Product Family

Cyber-crime is proliferating, and cyber insurance is now an integral component of many companies’ risk management programmes. However, insuring against cyber risk presents multiple challenges for underwriters. Max Broodryk, AXA XL’s Product Leader-Cyber Risk, APAC, has the details.

Working with clients on the frontlines of the war against cyber-attacks, I find myself expressing how it sometimes feels combating this scourge of the modern era with phrases like: “pushing water uphill with a rake”, “nailing jelly to a tree” and “stabbing mercury”.

Why is that? First and foremost, cyber-threats only continue to proliferate. Today, all firms are vulnerable to cyber-attacks. As are individuals, local/regional governments, universities, hospitals and non-profit organizations. Or, to put it differently, unless you are living entirely off the grid and never use an internet-connected device, the risk of a cyber-attack is ever present.

Second, cyber-criminals are continually creating new tools and methods to exploit vulnerabilities in the vast universe of essential systems and technologies that power our economies and enrich our lives. Patching faulty code may make an IoT device more secure, for instance, but that won’t prevent cyber-criminals from accessing a company's systems by duping employees with clever phishing scams.

Prevention then mitigation

While cyber risk is virtually ubiquitous, this article focuses on the challenges that cyber-threats present for our clients and in turn us. First, I want to stress that security remains the fundamental imperative. As with all risks, mitigation follows prevention. Considerable information and expert resources are available to clients—including from insurers' risk consulting teams—on how to secure different systems/applications while also lessening the possibility of being targeted. So, I urge clients to take the time to understand the cyber-threats to their organisations and to ensure their systems and processes are as secure as possible.

That said, mitigating cyber risks via insurance also is an option, and cyber coverages are now an integral component in many companies' risk management programmes. However, as I'll outline below, insuring against cyber risk presents multiple challenges for underwriters.

Unsustainable losses

The global cyber insurance market, including Australia, experienced several large losses in 2019 and 2020 that significantly impacted insurers' overall profitability. In response, some insurers limited their exposure to this class of business by reducing policy limits, increasing retentions, restricting their offerings to specific clients or industry segments while a few exited this market.

A continuously evolving threat

The unpleasant fact is that cyber-crime today is profitable: It doesn't require much upfront capital; payoffs from five- to over eight-figures are not uncommon; and the risk of being caught is fairly low. That makes it attractive to criminal gangs, some nation-states and opportunistic amateurs, who then apply the lessons learned from past "campaigns" to devise ever more effective methods for extracting money from different types of organizations.

Ransomware in particular has emerged as perhaps the most concerning recent dimension in the evolution of cyber-crime. Before 2018, ransomware tended to be delivered in random and untargeted ways. In those early days of cyber-crime, attackers could only guess which organisations were more or less likely to pay and whether to set the demands high or low. In other words, they had to grapple with the same issues that companies face when launching new products or entering new markets; e.g., what types of organisations to target, and whether to focus on a few big wins or many smaller successes. Ransomware attackers soon discovered that if their demands were perceived as relatively modest, many victims would opt to pay the ransoms because the decryption processes were viewed as reliable as well as cheaper and faster than restoring system(s) from back-ups.

Based on these initial experiences, ransomware gangs are now moving “up market” by targeting larger entities and demanding much higher ransoms. Also, their attacks are more sophisticated and much more invasive, often exfiltrating sensitive data and disabling networks. Thus, over the last two years, the ransom demands, and subsequent amounts paid have increased exponentially along with, in turn, the costs of forensic investigations, data recovery, associated business interruption expenses and legal advice.

Regulators are getting involved

In a few high-profile cases, regulators have taken notice and levied substantial fines on companies after data breaches compromised confidential data. In Australia, for instance, the Securities and Investments Commission (ASIC) is seeking a civil penalty against an Australian Financial Services Licence (AFSL) holder for inadequate cyber-security systems. The Office of the Australian Information Commissioner is also said to be reopening old data-breach cases and asking for additional information, which suggests it is looking to take a more active enforcement approach in the future.

While these developments should benefit companies by pushing them to take cyber-security even more seriously, these actions could further compound the difficulties insurers face in determining a fair and sustainable rate for cyber insurance. In particular, as regulators take a more proactive role in holding companies accountable for their cyber-security systems and procedures, that could impact the "tail" on cyber policies because penalties and third-party claims for compensation are usually levied long after these events occur.

Then there is aggregation

Insurers invest considerable time and effort assessing and managing aggregation risk; the potential for a single event to affect multiple policies. However, unlike property insurance, where aggregation is limited to a specific locale or region, cyber risk could aggregate in various ways:

  • Across different product lines, including products where cyber coverage is "silent"
  • Across common vulnerabilities in a particular type of equipment, operating system or application exploitable by malware
  • Via malware that is widely propagated
  • Across common shared infrastructure—including cloud services, payment networks, navigation and timing systems—that suffers interruptions due to attacks, system failures, or simply human error
  • Across supply chains using a common vendor that suffers a breach
  • Across a particular industry
  • Via the theft of passwords or other access credentials that can be re-used.

Because the aggregation risks with cyber are so diffuse, insurers must monitor their cyber portfolios carefully; the same challenges also apply in other lines where a cyber event could trigger coverage. And in some cases, insurers may opt to introduce more stringent underwriting controls to limit aggregation risks.

I have seen the future … 

So, where do we go from here? Clearly, cyber risks will only continue to grow and evolve. In fact, the increase in remote working due to the Covid-19 pandemic has made many organizations even more vulnerable to cyber-attacks.

At the same time, for the reasons I've outlined in this article—plus some others I haven't touched on, e.g., the role of the capital markets and increased reinsurance costs—many companies should prepare for the likelihood that their expenses for managing and mitigating cyber risk will go up.

Hence, it is essential for the collective community of clients, brokers, insurers and cyber-security experts to continue sharing expertise, best practices and lessons learned. All crime, including cyber-crime, is an unproductive drag on society, and it is in all our interests to marginalize these activities as much as possible. Only by working together, increasing security, and reducing or eliminating the proceeds of crime (like ransom payments), it is possible—not assured, but possible—we will get to the point where cyber-crime becomes yesterday’s problem.

Max has been involved in cyber insurance for the last ten years and financial lines and other classes for twenty years prior to that in various underwriting, claims, portfolio management, operational and management roles in Australia, Asia, New Zealand and the Pacific Islands. He is based in Sydney and can be contacted at


More Articles

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.