Cyber risk: Beyond the safety net with QBE
As cyber threats grow, QBE’s Dominic Keller discusses evolving insurance trends and strategies to strengthen cyber defences and maintain organisational resilience
WOULD YOU go into a critical surgery knowing that the hospital didn’t have a backup generator? If the power grid failed, every second would count; while the medical team would have the skills to perform with precision, they couldn’t succeed without the backup generator kicking in to restore power and keep the operation on track.
In the world of business, cyberattacks are the equivalent of such sudden blackouts – disruptive, dangerous and potentially catastrophic. Like backup generators at hospitals, the need for cyber insurance has evolved beyond its role as a safety net. It’s now a vital part of strategic planning for organisations to ensure that businesses can manage cyber incidents effectively and emerge stronger and more resilient.
QBE Australia is part of the QBE Insurance Group, an international insurer and reinsurer headquartered in Sydney with offices across all states and territories. At QBE we’re driven by our purpose – enabling a more resilient future – and our vision: to be the most consistent and innovative risk partner. We provide a broad range of insurance products and risk management solutions to personal, business, corporate and institutional customers – from car and home insurance to tailored business packages and specialist cover for industries such as aviation and farming.
Chart: What types of financial crime are on the rise in Asia-Pacific? (legend: increased by 11–20% in last year)
QBE is taking a proactive, partnership-driven approach to helping companies strengthen their defences and respond to evolving cyber threats. From ransomware to supply chain vulnerabilities, the modern threat landscape requires more than traditional risk transfer.
Businesses must engage at all levels across the organisation – from boardrooms to contractors – to prepare for incidents and enhance cyber resilience. With an emphasis on collaboration, training and comprehensive risk assessment, QBE is helping its clients navigate the complexities of cybersecurity, turning potential crises into opportunities for growth and innovation.
“The cyber market has evolved very quickly and dynamically,” says Dominic Keller, global head of cyber services at QBE. “In the last 12 months, we’ve seen ransomware attacks continuing, with frequency and severity remaining quite high and organisations being the victims of both data theft and [the] subsequent threat of exposure, and operational attacks which can paralyse an organisation’s business.”
Keller notes that cyberattackers are focusing more on the theft of data as a means of extortion, including the theft of sensitive corporate information as well as customer data. This adds a new layer of complexity to the threat landscape and has forced businesses to reassess core data ‘crown jewels’ and bolster their defences against a wider range of potential attacks.
The rise in data-privacy-focused attacks is particularly concerning, as it represents a dual threat to businesses. Not only do these attacks potentially disrupt operations but they also pose significant reputational risks. The exposure of sensitive customer data, or other confidential company information, can lead to long-term damage to a company’s brand and customer trust, often far exceeding the immediate financial impact of the attack itself.
Another area of growing concern is the potential vulnerability of technology supply chains and the risk of cyberattacks on core technology systems used by many organisations. “We are seeing cyberattackers become more focused on these core technologies, as well as an increased risk of an inadvertent outage by a vendor causing widespread business disruption across an industry or region,” Keller explains.
This trend underscores the need for companies to thoroughly vet their vendors and understand the potential ripple effects of a breach anywhere in their supply chain. As businesses become more interconnected, the importance of robust risk management practices extends far beyond their own networks.
The complexity of modern supply chains means that a single weak link can potentially compromise the security of numerous organisations. This interconnectedness has led to a new approach to cyber risk assessment, where companies must not only evaluate their own security measures but also those of their partners, suppliers and even customers.
Keller emphasises the importance of proactive services in QBE’s value proposition. “We want organisations to be preparing for cyber incidents across their business operations. We want to be providing them with unique value in providing those services and to provide services that reduce the risk of a cyber incident, as well as improving the outcomes if an incident does occur,” he explains.
This focus on preparation and resilience-building reflects a growing recognition that cyber risk management is not solely a technical issue; it’s a business-wide challenge that requires engagement at all levels of an organisation.
Proactive measures can include regular security audits, penetration testing and tabletop scenario-planning exercises. These activities not only help identify potential vulnerabilities but also ensure that when an incident does occur, the organisation is well prepared to respond quickly and effectively.
“In a number of cyber incidents, we have seen that organisations that proactively focus on business continuity when systems are unavailable, rather than simply what information systems are core to their operations, respond and recover more effectively with lesser long-term business impacts,” Keller says.
This holistic approach to risk assessment requires input from across the organisation. Finance teams can provide insights into potential financial impacts, operations can identify critical systems and processes, while marketing and communications teams can assess reputational risks. By bringing these perspectives together, businesses can develop a more comprehensive understanding of their cyber risk exposure.
The evolving threat landscape
Published 05 Nov 2024
Chart categories (financial crime types): Financial crime involving digital payments; Financial crime involving the use of AI; Corruption and bribery within supply chain; Criminal use of technologies/methodologies; Financial crime involving cryptocurrencies; Trade-based money laundering schemes; Use of money mule accounts to launder crime proceeds; Supply chain disruptions. Legend: increased by over 20% in last year.
