Claims frequency for cyber insurance rose by 29% for FY2019 compared to a year earlier, according to a portfolio analysis conducted by cyber insurance specialist underwriting agency Emergence Insurance.
The finding, revealed last week to almost 1,000 brokers and their clients at a webinar, also correlates with new data in the latest notifiable data breaches (NDB) scheme report issued by the Office of the Australian Information Commissioner (OAIC), in which notifiable data breaches were up 14% from the prior quarterly report.
Emergence portfolio analyst Luke Sheppard said that the agency’s industry categories also mirrored OAIC figures. While professional, scientific or technical services accounted for 20% of claims, healthcare and social assistance accounted for 14%. Meanwhile, financial and insurance services comprised 12%. However, claims costs for financial services were 20%.
The OAIC’s report for the quarter to 30 June 2019 showed healthcare remained the worst performing category with 19% of NDBs, followed by finance at 19% and legal/accounting at 10%.
At the same time, the underwriter’s FY19 average claim severity was up by 51% compared to the previous year. Its claim settlement times also reduced 27% from FY18 to FY19, assisted by streamlined claims processes.
However, Mr Sheppard said that claim costs were up to three times higher for businesses that had no written cyber risk management policies or awareness training. In comparison, organisations that regularly updated anti-virus systems had fewer claims. He also said that organisations doing daily backups recovered 25% faster than those that did not.
“A large proportion of business interruption claim costs is in data recovery,” he said.
Emergence data for claim types also echoed OAIC’s statistics with hacking and extortion responsible for 36% and 31% of claims respectively.
Many data breaches could in fact be prevented with sound risk management as human error remained a major factor. “Employees must understand they are the last line of defence if security systems fail,” said Emergence head of sales Gerry Power.
“The garden-variety cyber criminal goes after low-hanging fruit – organisations with weak security postures where they can access systems via open back doors.
“More sophisticated criminals can be embedded within organisations’ systems for six to nine months, observing interactions, before launching targeted attacks,” he said.
The close correlation between the OAIC and Emergence data therefore pointed to education as the key to reducing claims and thus lowering premiums.