doubt many have fallen for that.
Just last week, my mum received a text from her only daughter saying her phone was broken and she urgently needed money transferred into a random bank account.
Unfortunately, it isn’t beyond the realm of possibility that mum’s real daughter would send such a message, so she did have to check. But, according to the Australian Competition and Consumer Commission, reported losses from the ‘Hi mum’ scam were $2.6 million by the end of 2022.
Cybercriminals also use AI and deep-fake technology to create fake images, audio and even videos to automate their attacks.
This year a cybercriminal used deep-fake technology to produce a video of Russian President Vladimir Putin with the caption ‘President’s emergency appeal’. The video showed a realistic-looking Putin declaring military mobilisation and martial law. It aired on several television networks and coincided with a surge in Ukrainian attacks.
Some might ask what’s less worrisome, an AI version of Vladimir Putin or the real thing. But it’s just one example of the whole new frontier of cybercrime, with cybercriminals adopting increasingly sophisticated ways to deceive organisations and governments.
High demand
The good news is that the demand for cyber insurance products is at an all-time high and will continue to grow. But we face a challenge. How can the cyber insurance market respond to the gradually evolving and exponentially increasing cyber risk so the market remains viable?
In recent years, the number of organisations taking up cyber insurance in Australia has been increasing. However, the cyber insurance market is still relatively small. Cyber represents 0.4% of the Australian general insurance market, 4% of the Lloyd’s market and 1% of the US market.
While there is strong growth potential, many insurers are reluctant to provide cyber insurance, or instead provide limited insurance cover under standard policies, given the high cost and difficulty in pricing and assessing cyber risk.
Huge data breaches
The scale of risk to insurers was brought home in the past year with a few of the biggest cyber breaches Australia has ever seen:
- Medibank suffered a large data breach affecting the personal medical information of about 9.7 million customers and is subject to a $50 million fine if it’s determined it did not have sufficient security practices in place.
- Optus, Australia’s second largest telecommunications company, suffered a breach impacting up to 9.8 million customers.
- Financial services provider Latitude suffered an attack impacting on more than 14 million people across Australia and New Zealand.
The damage from these attacks is ongoing and not yet quantified. What attack will be next and on what scale? Cyber leaders have warned that an attack causing catastrophic consequences spanning multiple organisations, sectors and infrastructures will likely occur by 2025.
That gives the market less than two years to prepare. We are on the clock.
How does the market prepare for this?
The Insurance Council of Australia (ICA) has called for an overhaul of cyber policy settings and recommended solutions. I will name just a few.
Tighten policy wordings
Firstly, there needs to be a tightening of policy wordings and clarity over what is covered. As the frequency of cyber attacks has increased, some insurers have updated their policy wordings to exclude silent cyber coverage from non-cyber products. As a result, it is essential the insurance industry works with policyholders to ensure they clearly understand the extent to which risks are covered under their policies.
Secondly, we need to prepare for a catastrophic attack. The UK has shown a pathway for insurers to provide cover for catastrophic events by transferring risk. Beazley has introduced catastrophe bonds for cyber events. The bond essentially caps the amount Beazley pays in the event of catastrophic cyber attacks and transfers the financial risk to investors, who receive attractive investment rates. That enables the industry to spread coverage risks and provides insurance with a new source of capital.
Thirdly, cyber is fast moving and a rapidly evolving threat. We don’t have historical data to rely on to predict risk. We have no choice but to rely on current data to identify, prevent and detect future cyber attacks. Consequently, the ICA has called for better data sharing from industry to government and government to industry.
Second line of defence
Insurance will not protect individuals and businesses from cyber attacks, just as it can’t prevent a flood or fire occurring. Insurance remains the second line of defence, with strong cyber security and technology the first.
No individual or organisation is immune from a cyber attack and we live in uncertain times in which criminals are wreaking havoc for governments, businesses and individuals across the globe.
It is difficult to predict where the cyber insurance market will land. But there is one thing I know – we better get rods ready because it’s phishing season and the phish are biting.
*Rose Cavanagh is a lawyer at Lander & Rogers in Sydney and the winner of AILA’s 2023 Ron Shorter Award for public speaking. She shared her winning presentation with delegates at WICA2023 in Melbourne.