Cyber Insurance And Penetration Testing: How Australian Businesses Can Mitigate Cyber Risk
In the early 2000s, cyber insurance was a relatively niche market in Australia. It largely catered to big corporations and tech-centric firms that understood the potential threats of the digital space. However, the past decade has seen a significant shift.
By the 2010s, as data breaches and cyberattacks began making headlines, many Australian businesses sought to understand their potential exposure and means of protection. The mandatory data breach notification introduced in 2018 under the Notifiable Data Breaches (NDB) scheme further propelled the necessity for businesses to manage and mitigate cyber risks. The legislation made it compulsory for entities to notify individuals and the Office of the Australian Information Commissioner (OAIC) about significant data breaches. This increased the uptake of cyber insurance, as businesses sought ways to transfer some of the risks associated with potential data.
Escalating Requirements for Cyber Insurance
As we move into 2024, cybersecurity insurance in Australia has become more challenging to obtain due to several factors. Whereas previously insurance companies believed that cybercrime primarily affected large organisations - as we saw with the likes of Optus and Medibank - cybersecurity insurers saw SMEs as low risk clients. However, the COVID-19 pandemic changed this perception.
During lockdowns when employees were working from home, many businesses rushed to adapt, neglecting proper security measures. Cybercriminals took advantage of this vulnerability, leading to an increase in insurance claims. This high loss ratio (over 60% compared to the auto industry's 10%) forced insurance companies to reevaluate cyber risk.
As a result, insurance premiums have risen, and insurers are more selective about their clients. Providers are now gathering extensive information about businesses and their current security posture to ensure they are secure before providing coverage. This pivot in the cybersecurity insurance landscape has made it harder for businesses to secure coverage.
Penetration testing is now a becoming requirement for many cyber insurance policies as insurers will no longer shoulder the burden for companies with a poor security posture.
Cyber Insurance and Pen Testing Requirements
Cyber insurance provides the following benefits:
- Protection against cyber risks. Cyber liability coverage is important to protect businesses against the risk of cyber events, including those associated with terrorism.
- Cyber insurance helps businesses cover costs from cybercrimes. It handles risks linked to online and tech issues. The insurance can pay for a business's own losses (first party cover) and for losses others face due to the incident (third party cover).
- Highlights commitment to security, and mitigates the risk of fines and prosecution. If you get hit you are legally required to report to AOIC, they will go through your past policies and systems to check you are covered. If you get hit by a data breach and you can’t demonstrate the steps you have taken to prevent this, there are also legal obligations. In fact, CEOs can now be held criminally liable if it is shown they have failed to protect customer data.
However as we’ve mentioned, insurers are no longer prepared to shoulder the risk for organisations who are not sufficiently prepared.
Most Australian cyber insurers are now making it mandatory to pen test the internal, external networks along with any web application and associated APIs, at least annually or whenever major changes take place.
Pen testing is a crucial and continual part of a companies cyber risk management plan, not only does it mitigate risk, developing a strong security posture, but if a breach does occur, it demonstrates to insurers and governing bodies that you had existing strategies in place to avoid the likelihood of such an attack.
Penetration Testing with Cythera
With Australian legislation now holding leaders accountable and cyber risks escalating, companies must now demonstrate proactive measures to safeguard their data. Cyber insurance offers a financial safety net, covering losses from cyber incidents, but it is no longer a passive shield. Insurers are now mandating annual penetration testing to ensure that businesses maintain robust security postures.
This is where Cythera’s world-class cybersecurity team comes to the fore, offering penetration testing that uncovers critical vulnerabilities before they escalate into costly breaches. The question for businesses now is not if they are ready for a cyber incident but how well-prepared they are.
To assist in this mission, Cythera has created a complimentary pen testing checklist —essential for any organisation looking to secure, maintain, and utilise their cyber insurance in 2024. Don't let your defences be an afterthought; take action today to ensure you are cyber-ready for the challenges ahead.
