A report prepared by professional services consultancy Aon has revealed policy costs for cybersecurity insurance leapt more than 113 per cent across its portfolio in the past year. The hefty lift in premiums has come on the back of a broad retreat from the space by major insurers, stung by cybersecurity claims that are proving unsustainable.

Aon notes Australian insurers brave enough to write cybersecurity cover have reduced their exposure to the space, with most walking back their line sizes by an average of 50 per cent.

Cybersecurity cover renewals are now forecast to come in at least 70 per cent dearer in the coming quarter of the financial year according to Aon.

Aon cyber insurance practice leader Michael Parrant said insurers had previously been writing cybersecurity cover to last several years, but the huge lift in hacks and breaches was now seeing those policies topped out within a year.

“Over the last few years we’ve seen a much faster loss manifest far quicker than insurers have anticipated,” he said.

Mr Parrant said the pullback by underwriters was now making it far harder to place cybersecurity cover.

“A few years ago we placed the biggest cyber tower, which was over $1bn. That program now you would not be getting $1bn, you’d be getting probably closer to $600-700m.”

Mr Parrant said almost every insurer has walked back their potential cover, with Australian insurers willing to write maximum of $5m capacity per policy.

He said the rise of ransomware, which sees systems shut down unless a victim pays hackers to unlock files, was causing a massive lift in costs for insurers.

“These ransomware attacks, which have been truly weaponised over the last few years, sees these losses being something, when it’s a bad ransomware event, that leads insurers to lose their entire limit very quickly,” he said.

Mr Parrant said the use of cryptocurrency as the form of payment in ransomware attacks has grown to cover almost every hack.

He noted while most policies did not offer to provide the cryptocurrency payment, most would reimburse businesses for the cost of purchasing the tokens to meet the ransom demands.

Mr Parrant said it was likely Russia’s attacks on Ukraine would, for the moment, reduce cyber attacks on other actors.

“The average Australian organisation is probably no worse off in the current environment, as the major criminal groups are likely being subverted for nation state actions. But critical infrastructure is clearly not your average organisation and they are more likely to find themselves being targeted in the current environment.

“It is possible that collateral damage may emanate from these global issues, and all organisations would be well advised to operate within a heightened risk environment.”

Mr Parrant said while almost two thirds of hacks go unreported, their costs were astronomical. He said he was aware of one financial institution hack in the US that had inflicted a $200m cost.

“In Australia we think the average loss is around $4m per hack,” he said.

Mr Parrant said businesses seeking cyber insurance cover were now facing growing demands by insurers to implement stronger security features.

These security features include but are not limited to multi-factor authentication, endpoint protection software, endpoint detection and response, privilege access management and network security, as well as dedicated cyber business continuity plans, disaster recovery plans, incident response plans, and functional and resilient back-ups.

“A number of insurers 90-80 per cent of claims have become a problem for them due to a lack of multi factor authentication,” he said.

“There’s a lack of hygiene at this point in time in the security space. Organisations are not implementing low level hanging security options.”

Originally published as Cybersecurity insurance costs explode as hacks, ransomware hit