Source: LexisNexis Risk Solutions True Cost of Financial Crime Compliance Study, Asia Pacific, 2024
Top business challenges relating to insurance
1. Understanding the level of insurance needed
2. Affording insurance
3. Implementing risk management and employee safety strategies, policies and procedures
Source: Zywave 2024 Broker Services Survey
A partnership approach to cyber insurance
In response to these evolving threats, QBE has positioned itself as more than just a risk transfer partner.
“QBE is very focused on building strong partnerships with our policyholders and making sure that, rather than a pure risk transfer partner, we are engaging with them to ensure that we can improve their cyber risk,” Keller says.
This collaborative approach involves working with various stakeholders within an organisation, from board members to operational teams, to create a comprehensive understanding of cyber risk across all aspects of the business.
The partnership model extends beyond the point of sale, encompassing ongoing support and guidance.
“Cyber risk now impacts all aspects of a business’s operations,” Keller says. “Whether [it involves] working with technical, operational or leadership teams, proactively preparing for a cyber incident and effectively understanding key organisational risks is critically important.”
Proactive risk mitigation
The human factor in cybersecurity
Despite technological advancements, human error remains a significant vulnerability in too many cyber incidents. “Most cyber incidents are still started by a human clicking on a malicious link,” Keller says.
“Exploring how we can support improvements in training, how we can engage with the workforce, and the human side of cyber risk remains one of the critically important measures of how you effectively manage cyber risk in your organisation.”
With human error consistently cited as one of the leading threat actors in the attack landscape, this observation highlights the ongoing need for comprehensive training and awareness programs that engage employees at all levels of an organisation. It’s not enough to have robust technical defences if staff members are not equipped to recognise and respond to potential threats.
Effective training programs go beyond simple dos and don’ts, fostering a culture of security awareness throughout the organisation. These can include regular simulated phishing exercises, interactive workshops and integrating security considerations into day-to-day operations.
Quantifying the unquantifiable
One of the persistent challenges in cyber risk management is the difficulty of quantifying potential losses. Keller argues that this requires a shift in perspective: “What we need to do is look at the business as a whole and how it is reliant on networks and systems to operate effectively.”
By framing cyber incidents as business continuity events, organisations can better understand and prepare for the wide-ranging impacts of a potential breach. This approach can also help them develop more effective incident response plans and workarounds that can minimise disruption in the event of an attack.
The true cost of inadequate cover
As the cyber threat landscape evolves, ensuring adequate coverage becomes increasingly complex. Keller notes that, unlike more traditional forms of insurance, the valuation of cyber risk is not easy.
“With property insurance, we have a building, for example, that you can value fairly accurately. With cyber risks and subsequent cyber insurance considerations, there are financial, operational, reputational and customer-facing considerations to be considered,” he explains.
This multifaceted nature of cyber risk often leads to underestimation of potential impacts.
“Organisations often underestimate the importance of systems to their core business functions,” Keller warns. “When we do see organisations that have a cyber incident, often they do underestimate just how reliant they are on systems to operate.”
To address this challenge, Keller advises a thorough, cross-functional approach to risk assessment.
“Working with organisations across industries, I commonly see that regardless of the size of the organisation, unless cyber incidents are proactively assessed from a technical, operational and cross-business perspective, it’s likely that organisations will underestimate the true financial costs or overlook key impacts arising from a cyber incident.”
Keller cautions that the threat landscape remains dynamic and challenging. “Unfortunately, there remains a lot of profit to be made by the bad actors in ransomware attacks, and the way that they’re targeting data privacy as well as operational attacks means that it’s going to continue to be a challenge,” he says.
In response, organisations need to adopt a comprehensive, adaptive approach to cybersecurity. This includes not only robust technical defences but also ongoing training; regular risk assessments, including cyber risks in business continuity planning; and fostering a culture of security awareness that permeates every level of the organisation.
In an increasingly interconnected and digitally dependent world, the ability to effectively manage cyber risk may well become a key differentiator between successful businesses and those left vulnerable to the next wave of digital threats. Partnerships with experienced insurers like QBE, and cybersecurity experts, need to be built into corporate strategy as routine.
Corporate governance and cyber resilience
As the threat landscape continues to evolve, Keller sees a trend towards more mature risk management practices. “We’re seeing organisations look at cyber risk as a business risk in a much more mature, much more effective way,” he says. “Governance, boards, C-suite and leadership engagement with cyber risk is where we’re going to see continuing evolution.”
This shift towards treating cyber risk as a core business issue reflects its growing importance in the corporate world. Surveys show that the cost of insurance or cyber risk management is less of a factor than investing in understanding key risks, proactively preparing for diverse cyber incidents and focusing on an effective and comprehensive response and business recovery.
Copyright © 2024 KM Business Information Australia Pty Ltd
Disclaimer
This content is brought to you by QBE Insurance (Australia) Limited (ABN 78 003 191 035, AFSL 239545) (QBE) as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. QBE makes no warranty or guarantee about the accuracy, completeness, or adequacy of the content. Readers relying on any content do so at their own risk. It is the responsibility of the reader to evaluate the quality and accuracy of the content. Reference in this content (if any) to any specific product, process, or service, and links from this content to third party websites, do not constitute or imply an endorsement or recommendation by QBE and shall not be used for advertising or service/product endorsement purposes. To decide if a product is right for you, please read the relevant Product Disclosure Statement (PDS) and Target Market Determination (TMD).