Australia’s 2020 Cyber Security Strategy

Tahiry Rabehaja[1], Denny Wan[2] and Ryan Springall[1]

The Australian Government, through the Department of Home Affairs, has called for views regarding the cyber security strategy that Australia should adopt from 2020. This strategy will be the successor to the 2016 initiative, which the Government accompanied with an investment of $230 million in cyber security. The call for views consists of a series of 26 questions ranging from technical solutions to legislative discussion. Few of these questions were directly related to regulation and cyber insurance. In the response that Risk Frontiers submitted to the call, we stressed that cyber security is a risk and thus should be managed as such. This means that whilst mitigation and deterrence are important components of risk management, insurance has a role to play as a mechanism for risk transfer and for reinforcing robust cyber security practices through pricing and policy signals. Here is a summary of the top five questions that Risk Frontiers addressed.

4. What role should the government play in addressing the most serious threats to institutions and businesses located in Australia?

To accurately price risk, insurers require a robust quantitative understanding of frequency (how often) and severity (how much financial loss). These data are often obtained through years of claims data and experience dealing with natural catastrophes, for example. In the case of cyber-risk, this understanding is currently lacking. Overcoming this deficiency will require strong and pragmatic leadership from the government to ensure a cyber-risk resilient Australian economy.

The USA is amongst the countries with well-developed cyber security laws and regulations. In addition, the US government actively encourages US businesses to implement robust cyber risk management and, in particular, promotes the incorporation of cyber insurance into their Enterprise Risk Management strategy. According to a 2018 Aon report[i], the current global cyber insurance market premium is estimated to be between 4 and 5 billion US dollars, with the US accounting for more than 80% of this market. Figure 1 shows the breakdown of global cyber insurance premiums. The US market is considered to be maturing while the rest of the world is developing and expected to grow. In 2018, the Australian cyber insurance market premium was approximately US$60 million, which was about 2% of the global market by premium volume.

Figure 1: Measured and estimated written premiums (source: Aon Cyber Insurance Market Insights 2018).

In Australia, the recent enforcement of the Notifiable Data Breach (NDB) scheme as well as the introduction of APRA’s CPS 234 regulation are positive steps towards improving the resilience of Australian businesses to cyber threats. However, more information on breach frequency and severity needs to be shared with the insurance industry to assist in understanding the frequency/severity relationships underpinning risk transfer policies and to educate businesses and the community on the value of taking up cyber insurance.

Such governmental regulations have already proven effective for other countries and regions. In the case of the US, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Federal Information Security Management Act (FISMA) form the three pillars for digital security compliance for businesses and governmental institutions.

Corresponding regulations for Australia are framed through the Privacy Act 1988 and subsequent amendments such as the NDB in 2017. However, compliance alone does not ensure resilience, as shown by high profile cases such as the Target breach. At the end of 2013, hackers exfiltrated more than 100 million records containing credit card details and other Personally Identifiable Information (PII) from Target’s internal network. Target was PCI compliant and deployed state-of-the-art security systems, but the breach still occurred due to a weak link at a third party, poor network segmentation and other system misconfigurations[ii]. Target did have cyber insurance, which proved useful in offsetting some of the financial losses incurred during the post-breach response period. A well-planned response is an equally important defence strategy, and cyber insurance will go a long way towards providing better incident response and business continuity.

10. Is the regulatory environment for cyber security appropriate? Why or why not?

Regulatory frameworks such as the NDB primarily focus on the protection of privacy. In contrast, other regulations such as CPS 234 are more balanced because they address broader information security challenges beyond the protection of PII. While currently only enforced on APRA regulated entities, CPS 234 is applicable to other organisations and presents an encouraging point of departure for lifting cyber security standards across the Australian economy. The standard is principle based and non-prescriptive, offering regulated entities scope to leverage their current investment in Information Security Management Systems (ISMS) to achieve compliance.

The 2019 update of CPG 234 (guidance for implementation of CPS 234) includes some concrete best practices such as information to be presented to the business board tabled in Appendix H. Implementation of the standard can be assisted by taking advantage of a standard cyber risk quantification framework such as Factor Analysis of Information Risk (FAIR).

The FAIR methodology is a quantitative approach that provides estimates on the frequency and severity of loss events using historical data, heuristics and expert opinions. FAIR is a comprehensive methodology that provides a framework for analysing tail losses through quantitative metrics such as Value at Risk. The quantification process provides a structured approach to prioritise risk and remediate efforts based on expected reduction in potential financial loss, enabling a prudent investment culture in cyber security based on established financial management principles.
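The frequency/severity arithmetic behind a FAIR-style analysis, as an added illustration that is neither Risk Frontiers' cyber risk model nor any official FAIR tooling; the event rate, the lognormal loss distribution and the effect attributed to a hypothetical control are constructed assumptions:

```python
"""FAIR-style annualised loss quantification (illustrative, constructed parameters).

Frequency : Poisson(event_rate) loss events per year.
Severity  : lognormal per-event loss, which gives the heavy right tail
            that Value at Risk (VaR) is meant to expose.
Outputs   : annualised loss exposure (ALE, the mean annual loss), VaR at a
            chosen percentile, and the expected annual loss avoided by a
            control, which is how remediation spend is prioritised.
"""
import math
import random


def poisson(lam, rng):
    """Knuth's algorithm: sample the number of loss events in one year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(event_rate, median_loss, sigma, trials, seed=1):
    """Monte Carlo: one compound-Poisson annual loss total per trial."""
    rng = random.Random(seed)          # fixed seed keeps results reproducible
    mu = math.log(median_loss)         # lognormal median == exp(mu)
    losses = []
    for _ in range(trials):
        n = poisson(event_rate, rng)
        total = sum(math.exp(rng.gauss(mu, sigma)) for _ in range(n))
        losses.append(total)
    return losses


def ale(losses):
    """Annualised loss exposure: mean of the simulated annual totals."""
    return sum(losses) / len(losses)


def value_at_risk(losses, percentile=0.95):
    """Empirical VaR: the annual loss exceeded in only (1 - percentile) of years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(percentile * len(ordered)))
    return ordered[idx]


def analytic_ale(event_rate, median_loss, sigma):
    """Closed form E[N] * E[L] for Poisson frequency and lognormal severity."""
    return event_rate * median_loss * math.exp(sigma ** 2 / 2)


def control_value(event_rate, median_loss, sigma, rate_reduction, trials=20000):
    """Expected annual loss avoided by a control that cuts event frequency.

    rate_reduction is a constructed assumption (e.g. 0.6 means the control is
    assumed to prevent 60% of loss events); the number is not from the page.
    """
    base = ale(simulate_annual_losses(event_rate, median_loss, sigma, trials))
    treated_rate = event_rate * (1 - rate_reduction)
    treated = ale(simulate_annual_losses(treated_rate, median_loss, sigma, trials))
    return base - treated


if __name__ == "__main__":
    # Constructed scenario: 2 loss events/year, median loss 50,000, sigma 1.0.
    losses = simulate_annual_losses(2.0, 50_000, 1.0, 20000)
    print(f"ALE {ale(losses):,.0f}   VaR95 {value_at_risk(losses):,.0f}")
    avoided = control_value(2.0, 50_000, 1.0, 0.6)
    print(f"Hypothetical control (-60% frequency) avoids {avoided:,.0f}/yr")
```

Comparing the avoided loss against a control's annual cost gives the expected-reduction-per-dollar ranking the paragraph describes; the same machinery extends to several loss scenarios by summing their simulated annual totals.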

15. Are there any barriers currently preventing the growth of the cyber insurance market in Australia? If so, how can these be addressed?

In the insurance industry, cyber-risk is broadly categorised either as affirmative (named as a risk) or as silent (covered without explicit recognition of the risk as it is not excluded). Increasingly, traditional commercial general liability and property insurance policies exclude cyber risk[iii] with insurers looking to provide explicit policies that are accompanied by robust risk management processes. However, there remains significant ambiguity, especially when it comes to attribution of a cyber-attack[iv][v]. This means that cyber insurance is emerging as a stand-alone coverage and insurance companies with “silent cyber” built into their products are exploring ways to isolate that component. Current cyber insurance policies are covering a relatively wide range of costs depending on the level of coverage. A comprehensive cover will typically include direct costs associated with a post-breach response. Figure 2 shows the classification of costs due to cyber-attacks[vi][vii]. Blue costs are direct first- or third-party losses and are usually explicitly attributed to the cyber event. Grey costs are less tangible and hard to measure. Costs with purple outlines are currently covered by various branded cyber insurance products. For instance, asset destruction is generally covered under silent cyber.

Figure 2: Costs of a cybersecurity breach (source: Risk Frontiers in-house analysis).

The first obvious observation here is that current coverage is generally restricted to direct costs and excludes intangible losses or long-term impacts such as reputational damage. One example is the 2017 Equifax data breach where losses in market share prices and subsequent security improvements were not covered by their insurance policy.

Another barrier to the growth of cyber insurance in Australia, and globally, is that cyber risk is not well understood. Brokers and underwriters lack the training and tools to quantify this emerging risk efficiently, as the tools for assessing cyber risk (and hence for pricing and policy construction) are different from those of traditional property and casualty insurance. In fact, current approaches to assessing cyber security risk rely heavily on manual assessments, which greatly impede scalability and application to small and medium enterprises. Unlike mature risks such as those arising from natural catastrophes, cyber security risk is extremely hard to quantify due to its dynamic nature, its scale, the lack of physical boundaries upon which accumulations are analysed and the aggregate expertise required to produce a good model of the risk. This gap in cyber risk modelling has a major impact on pricing, where premiums become unsound or unaffordable for SMEs.

Another issue with current cyber insurance concerns policy terms, which leaves the outcome of claims uncertain. Since cyber insurance products are still young compared to P&C insurance, the policy terms are constantly being tested in court and usually contain explicit exclusion clauses for cases such as “act of war”[viii]. A recent example of a more subtle exclusion occurred in the court case between National Bank of Blacksburg and its insurer Everest National Insurance Company[ix].

The above issues and challenges can be addressed (at least partly) through:

  1. Governmental initiatives, including the development of a compelling regulatory framework for cyber security risk as well as the promotion of cyber risk management with particular emphasis on cyber insurance.
  2. Government encouragement and support for collaboration between academia and industry to pave the way towards better understanding and modelling of the cyber security risk landscape as it pertains to Australian businesses. Without a proper understanding of the risk, there is only a small degree of price differentiation across different firms.
  3. Government work with insurers to assist in the “attribution” process (which is important for certain policy exclusions), potentially including the establishment of a cyber reinsurance pool.
  4. Finally, government action to increase awareness and provide platforms for SMEs to explore their alternatives in terms of cyber risk transfer.

16. How can high-volume, low sophistication malicious activity targeting Australia be reduced?

The first and foremost protection against high-volume, low sophistication threats is the adoption of good cyber hygiene. Credential management (for example password usage and multi-factor authentication), regular patching and employee training (resilience against phishing and fraud) are amongst the top low-cost but high-return strategies for preventing attacks in this category. These types of attacks are most prevalent against lower-tier enterprises, which should be encouraged to adopt good cyber hygiene and made aware of its impact. This cyber security strategy mirrors the public health strategy of encouraging hand sanitation to minimise the spread of common cold and flu viruses and so help prevent flu pandemics. Through engagement with policyholders, the insurance industry can provide such services as part of a broader product offering to raise cyber hygiene.

20. What funding models should Government explore for any additional protections provided to the community?

A cyber reinsurance pool is one form of funding that the Government should explore to improve confidence in the cyber insurance market, increase the resilience of the economy and community to cyber-attacks and, more generally, to signal and build market confidence. For instance, in the UK, Pool Re was established by the insurance industry and the government as a reinsurance pool to protect insurance companies against large claims originating from terrorist incidents. Since 2018, Pool Re has also covered cyber-terrorism. Thus, a similar extension or more innovative approaches, such as Hiscox’s cyber Insurance-Linked Securities[x], could be explored through the ARPC to cover cyber-attacks on critical infrastructure. Risk Frontiers can provide more detail on these schemes if required.

About Risk Frontiers

Risk Frontiers specialises in the assessment and management of risk across the Asia-Pacific region. We help organisations ranging from the global insurance industry and infrastructure operators to government departments and emergency services.

Our research and expertise cover major hazards affecting the region including floods, tropical cyclones, storms, bushfires, heatwaves, coastal erosion and earthquakes. We also continue the development of a cyber risk model in partnership with the Optus Macquarie University Cyber Security Hub.

Our work with government encompasses a diversity of projects including understanding community risk perception, evaluation of resilience and recovery programs, research into catastrophic disasters and the development of resilience frameworks.

As a partner of the Australian Research Council Centre of Excellence for Climate Extremes, Risk Frontiers is well positioned to deliver the latest in climate change solutions to enhance our clients’ decision making.

Rigorous, independent and data-driven, Risk Frontiers is one of Asia-Pacific’s leading providers of risk management and catastrophe modelling solutions.


[1] Risk Frontiers

[2] Security Express


[i] Aon. Cyber Insurance Market Insights, 2018.

[ii] Xiaokui Shu et al. Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, 2017.

[iii] Sasha Romanosky et al. Content analysis of cyber insurance policies: how do carriers price cyber risk?, 2019.

[iv] Mondelez International Inc. v Zurich American Insurance Company. No. 2018L011008. Circuit Court of Illinois, October 10, 2018.

[v] Milton Mueller et al. Cyber Attribution: Can a New Institution Achieve Transnational Credibility?, 2019.

[vi] The Council of Economic Advisers. The Cost of Malicious Cyber Activity to the U.S. Economy, 2018.

[vii] Deloitte. Beneath the surface of a cyberattack, 2016.

[viii] Mondelez International Inc. v Zurich American Insurance Company. No. 2018L011008. Circuit Court of Illinois, October 10, 2018.

[ix] https://krebsonsecurity.com/wp-content/uploads/2018/07/1-main.pdf

[x] Insurance Day. Hiscox plans dedicated cyber ILS fund, 2019.


Natural Catastrophes Greatest Risk for East Asia and the Pacific

by Andrew Gissing.

The World Economic Forum this month released their Regional Risks for Doing Business Report. The findings of the report are based on a survey of global business leaders on the state of business environments regionally.

Extreme weather events, natural catastrophes and failure of climate change adaptation were ranked in the top 10 risks for East Asia and the Pacific and North America, but not in other regions.

For East Asia and the Pacific, natural catastrophes were rated as the highest risk and extreme weather events as number 5. Natural catastrophes were rated as the highest risk in Japan, New Zealand and China. Asia experienced some US$55 billion in catastrophe losses in 2018, second only to the United States, but ranked highest in terms of loss of life (Swiss Re, 2019).

In South Asia, water crises were rated as the top risk. Climate change through melting of glaciers and altering the frequency of extreme weather events will only worsen water stress in this region.

Globally, cyberattacks were rated as the world’s second most significant risk behind financial crisis. The report notes the rising cost of cyberattacks and the ever-evolving nature of the risk. In East Asia and the Pacific, the risk was also rated second.

Australian respondents rated energy price shock as their number one risk, followed by cyberattacks (2nd), asset bubble (3rd), failure of critical infrastructure (4th) and fiscal crises (5th).

The top ten risks for East Asia and the Pacific and globally are listed in Table 1 below.

The full report is available at: http://www3.weforum.org/docs/WEF_Regional_Risks_Doing_Business_report_2019.pdf

References

Swiss Re (2019) Natural catastrophes and man-made disasters in 2018: “secondary perils on the frontline”. Sigma No.2

California Fire and Power

Paul Somerville, Risk Frontiers

Once again, wildfires have caused catastrophic property losses in the late Californian summer, but loss of life is much lower than last year, possibly because of radical mitigation measures including the widespread use of deliberate blackouts to avoid ignition by power lines and related equipment.

Causes of Fire Ignition

In the United States, about 84% of wildfires are caused by human activity or equipment, with the remaining 16% caused by lightning. 95% of the fires that the California Department of Forestry and Fire Protection (Cal Fire) responds to are caused by human activity.

The largest cause of wildfires is electric power lines and related equipment. Pacific Gas & Electric (PG&E) transmission lines caused the 2018 Camp fire in Northern California, which razed 90% of the town of Paradise, killed 86 people and destroyed more than 13,900 houses. This loss was the reason PG&E declared bankruptcy, based on an estimated liability of $30 billion for fires in 2017 and 2018 (RF Briefing Note 372; see also Briefing Note 375). Sceptics have pointed out that, with stable revenue from electricity and gas subscribers, bankruptcy was declared to shield the company from its liabilities. California Governor Newsom implied on 1 November 2019 that the State may become involved in the restructuring of PG&E. Some of the largest fires in Southern California’s history were also caused by power lines, in those cases belonging to Southern California Edison (SCE) and San Diego Gas & Electric (SDG&E).

Other causes of fires are sparks from vehicles and other equipment. The Carr fire in Trinity and Shasta counties, which killed 8 people and destroyed more than 1,600 structures, was caused by sparks from a wheel rim exposed by a flat tyre. Failure to fully extinguish the Berkeley–Oakland Hills fire in 1991 resulted in it blowing out of control, killing 25 people and destroying over 2,200 structures. Campfires are another cause: two small fires lit by a lost deer-hunting hiker in southern San Diego County resulted in 15 deaths and the loss of over 2,300 structures. Arson is a rare cause of large fires in California.

Changes in the Frequency and Size of Fires

All ten of the largest fires in California have occurred since 1991. This is attributable, in part, to the increased number of houses located in regions of high fire hazard. However, in the past few years the winter rains (from storms originating in the Gulf of Alaska), which used to begin in late September (Figure 1), have been delayed by a month or more, which may be attributable to climate change. This has extended the fire season into October and, this year, into early November. The headline of an opinion article in the New York Times (2019) warned that “It’s the end of California as we know it” and declared that “at the heart of California’s rot” is the “failure to live sustainably.” The Atlantic (2019) wrote that “California is becoming unliveable.”

[Figure: Fires burning on 3 November 2019 in California (source: Channel 4 TV).]

[Figure 1: Temperature and rainfall for Sonoma County, California (source: LA Times and ChartFX).]

Mobile Phone Outages

According to the San Francisco Examiner on 4 November 2019, “As the lights flickered out and wildfires flared, PG&E’s blackouts also cut off thousands of Californians from cell phone service, leaving them unable to get emergency alerts or call 911. It exposed a troubling gap in the state’s readiness for mass outages that could, according to PG&E, keep happening for a decade. And it’s left regulators scrambling to find a fix — though it will be difficult. Neither California nor the federal government requires cell phone towers to have backup power, even though network service is a critical part of modern life. Instead, maintaining service is left up to cell phone companies, which have generators lasting days at some sites but batteries which can survive just a few hours at others. When those run out, they must send trucks to refuel or install generators, at times when fires may cut off roads, blackouts darken traffic lights and their own outages hamper communication. Companies said their personnel worked around the clock to put in place hundreds of generators during PG&E’s unprecedented and fast-changing power outages, but in some cases they couldn’t access sites because of the location — on top of buildings or in fire evacuation zones. They’re pledging to prevent future problems. But regulators, politicians and emergency response agencies are pushing for stricter rules to protect public safety.”

Fire Mitigation by Electric Power Companies

Responding to the declaration of bankruptcy by PG&E in 2019 following the fires in 2018, the major public utilities have engaged in intentional blackouts, to varying degrees, as a means of reducing fire ignition. These measures range from:

  • no blackouts (Los Angeles Department of Water and Power, which admits that a branch blown from a eucalyptus tree onto its power lines ignited the Getty Fire beside the iconic Getty Museum)
  • tightly targeted blackouts (in San Diego by SDG&E)
  • less targeted blackouts (in Los Angeles by SCE) and
  • large scale blackouts (in Northern California by PG&E, whose power outages lasted for days and risked the health of people requiring power for medical support equipment)

The question of when to turn the power back on was highlighted by the outbreak of the Maria Fire 13 minutes after SCE turned the power back on in Ventura County on November 1. SCE is not yet conceding its fault but has announced that its electrical equipment will probably be found to be associated with the Woolsey fire of 8 November 2018, which burned more than 1,500 structures in Los Angeles and Ventura Counties and killed 3 people.

Financial Management of Fire Losses

In its quarterly earnings report, SCE disclosed that various fire and mudslide events could result in a liability of $4.7 billion, of which $1.8 billion will be borne by shareholders after insurance and other offsets. But in the company’s third-quarter earnings call last week, Edison International President and Chief Executive Pedro J. Pizarro said it was adequately prepared for the blow, saying on 1st November 2019 that the company “understands this is a difficult time for the many people who are being impacted. The company’s top priority is the safety of customers, employees and communities, which is why we continue to enhance our wildfire mitigation efforts through grid hardening, situational awareness and enhanced operational practices.”

The protocols for shutting down power are outlined in SCE’s 2019 Wildfire Management Plan. Incident management teams, that include meteorologists, base the decision on wind speeds, humidity and temperature, fuel moisture and fuel loading. Other less prescriptive considerations may include the potential effect on customers and communities, alternative ways to reroute power, the progress of the customer notification process and situational awareness from weather stations. The length of time customers are without power is one factor that may be considered in the decision to restore power. The plan states that, “The order in which circuits are re-energized will depend on many factors including, but not limited to, customer safety and well-being, consideration of affected essential services, damage to electrical and other infrastructure, and circuit design/topology.” Before power is restored, field crews inspect the lines for “any condition that could potentially present a public safety hazard when re-energizing circuits.”

The duration of a power outage can matter in small and large ways. Food may last only four hours in a closed refrigerator, while frozen food could last a day or two (depending on how full the freezer is) as long as the door stays shut most of the time. For those dependent on medical equipment requiring rechargeable batteries, time can be critical. SCE’s plan says it maintains a list of those customers and contacts them individually before a shutdown. If unable to confirm the notification, field representatives go to the customer’s house.

References

The Atlantic (30 October 2019). California Is Becoming Unlivable
https://www.theatlantic.com/ideas/archive/2019/10/can-california-save-itself/601135/

New York Times (30 October 2019). It’s the end of California as we know it.
https://www.nytimes.com/2019/10/30/opinion/sunday/california-fires.html