Bushfire deaths in Australia, 2010-2020

Lucinda Coates, Risk Frontiers

Targeting policy interventions to enhance public safety is critical. Here we interrogate PerilAUS, Risk Frontiers’ database of natural hazard occurrences in Australia, to analyze bushfire deaths occurring since those of the 2009 Black Saturday fires.

This data was based mainly on articles from the news media – a rich source of details and circumstances around such fatalities – and represents lower bound estimates. The financial year is utilised for bushfire season totals. Increases in population have been normalised utilising fatality rates, which look at the overall number of deaths for a given group of people (say, males, or persons aged 30-34) against the population of that group. We have measured this in terms of deaths per 100,000 (background) population.

At least 65 deaths due to bushfires have occurred in Australia from FY 2010 to FY 2020 (Table 1). Just over half of the deaths (n=35; 54%) occurred during FY 2020 (note: the current fire season is far from over, especially for the southern states of Australia).

The most common age range of those killed in bushfires was 60-64 years (n=12; 18%), followed by 65-69 years (n=8; 12%). No deaths occurred below the age range of 15-19. The normalised age ranges show the 60-64 to 75-79 age groups to be overrepresented. Again, the 60-64 age group showed the highest value (death rate 0.94 deaths per 100,000 population), followed by age groups 75-79 (0.81), 65-69 (0.73) and 70-74 (0.60).

Table 1: Deaths from bushfires in Australia, FY 2010-2020 as at 29/1/2020

Of the 65 total deaths, 54 (83%) were male and 11 (17%) female. This relates to death rates of 0.46 deaths per 100,000 population for males and 0.09 for females.

New South Wales is the Australian jurisdiction where most of the deaths (n=33; 51%) occurred. This is followed by Victoria (n=9; 14%) and Western Australia (n=9; 14%) then South Australia (n=8; 12%). Over longer time periods, however, Victoria has had the highest proportion of deaths.

Twelve (18% of) deaths occurred inside a house or other building and 53 (82%) outside. Of those outside, 26 (49%) were in a land vehicle, 22 (42%) were on foot and five (9%) were in an aircraft. Vehicles were related to 33 (45%) of deaths; eight (11% of) deaths were treefall-related. Four deaths were related both to vehicles and to treefall.

The most common causal factor of death was being burnt whilst in vehicles (n=15; 23%). Of these, ten were due to late evacuation and five were due to firefighting (including en route). Thirteen (20%) were burnt in (or near) their home: nine were in the house, undertaking no/ little action or being too late to evacuate and four were firefighting. Eleven deaths (17%) were due to a cardiac event and of those ten known, all were firefighting: five saving their own properties, two professional firefighters, two informal volunteers (i.e., with RFS or CFA) and one member of the public (i.e., not a brigade member but helping out on someone else’s property). Two of the three fatalities caused by a medical condition exacerbated by the fires were due to asthma caused by bushfire smoke, at some distance from the active fire zone.

In relation to the activity of the decedents immediately prior to death, 30 (46%) were involved in firefighting efforts and another nine (14%) were en route to fight fires. Thirteen (20%) were attempting to evacuate: nine were late evacuations, three were saving their own property and then attempting to evacuate and one, a formal volunteer, was warning neighbours to evacuate. Ten (15%) of the decedents were undertaking no or little activity but were in/ near their home.

The most common reason behind the activity being carried out by the decedent was saving their own property, belongings or animals (n=14; 22%) – either firefighting or evacuating late from firefighting. Eleven (17%) were evacuating late or did not attempt to evacuate – either in car or in house. Thirteen (20%) were formal volunteers involved in firefighting, eleven (17%) were professional firefighters and five were members of the public involved in firefighting.

Figure 1 shows the death rate per 100,000 population for bushfires that have affected Australia since 1900, from PerilAUS. This 110-year record shows no particular trend over time but, rather, episodic severe bushfire seasons against a background of relatively low death rates.

Figure 1: Death rates per 100,000 population from bushfires in Australia, FY 1900-2020

The total of 35 deaths for the 2019/20 fire season, whilst relatively low, is still 35 too many: however, compared to the severity and the widespread extent of the fires, the death toll could have been higher. The PerilAUS record over the last decade shows that particular focus should be given to:

  • professional and volunteer firefighters
  • males aged 60+ trying to save own property, especially those with cardiac conditions
  • males aged 55+ attempting a late evacuation or not leaving home in time
  • males and females aged 55+ and remaining in their house.

Northern NSW bushfire impact research

Steven George, Salome Hussein, Jacob Evans, Risk Frontiers

Risk Frontiers deployed a damage survey team in early December. The team travelled to bushfire-affected communities in northern NSW to make observations and report on impacted areas. The two fires concerned behaved differently and were influenced by weather conditions and terrain. Wind conditions and embers in the Busbys Flat Fire were significant factors in the location and distribution of destroyed buildings and their proximity to bushland. Industries/Infrastructure affected: Sawmill, pine plantations, railway.

Damaged paddocks in the Northern Tablelands

Long Gully Fire (Drake Fire)

A survey of Long Gully Road from the Bruxner Highway confirmed the area had dense vegetation, which was severely burnt during the Long Gully Fire (LGF). The southern end of Long Gully Road (close to the fire ignition point) is remote and steep, which would likely have limited initial fire control efforts. Losses from early stages (September) of the LGF appear to be limited to private holdings and farms, with no evidence of any commercial or industrial enterprises being impacted. The team located 15 buildings (and one vehicle) impacted by the fire along Long Gully Road – most were totally destroyed or damaged enough to require demolition. The buildings were a combination of residences (of varying size and construction) and out-buildings. Destroyed properties varied in distance from the road from 10-15 metres to 1.9 km and were on either side of the road. Visible debris revealed no consistency to the construction materials of destroyed buildings, with corrugated sheeting, brickwork, timber and fibro (or similar) sheeting evident and several examples of water tanks remaining. There was minimal variation in distance to adjacent bushland. Most destroyed structures were no more than 20 metres from significant bush. At several locations, only a concrete slab remained after debris was removed. Over 7.5 weeks, the LGF burnt more than 74,000 hectares of bush and farmland. Conditions on Tuesday 8 October caused the LGF to reintensify and join with other local fires (including the Busbys Flat Fire). Together, the new combined fire was responsible for extensive damage to Rappville and two fatalities.

The Busbys Flat Fire (BFF), Rappville and wider area

An act of arson on Friday 4th October in the Busbys Flat area is the suspected cause of the Busbys Flat Fire (BFF). High temperatures and ferocious winds on Tuesday 8th October caused the BFF to intensify and merge with other major fires burning in the area, including the still active Long Gully Fire. This combined fire destroyed an estimated 30 homes and commercial properties as it travelled from its ignition point east toward Rappville (population 170). A noteworthy aspect of this fire, as reported by witnesses and volunteers, was the quantity of embers it generated, which were then carried by strong wind over large distances. Within the town, 16 buildings, mainly dwellings, were burnt. Where debris had not been cleared, the most common construction materials were evidently timber and fibro, with corrugated sheeting and brickwork. At least eight of the 16 destroyed building sites had “asbestos” warning signs posted and were secured by fences. There was an apparently random distribution of destroyed buildings, and the lack of substantial bushland within the village demonstrated how embers in high winds can propagate fires over long distances. The fire that impacted Rappville and surrounding areas was responsible for significant commercial losses, consisting of 200 claims costing an estimated $25 million. Significant infrastructure damage included a large sawmill located on Old Tenterfield Road, distorted steel tracks and destroyed hardwood sleepers of the Rappville Rail Bridge, and extensive fire damage to numerous large pine plantations.

Statistical dependence of bushfire risk on distance to bush and the influence of ember attack

Proximity to bushland is a significant factor in determining a building’s vulnerability. Figure 1 depicts bushfire damage based on aggregated data from recent major bushfires and shows the percentile of destroyed buildings in relation to nearby bushland (i.e., an ignition source). However, the Rappville (2019) and Duffy (2003) examples suggest that in cases where ember attack is a major element of a fire’s behaviour, this dependence may be less important. At Rappville ~55% of destroyed structures were between 9 – 100 metres from bushland, with the remaining ~45% outside 100 metres. These distances were significantly greater at Duffy. Notably, weather conditions prior to both fires were starkly similar. At Duffy, the Bushfire CRC reported that “unusual severity of the fire was generated by extreme weather conditions” (a combination of particularly strong wind, temperatures near 40°C and drought conditions) and that “most houses were ignited by either ember attack or house-to-house ignition.” 1

Figure 1: Cumulative distribution of buildings destroyed in major bushfires in Australia in relation to distance from nearby bushland. For reference, approximately 42% of homes destroyed in Tathra were within 1m of bushland while 25% of homes destroyed in Marysville and Kinglake were within 1m of bushland. At Rappville, the closest building to bushland was approximately 9m with about 50% of destroyed buildings located between 10 – 100 m from bushland.
1 Bushfire CRC Report – INVESTIGATION OF BUSHFIRE ATTACK MECHANISMS RESULTING IN HOUSE LOSS IN THE ACT BUSHFIRE 2003 (2005). http://www.bushfirecrc.com/sites/default/files/downloads/act_bushfire_crc_report.pdf

2019/2020 Australian bushfire season

The Gold Rush Colony, Mogo

The 2019/2020 Australian bushfire season is far from over but has already been unprecedented in its destruction. Since August multiple concurrent and sequential bushfires across many states have resulted in loss of life and destruction of homes, businesses, farms, infrastructure and the environment. By the end of January over 9.8 million hectares had been burnt with over 3048 homes destroyed (AFAC). Unlike other major seasons where destruction has occurred in one day, the damage toll has been the cumulative result of numerous major fires across the season.

Infrastructure damage has resulted in widespread blackouts and telecommunications failures, with those at risk unable to obtain bushfire warnings. Road closures resulted in isolation, concerns for food security and forced medical evacuations.

The threat of bushfires saw local tourist economies damaged and warnings to international tourists to avoid travel to Australia; bushfire smoke caused public health issues and business disruption; and burning of vegetation in water catchments reduced water quality and contributed to fish kills.

Environmental damage has been severe, with an estimated one billion wild animals killed (UNEP) and threats to those that have survived due to habitat destruction. Smoke from bushfires affected New Zealand and travelled to South America.

Bushfires have occurred at the time of severe drought, when heatwaves, severe storms, floods and cyclones have also threatened Australian communities. Losses from recent hailstorms in NSW, VIC and the ACT are reported as half a billion dollars and rising.

An immense effort has been launched by all tiers of Government including contributions by international defence and firefighting agencies. Businesses, not-for-profit and community service organisations have provided immense support. In recent weeks the strain on resources has been compounded by the emergence of the 2019-nCoV outbreak.

The events have provided an illustration of a compound event with its component events made up of multiple cascading consequences which have caused complex resourcing, coordination and recovery challenges.

Australia has been experiencing more frequent fire weather, and fire seasons are longer. This trend is expected to continue under the influence of climate change.
In our 25th anniversary edition we provide a brief overview of Risk Frontiers’ bushfire research to date as well as other key analysis related to natural hazards.


Australia needs a national crisis plan, and not just for bushfires

By Andrew Gissing, Risk Frontiers and Michael Eburn, Australian National University
Published in The Conversation, 13th December 2019

Bushfires aren’t the only catastrophic emergency Australia is likely to see. AAP Image/Mick Tsikas

Calls are growing for a national bushfire plan, including from former prime minister Malcolm Turnbull, who says they are an issue of national security and the federal government must provide hands-on leadership.

It’s true that more people are living in high-risk bushfire areas, emergency services are stretched and the climate is rapidly changing. Future crises are inevitable. We must consider the prospect of a monstrous bushfire season, the likes of which we’ve never seen.

But bushfires aren’t the only catastrophe Australia must prepare for. If we are to create a national crisis plan, we must go much further than bushfire planning.

Not just bushfires

In the decade since Victoria’s Black Saturday fires, we have improved fire predictions, night-time aerial firefighting, construction codes and emergency warnings. All of these have no doubt saved many lives.

There are calls for more resources to fight fires, as part of a coordinated national plan. But few people have proposed an all-encompassing vision of such a plan.

For a start, it should not be confined solely to bushfires. Far more people die during heatwaves and residential housefires. Tropical cyclones, floods and hail each cost our economy more.

Any plan must provide a strategic vision across these various facets for at least the next ten to 20 years.

A national firefighting force?

Calls for a national firefighting force to supplement existing state resources are fundamentally short-sighted. A national force – quite apart from the level of duplication it would create – would spend much of its time idle.

Even during severe fires, such as those now raging, there would be limits to its usefulness. At a certain point, the size and energy of the fires means no amount of firefighting technology will extinguish them all.

Research conducted by Risk Frontiers, the Australian National University and Macquarie University through the Bushfire and Natural Hazards Cooperative Research Centre, has focused on better planning and preparedness for catastrophic events.

This research concludes it is unrealistic to resource the emergency management sector for rare but truly catastrophic events. It is wildly expensive to remain 100% prepared for the worst-case scenario.

Despite the smoke blanketing Sydney, we need to think beyond bushfires. AAP Image/Neil Bennett

Instead of simply scaling up existing arrangements, we need to think differently.

Bush firefighting could be improved by innovation and research. Future investments must focus on rapidly detecting and extinguishing ignitions before they spread out of control.

Everyone is responsible

States and territories are traditionally responsible for emergency management in Australia. But almost by definition, a catastrophic disaster exceeds one’s capacity to cope – inevitably drawing on nationwide resources.

This means preparing for catastrophic disasters is everyone’s responsibility.

Existing plans allow for assistance across state borders, and between state and federal governments. But there is no national emergency legislation defining the Commonwealth’s role or assigning responsibility for responding to a truly national disaster.

The Australian Defence Force has a well-defined support role in natural disasters but should not be relied on due to its global commitments. Expanding its role to firefighting would distract it from its primary role of defending Australia.

However, resource-sharing between states could benefit from more investment in programs that enable emergency services to work better together.

Bushfire haze at the SCG in Sydney during a cricket match. AAP Image/Craig Golding

International help in massive emergencies also needs better planning, particularly around timing and integration with local agencies.

Non-government organisations, businesses and communities already make valuable contributions, but could play a more central role. We could look to the US, which successfully uses a whole-of-community approach.

This might mean emergency services help community organisations provide aid or carry out rescues, rather than do it themselves. These organisations are also best placed to make sure vulnerable members of the community are cared for.

The most important task is to reduce the risk in the first place. The vast majority of disaster-related spending goes on recovery rather than risk reduction. Calls from the Productivity Commission and the Australian Prudential Regulation Authority (APRA) for more disaster mitigation funding have been largely ignored.

The federal government’s recent National Disaster Risk Reduction Framework highlights the need to identify highest-priority disaster risks and mitigation opportunities.

This would see priority investments in flood mitigation and strengthening of buildings against cyclones in northern Australia. (This will also help address insurance affordability.)

Land-use planning needs to be improved to reduce the chance that future developments are exposed to unreasonable risks.

Infrastructure must be constructed to the highest standards and, following a disaster, destroyed buildings should be rebuilt away from dangerous areas.

Finally, communities have the most critical role. We must understand our local risk and be ready to look after ourselves and each other. Governments at all levels must facilitate this spirit of self-reliance. Local leadership is crucial to any crisis plan and communities need to be involved in its construction.

Eastern Australia’s bushfire crisis has triggered emotional arguments for throwing resources at the problem. But planning must be careful and evidence-based, taking into account the changing face of natural disasters.

November 2019: Sunshine Coast Hailstorm

by Salomé Hussein, Foster Langbein, Jacob Evans

On the afternoon of November 17th, 2019, the Bureau of Meteorology (BoM) issued a warning that Queensland would experience severe wind and giant hail. Multiple news sources reported cricket-ball sized hail in the greater Sunshine Coast region. Accompanying videos and images from social media, both during and after the event, often depicted the damage wrought by the deluge, with shattered car windscreens being a common sight. The Insurance Council of Australia (ICA) declared the Sunshine Coast storm a catastrophe two days later. The majority of claims lodged thus far have been for motor vehicle. The current estimated loss value is $115M as reported by the ICA. For comparison, the current bushfires (declared a catastrophe from November 8th) have an estimated loss of $165M.

Risk Frontiers implemented the same approach for this storm as for the December 20th, 2018 Sydney hail catastrophe[1]. To determine storm footprints and estimate damage extents, the Maximum Estimated Size of Hail (MESH) algorithm (originally due to Witt et al. (1998))[2] was applied to radar volumes from the Australian Open Radar Dataset (AORD). The Marburg and Mt. Stapylton radars near Brisbane were chosen, over the time period from 10:00AM to 4:00PM AEST. The locations of the radars and the MESH results are shown in Figure 1. Image processing was applied to the cumulative MESH grid over the time period to extract the boundaries of the storm (using a threshold of 20mm, the criterion for a severe hail event in the BoM Severe Storms Archive). An ellipse was fitted to that contour to compare against HailAUS, our detailed catastrophe loss model for hail, in order to estimate losses for the event.

Figure 1. Cumulative MESH grid over the event period, with radar locations indicated. The maximum hail size, using the PyHAIL package and the Marburg radar, was 7.7cm.
Figure 2. Multiple spatially separate footprints, outlined in red, may be extracted from a single event. The largest and most severe is normally selected for simplicity. Ellipses overlain in transparent blue indicate a qualitative goodness of fit to the extracted storm contours. Postcode boundaries are indicated in grey. The December 20th, 2018 storm had two distinct cells, one in the Berowra/Hornsby area, the other near Liverpool, which was consistent with SES callouts and news reports following the event.
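The footprint extraction described above (threshold the cumulative MESH grid at 20mm, separate the cells, keep the largest, fit an ellipse), as an added Python example that is not Risk Frontiers' code. The grid is constructed, and the ellipse is fitted from second moments of the footprint cells, an assumption standing in for the contour fit the article mentions; all lengths are in grid cells.

```python
import math
from collections import deque

SEVERE_MM = 20.0  # severe-hail threshold quoted in the article


def footprints(grid, threshold=SEVERE_MM):
    """Return 4-connected groups of cells with MESH >= threshold, largest first."""
    rows, cols = len(grid), len(grid[0])
    seen = [[False] * cols for _ in range(rows)]
    found = []
    for r0 in range(rows):
        for c0 in range(cols):
            if seen[r0][c0] or grid[r0][c0] < threshold:
                continue
            seen[r0][c0] = True
            cells, queue = [], deque([(r0, c0)])
            while queue:  # breadth-first flood fill of one storm cell
                r, c = queue.popleft()
                cells.append((r, c))
                for nr, nc in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
                    if (0 <= nr < rows and 0 <= nc < cols
                            and not seen[nr][nc] and grid[nr][nc] >= threshold):
                        seen[nr][nc] = True
                        queue.append((nr, nc))
            found.append(cells)
    return sorted(found, key=len, reverse=True)


def fit_ellipse(cells):
    """Moment-based fit: a filled ellipse with semi-axis a has variance a^2/4 along it."""
    n = len(cells)
    cx = sum(c for _, c in cells) / n
    cy = sum(r for r, _ in cells) / n
    sxx = sum((c - cx) ** 2 for _, c in cells) / n
    syy = sum((r - cy) ** 2 for r, _ in cells) / n
    sxy = sum((c - cx) * (r - cy) for r, c in cells) / n
    # Eigenvalues of the 2x2 covariance matrix give the variance along each axis.
    half_trace = (sxx + syy) / 2.0
    spread = math.hypot((sxx - syy) / 2.0, sxy)
    return {
        "centre": (cx, cy),
        "semi_major": 2.0 * math.sqrt(half_trace + spread),
        "semi_minor": 2.0 * math.sqrt(max(half_trace - spread, 0.0)),
        # Angle of the major axis in grid coordinates (x = column, y = row).
        "angle_deg": math.degrees(0.5 * math.atan2(2.0 * sxy, sxx - syy)),
    }


def constructed_grid(rows=50, cols=70):
    """Constructed cumulative MESH grid (mm): one large rotated cell, one small cell."""
    grid = [[5.0] * cols for _ in range(rows)]
    theta = math.radians(30.0)
    for r in range(rows):
        for c in range(cols):
            dx, dy = c - 35, r - 25
            u = dx * math.cos(theta) + dy * math.sin(theta)
            v = -dx * math.sin(theta) + dy * math.cos(theta)
            if (u / 15.0) ** 2 + (v / 6.0) ** 2 <= 1.0:
                grid[r][c] = 45.0  # main footprint, semi-axes 15 and 6 cells
            if (c - 60) ** 2 + (r - 6) ** 2 <= 9:
                grid[r][c] = 25.0  # small separate cell, radius 3 cells
    return grid


if __name__ == "__main__":
    cells = footprints(constructed_grid())
    print("footprints found:", [len(f) for f in cells])
    print("largest footprint ellipse:", fit_ellipse(cells[0]))
```

Converting the fitted axes to kilometres requires the grid spacing of the radar product, which the article does not state.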

Using the 20mm threshold ellipse fit and a range of hail sizes around the absolute maximum size detected of 7.7cm gives estimated damages of $150M +/- $40M using the HailAUS7.1 damage module against the PERILS 2018 Hail Industry Exposure Database. It is worth noting that the apparent storm footprint obtained from radar may not be equivalent to the ultimate damage footprint. The hail trajectories as they fall from the storm cell will be influenced by ambient wind. There is also a discrepancy in the location of max hail size relative to the ellipse centroid (the ellipse is fitted to an outer contour, but the 3D shape of that geometry is asymmetric along the ellipse axis).

Following the above event, on November 26th, the North Shore and Northern Beaches of Sydney experienced severe winds and pea-sized hail over a relatively short time window. The hail from this event is not expected to have generated much damage given the size. However, fallen trees from the wind disrupted transport and damaged structures and vehicles. The event caused multiple power outages in those areas, affecting 52,000 addresses at the peak of the storm with 13,000 addresses still without power 4 days later. The loss from this single event would be relatively small, but similar events could accrue substantial costs over the course of one season (hail is most frequent in the summer months).

[1]  Risk Frontiers, March 2019 Newsletter

[2] An Enhanced Hail Detection Algorithm for the WSR-88D, Witt et al, 1998

Australia’s 2020 Cyber Security Strategy

Tahiry Rabehaja[1], Denny Wan[2] and Ryan Springall[1]

The Australian Government, through the Department of Home Affairs, has called for views regarding the cyber security strategy that Australia should adopt from 2020. This strategy will be the successor to the 2016 initiative which the Government accompanied with an investment of $230 million in cyber security. The call for views consists of a series of 26 questions ranging from technical solutions to legislative discussion. Few questions in the call for views were directly related to regulation and cyber insurance. In the response that Risk Frontiers submitted to the call, we stressed that Cyber Security is a risk and thus should be managed as such. This means that whilst mitigation and deterrence are important components in risk management, insurance has a role to play as a mechanism for risk transfer and for reinforcing robust cyber security practices through pricing and policy signals. Here is a summary of the top five questions that Risk Frontiers addressed.

4. What role should the government play in addressing the most serious threats to institutions and businesses located in Australia?

To accurately price risk, insurers require a robust quantitative understanding of frequency (how often) and severity (how much financial loss). These data are often obtained through years of claims data and experience dealing with natural catastrophes, for example. In the case of cyber-risk, this understanding is currently lacking. Overcoming this deficiency will require strong and pragmatic leadership from the government to ensure a cyber-risk resilient Australian economy.

The USA is amongst the countries with well-developed cyber security laws and regulations. In addition, the US government actively encourages US businesses to implement robust cyber risk management and, in particular, promotes the incorporation of cyber insurance into their Enterprise Risk Management strategy. According to a 2018 Aon report[i], the current global cyber insurance market premium is estimated to be between 4 and 5 billion US dollars with the US accounting for more than 80% of this market. Figure 1 shows the breakout of global cyber insurance premiums. The US market is considered to be maturing while the rest of the world is developing and expected to grow. In 2018, the Australian cyber insurance market premium was approximately 60 million US dollars, which was about 2% of the global market by premium volume.

Figure 1: Measured and estimated written premiums (source: Aon Cyber Insurance Market Insights 2018).

In Australia, the recent enforcement of the Notifiable Data Breach (NDB) scheme as well as the introduction of APRA’s CPS 234 regulation are positive steps towards improving the resilience of Australian businesses to cyber threats. However, more information on breach frequency and severity needs to be shared with the insurance industry to assist in understanding frequency/severity relationships underpinning risk transfer policies and to educate businesses and the community on the value of taking up cyber insurance.

Such governmental regulations have already proven effective for other countries and regions. In the case of the US, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Federal Information Security Management Act (FISMA) form the three pillars for digital security compliance for businesses and governmental institutions.

Corresponding regulations for Australia are framed through the Privacy Act 1988 and subsequent amendments such as the NDB in 2017. However, compliance alone does not ensure resilience as shown by high profile cases such as the Target breach. At the end of 2013, hackers exfiltrated more than 100 million records containing credit card details and other Personally Identifiable Information (PII) from Target’s internal network. Target was PCI compliant and deployed state-of-the-art security systems but the breach still occurred due to a third party weak link, poor network segmentation and other system misconfigurations[ii]. Target did have cyber insurance that proved useful in offsetting some of the financial losses incurred during the post-breach response period.  A well-planned response is an equally important defence strategy and cyber insurance will go a long way to providing a better incident response and business continuity.

10. Is the regulatory environment for cyber security appropriate? Why or why not?

Regulatory frameworks such as the NDB primarily focus on protection of privacy. In contrast, other regulation such as the CPS 234 is more balanced due to its focus on broader information security challenges beyond the protection of PII. While only currently enforced on APRA regulated entities, CPS 234 is applicable to other organisations and presents an encouraging point of departure to lift cyber security standards in the Australian economy. The standard is principle based and non-prescriptive, offering regulated entities scope to leverage their current investment in Information Security Management Systems (ISMS) to achieve compliance.

The 2019 update of CPG 234 (guidance for implementation of CPS 234) includes some concrete best practices such as information to be presented to the business board tabled in Appendix H. Implementation of the standard can be assisted by taking advantage of a standard cyber risk quantification framework such as Factor Analysis of Information Risk (FAIR).

The FAIR methodology is a quantitative approach that provides estimates on the frequency and severity of loss events using historical data, heuristics and expert opinions. FAIR is a comprehensive methodology that provides a framework for analysing tail losses through quantitative metrics such as Value at Risk. The quantification process provides a structured approach to prioritise risk and remediate efforts based on expected reduction in potential financial loss, enabling a prudent investment culture in cyber security based on established financial management principles.
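A frequency-and-severity quantification of the kind described above, as an added Python example that is not Risk Frontiers' code or an official FAIR tool. It assumes Poisson event counts and lognormal losses calibrated from an expert's low/high range; the scenarios, control costs and dollar figures are constructed for illustration, and ranking by loss reduction per dollar of control cost is one possible prioritisation rule.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal


def lognormal_from_range(low, high):
    """Read an expert's low/high loss estimate as the 5th/95th percentile of a lognormal."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z95)
    return mu, sigma


def expected_annual_loss(freq, low, high):
    """Closed-form mean of the compound model: event rate times mean loss per event."""
    mu, sigma = lognormal_from_range(low, high)
    return freq * math.exp(mu + sigma * sigma / 2.0)


def _poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(freq, low, high, years=50_000, seed=7):
    """Monte Carlo over simulated years; returns mean annual loss and 95% Value at Risk."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_range(low, high)
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, freq)))
        for _ in range(years)
    )
    return {"mean": sum(totals) / years, "var95": totals[int(0.95 * years)]}


# Constructed scenarios: (events per year, low/high loss per event) before and
# after a control, plus the control's annual cost. None of these are real data.
SCENARIOS = [
    {"name": "credential phishing", "control": "multi-factor authentication",
     "cost": 40_000,
     "before": (2.0, 20_000, 400_000), "after": (0.5, 20_000, 400_000)},
    {"name": "ransomware outage", "control": "tested offline backups",
     "cost": 120_000,
     "before": (0.2, 200_000, 5_000_000), "after": (0.2, 100_000, 1_500_000)},
]


def rank_controls(scenarios, years=50_000):
    """Order controls by reduction in mean annual loss per dollar of control cost."""
    rows = []
    for s in scenarios:
        before = simulate(*s["before"], years=years)
        after = simulate(*s["after"], years=years)
        reduction = before["mean"] - after["mean"]
        rows.append({
            "scenario": s["name"],
            "control": s["control"],
            "reduction": reduction,
            "per_dollar": reduction / s["cost"],
            "var95_before": before["var95"],
            "var95_after": after["var95"],
        })
    return sorted(rows, key=lambda r: r["per_dollar"], reverse=True)


if __name__ == "__main__":
    for row in rank_controls(SCENARIOS):
        print(f'{row["control"]:<30} saves {row["reduction"]:>10,.0f}/yr '
              f'({row["per_dollar"]:.1f} per $ spent); '
              f'VaR95 {row["var95_before"]:,.0f} -> {row["var95_after"]:,.0f}')
```

A frequency-reducing control and a severity-reducing control move the tail differently, which is why the 95% Value at Risk is reported next to the mean.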

15. Are there any barriers currently preventing the growth of the cyber insurance market in Australia? If so, how can these be addressed?

In the insurance industry, cyber-risk is broadly categorised either as affirmative (named as a risk) or as silent (covered without explicit recognition of the risk as it is not excluded). Increasingly, traditional commercial general liability and property insurance policies exclude cyber risk[iii] with insurers looking to provide explicit policies that are accompanied by robust risk management processes. However, there remains significant ambiguity, especially when it comes to attribution of a cyber-attack[iv][v]. This means that cyber insurance is emerging as a stand-alone coverage and insurance companies with “silent cyber” built into their products are exploring ways to isolate that component. Current cyber insurance policies are covering a relatively wide range of costs depending on the level of coverage. A comprehensive cover will typically include direct costs associated with a post-breach response. Figure 2 shows the classification of costs due to cyber-attacks[vi][vii]. Blue costs are direct first- or third-party losses and are usually explicitly attributed to the cyber event. Grey costs are less tangible and hard to measure. Costs with purple outlines are currently covered by various branded cyber insurance products. For instance, asset destruction is generally covered under silent cyber.

Figure 2: Costs of a cybersecurity breach (source: Risk Frontiers in-house analysis).

The first obvious observation here is that current coverage is generally restricted to direct costs and excludes intangible losses or long-term impacts such as reputational damage. One example is the 2017 Equifax data breach where losses in market share prices and subsequent security improvements were not covered by their insurance policy.

Another barrier for the growth of cyber insurance in Australia, and globally, is that cyber risk is not well understood. Brokers and underwriters lack the training and tools to quantify this emerging risk efficiently as the tools for assessing cyber risk (and hence pricing and policy construction) are different from traditional property and casualty insurance. In fact, current approaches to assessing cyber security risk rely heavily on manual assessments that greatly impede the scalability and application to small and medium enterprises. Unlike other mature risks such as those arising from natural catastrophes, cyber security risk is extremely hard to quantify due to its dynamic nature, the scale, the lack of physical boundaries upon which accumulations are analysed and the aggregate expertise required to produce a good model of the risk. This gap in cyber risk modelling has a major impact on pricing where premium prices become unsound or unaffordable for SMEs.

Another issue with current cyber insurance is regarding policy terms, which drives the lack of certainty in successful claims. Since cyber-insurance products are still young compared to P&C insurance, the policy terms are constantly being tested in court and usually contain explicit exclusion clauses for cases such as “act of war”[viii]. A recent example of a more subtle exclusion occurred in the court case confronting National Bank of Blacksburg to its insurer Everest National Insurance Company[ix].

The above issues and challenges can be addressed (at least partly) through:

  1. Governmental initiatives including the development of a compelling regulatory framework for cyber security risk as well as the promotion of cyber risk management with particular emphasis on cyber insurance.
  2. The government should encourage and support collaboration between academia and industry to pave the way towards better understanding and modelling of the cyber-security risk landscape as it pertains to Australian businesses. Without a proper understanding of the risk, there is only a small degree of price differentiation across different firms.
  3. The government also needs to work with insurers to assist in the “attribution” process (which is important for certain policy exclusions) and potentially consider establishing a cyber reinsurance pool.
  4. Finally, the government should increase awareness and provide platforms for SMEs to explore their alternatives in terms of cyber risk transfer.

16. How can high-volume, low sophistication malicious activity targeting Australia be reduced?

The first and foremost protection against high-volume and low sophistication threats is the adoption of good cyber hygiene. Credential management (password usage and multi-factor authentication, for example), regular patching and employee training (resilience against phishing and fraud) are amongst the top low-cost but high-return strategies to prevent attacks in this category. These types of attacks are most prevalent for lower-tier enterprises, which should be encouraged and made aware of the impact of good cyber hygiene. This cyber security strategy mirrors the public health management strategy of encouraging hand sanitation to minimise the spread of common cold and flu viruses, which helps to prevent flu pandemics. Through insurance engagement, the insurance industry can provide the services as part of a broader product offering to increase cyber hygiene.

20. What funding models should Government explore for any additional protections provided to the community?

A cyber reinsurance pool is one form of funding that the Government should explore to improve confidence in the cyber insurance market, increase the resilience of the economy and community to cyber-attacks and, more generally, as a signal to build market confidence. For instance, in the UK, Pool Re was established by the insurance industry and the government as a reinsurance pool to protect insurance companies against large claims originating from terrorist incidents. Since 2018, Pool Re also covers cyber-terrorism[14]. Thus, a similar extension or more innovative approaches, such as Hiscox’s cyber Insurance-Linked Securities[x], can be explored through the ARPC to cover cyber-attacks on critical infrastructure. Risk Frontiers can provide more detail on these schemes if required.

About Risk Frontiers

Risk Frontiers specialises in the assessment and management of risk across the Asia-Pacific region. We help organisations ranging from the global insurance industry and infrastructure operators to government departments and emergency services.

Our research and expertise cover major hazards affecting the region including floods, tropical cyclones, storms, bushfires, heatwaves, coastal erosion and earthquakes. We also continue the development of a cyber risk model in partnership with the Optus Macquarie University Cyber Security Hub.

Our work with government encompasses a diversity of projects including understanding community risk perception, evaluation of resilience and recovery programs, research into catastrophic disasters and the development of resilience frameworks.

As a partner of the Australian Research Council Centre of Excellence for Climate Extremes, Risk Frontiers is well positioned to deliver the latest in climate change solutions to enhance our clients’ decision making.

Rigorous, independent and data-driven, Risk Frontiers is one of Asia-Pacific’s leading providers of risk management and catastrophe modelling solutions.

[1] Risk Frontiers

[2] Security Express

[i] Aon. Cyber Insurance Market Insights, 2018.

[ii] Xiaokui Shu et al. Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, 2017

[iii] Sasha Romanosky et al. Content analysis of cyber insurance policies: how do carriers price cyber risk?, 2019

[iv] Mondelez International Inc. v Zurich American Insurance Company. No. 2018L011008. Circuit Court of Illinois, October 10, 2018.

[v] Milton Mueller et al. Cyber Attribution: Can a New Institution Achieve Transnational Credibility?, 2019

[vi] The Council of Economic Advisers. The cost of Malicious Cyber Activity to the U.S. Economy, 2018

[vii] Deloitte. Beneath the surface of a cyberattack, 2016

[viii] Mondelez International Inc. v Zurich American Insurance Company. No. 2018L011008. Circuit Court of Illinois, October 10, 2018.

[ix] https://krebsonsecurity.com/wp-content/uploads/2018/07/1-main.pdf

[x] Insurance Day. Hiscox plans dedicated cyber ILS fund, 2019
