Cyber extortion has debuted for the first time on the list of most pressing worries for Australian executives, adding to closely aligned fear of cyber attack and data loss which have taken out the top two spots for the third year running in the annual Directors’ Liability Survey from Willis Towers Watson and law firm Clyde & Co.

The three categories led concerns by a significant margin, with more than half of executives in Australia listing cyber attack as their top worry as ransomware incidents grow.

“There is a consistent theme,” WTW Australasian cyber and technology risk team leader Ben Di Marco tells insuranceNEWS.com.au.

“The general concept or tenor of being worried about cyber risk and cyber exposure has been there for a few years, and it is a little bit more now.”

Rounding out the top ten were the risk of a health & safety/environmental prosecution, regulatory risk, climate change, economic crime, becoming the focus of a social media campaign, and return to work/covid safety and vaccination status.

Taken together, WTW says the survey insights are a “clarion call” to all business in the region to uplift their cybersecurity and privacy compliance activities, Mr Di Marco saying the results make clear that organisations need effective incident response with their own independent assessment and can’t “just rely on third parties”.

Executives are justified in their concerns as cyber incident frequency, sophistication and scale escalates, he says.

“By the time you become aware of it, 90% of the damage is done. You are often not forewarned. So if someone is deploying ransomware that has compromised you there’s a lot of imperfect information, but you have to make decisions really quickly,” he said.

“Senior management are the ones that are making the really tough decisions – do we or don’t we pay the ransom – and all of those things are attaching in a very real and transparent sense for them, in a way I don’t think they would have thought about cyber security a number of years ago.”

The past year saw attacks evolve from just encryption of data to “double extortion” – encryption and exfiltration – and then to “triple extortion”, where the attackers extract money from third parties such as customers. WTW urges businesses to focus on preparing adequately for a cyber event to occur, simulate board-level cyber exercises to “cut through decision paralysis”, reduce supply chain dependency, and take out appropriate cyber insurance cover.

Mr Di Marco says very few organisations have the capabilities internally to fully manage a cyber event and the mechanics of data and operational restoration is becoming “so much more onerous”.

“The malicious actors and a lot of the variants are much more destructive than they were a few years ago but the other part is this is just historically a bit of a blind spot,” he said. “The call out of ransomware is actually in some ways quite promising because it shows that we are not just thinking about cyber as this really unusual, unwieldly, giant concept. We are really starting to grapple now with some of the issues that sit around business interruption.”

The threat is reflected in the severely hardened cyber insurance market, where cover is much harder to obtain than a year ago, and rates have gone up very significantly – particularly the rate per million – as the limit offer has halved to $5 million while insurers are “charging more than what they were charging for the $10 million,” Mr Di Marco says.

Insurers are insisting on mitigation efforts such as multi factor authentication, phishing training, offline backups, endpoint detection, segmentation and privileged access management, and he says 2022 will remain tough but there is light at the end of the tunnel.

“This year is going to be bad – anyone who tells you it is going to get better this year is just lying to you – but there are enough green shoots to think things will start improving next year,” he said. “This is probably the new norm for rates but I think we can get a little bit better in terms of both the underwriting and the industries and the classes that are really distressed and are really difficult to get insurance for. I think they become viable.”

Clyde & Co Partner Lucinda Lyons says the survey results reflect a market comfortable managing traditional risks such as employment claims, insolvency and regulatory risk, but concerned with emerging, less well-understood risks.

It is “most interesting” that in local responses the significance of shareholder actions/disputes is lower when compared to other regions – despite Australia being one of the most litigious countries for securities class actions.

This may bode well for cyber risk management, she says, noting directors have faced the risk of securities actions in record numbers over the last ten years and have adapted to the environment with robust risk management, and appear to have confidence recent government law reform of securities law and litigation funding will “have the desired effect”.

“We hope this presents an example to directors and officers grappling with the emerging cyber and data loss risks. These risks can be managed with appropriate risk mitigation once correctly understood,” Ms Lyons said.