Recent cyberattacks in Australia have highlighted weaknesses in cyber resilience across several industries amid rising insurance rates for businesses looking to mitigate against this particular type of risk.

One company currently feeling the heat is Medibank Pvt. Ltd. The health insurer's personal information handling practices are currently under investigation by the Office of the Australian Information Commissioner after hackers stole customer data and released the information on the dark web when the company opted not to pay the ransom.

Medibank CEO David Koczkar said the insurer is committed to sharing what it has learned to help Australian businesses and the broader community better navigate any similar challenges in the future, according to a company statement.

A spokesperson said in an email that Medibank had considered cyber insurance in the past and made the decision to self-insure given the restrictive nature of coverage combined with an assessment of the risk involved.

Jarden analysts said in a Nov. 16 research note that while additional one-off costs pose a further risk, Medibank appears to be "well positioned" with a debt-free balance sheet and A$150 million of unallocated capital.

Cross-industry problem

An Insurance Council of Australia spokesperson said in an email that the focus on cyberrisks and insurance is increasing as a result of some recent high-profile attacks, but the role of cyber insurance is not broadly understood, and the uptake of cover is still low relative to other classes of insurance. 

"The combination of a small premium pool and the increasing sophistication and maliciousness of some cyber-attacks have put significant pressure on insurers and businesses alike," the spokesperson said.

Other recent cyberattack victims Down Under include telecommunications company Optus and The Smith Family charity. "All of Optus' insurance arrangements are commercial in confidence," a company spokesperson told S&P Market Intelligence, while the charity did not respond to a request for comment.

In addition, internet services provider TPG Telecom Ltd. disclosed on Dec. 14 the discovery of evidence of unauthorized access of emails of up to 15,000 business customers.

Overall, the Australian Cyber Security Centre received over 76,000 cybercrime reports in the 2021–2022 financial year, up 13% from the previous period, according to its latest annual cyberthreat report. It saw a 25% increase in the number of publicly reported software vulnerabilities worldwide.

Certain software and hardware are used ubiquitously across government, critical infrastructure, small business and by individual users, presenting malicious actors with a plethora of potential victim networks, the center warned.

A capital markets solution

Willis Towers Watson PLC said in a recent report that primary and excess cyber renewals averaged more nominal premium increases in the flat to 25% range in the fourth quarter, and there are signs of capacity beginning to broaden. The global broker added that rate increases will still be the steepest for those organizations that cannot demonstrate strong cyberrisk controls, culture and overall cyber hygiene.

S&P Global Ratings credit analyst Manuel Adam said the cyber insurance market now presents an opportunity for insurance-linked securities, or ILS, investors to gain exposure to cyberrisks in the same way they did with natural catastrophe risks in the '90s, following Hurricane Andrew in 1992. But so far, ILS investors have not shown much interest, and Adam believes that growth in cyber ILS will be slow in the short-to-medium term.

The analyst said ILS investors have "learned the hard way" that they can be exposed to perils that they had not fully modeled and/or priced for, noting that cyberrisks are not limited by region and can easily spread across the globe in a few seconds, exposing investors to accumulation risk and related losses.

However, Ben Zickel, chief technology officer at insurance-linked securities platform Vesttoo Ltd., believes that cedents will "always consider" the capital markets as one possible solution.

"Even in cases where traditional cyber reinsurance premiums are cost effective, cedents would like to keep the option of transferring cyber risk to the capital markets to diversify their sources of capital," Zickel added.

The executive noted that while the cyber insurance industry has grown massively in recent years, many of its earliest claims have not yet been settled, limiting the ability of investors to evaluate the risk associated with cyber insurance, Zickel added.

"Given this, it is not surprising that capital market investors may be hesitant when considering investments into this new and growing space," Zickel said.