The following article was written in association with QBE.
The evolution of AI and digitisation is moving at an exponential pace, with businesses continuing to invest more and more in their cyber strategy. However, for every leap forward that new tech offers organisations, it offers the same leg up to criminals looking to exploit gaps in their security.
According to research from PwC, last year saw a 31% surge in disclosed vulnerabilities and a 20% increase in active cyber exploitations in Australian organisations – with data suggesting that 47 million data breaches were reported.
Ben Richardson, cyber product lead of QBE Australia, is on the frontline of these threats, gaining a bird’s eye view of how cybercrime in Australia compares to the rest of the world. And, as he told IB, while the locations may differ, the risks remain similar.
“Cyber risks are evolving rapidly worldwide,” Richardson told Insurance Business. “There's sophisticated attack methods and there’s also growing regulatory pressures - those are two elements businesses really need to be across. And while there's always local trends, it's very much a global threat - in Australia we’re not isolated from what's happening overseas. After all, threat actors are geographically diverse and businesses interact with the digital supply chain with products and suppliers all over the globe.”
That’s exactly why QBE has invested in its global capabilities for cyber – at both the product and threat intelligence level. QBE’s threat intelligence team continuously monitors both global and local trends, before sharing insights with brokers and customers in real time.
“That means we get visibility on what's going on around the globe,” added Richardson. “In terms of specific observations, we're seeing an increase in activity in Singapore, Australia and Japan, with top observed threats being the usual ransomware, business email compromise, social engineering and invoice fund manipulation.”
More recently, Richardson revealed that there’s been a spike in exploitation of vulnerabilities in the digital supply chain – where there’s a vulnerability in a piece of organisational software, it can then be exploited en masse.
“There’s a need to increase awareness around digital supply chain cyber risks,” added Richardson. “We're now seeing the Australian Prudential Regulation Authority (APRA) place a greater focus on supply chain risk via the CPS 230 regulations introduced in July for financial institutions.”
And, on the regulatory side, there have been big updates to the Privacy Act in Australia, such as a statutory tort of privacy, new civil penalties, mandatory ransomware payment reporting and frameworks for smart device security.
“The regulatory environment is very different overseas in Europe and the US, and that’s driven Australia to change shape, which is a positive thing,” explained Richardson. “Businesses need to be aware of the changes and ensure they’re along for the journey.”
And while cyber is a global threat, it’s important to remember that different industries are at risk in different ways. According to Richardson, from QBE’s broad perspective working in sectors such as manufacturing, health, professional services, technology, construction, insurance and retail, it’s an evolving landscape of threats.
“It's a constantly moving target,” he told IB. “Financial gain is obviously the key driver behind what threat actors are doing - but the value of data is a big driver too. For sectors such as professional services and medical, the value of the data is higher - meaning it makes sense for them to be targeted more heavily. However, on the other side of the fence, there’s the issue of business continuity. In manufacturing and retail, a significant outage can essentially halt revenue. So those businesses have a stronger incentive to engage with ransomware or extortion attempts because they need their operations to continue.”
Richardson emphasised that attackers are not static, and neither are their targets.
“Threat actors are opportunistic,” he told IB. “We’re seeing industry-specific threat actors hopping between different segments. That could be a supply chain vulnerability on a piece of software or just a general threat trend.”
As the threat landscape continues to change, Richardson added that risk management hinges on a multi-pronged approach – essentially, organisations being proactive on both technical and governance controls is the key to resilience. It’s here that QBE’s global scale, spanning over 26 countries, offers it a unique edge in supporting customers to manage their cyber risks. Richardson explained that QBE’s Cyber Services team, with its threat intelligence and risk management capabilities, plays a pivotal role in helping clients navigate emerging threats as they happen.
“QBE’s global scope allows us to invest in proactive services and threat intelligence,” he said. “And, rather than channelling that investment into Australia alone, we're meeting the global scale of the risk. Our threat intelligence team on the pre-loss side monitors cyber trends and events and shares those insights with our broker partners and their customers. We also run quarterly threat intelligence webinars providing insights on what ransomware groups are doing, what threat actors are doing and what key exploits are being exploited.”
Richardson sees these engagements as the next step up from typical educational “cyber 101” events – and they also feed directly into QBE’s underwriting.
“Having a team that's continuously sharing these insights with us in underwriting allows us to keep on top of the risks – our risk assessment is up to par, and it influences product design as well,” added Richardson.
Beyond threat intelligence, Richardson stressed the importance of technical and governance controls as twin pillars of cyber resilience.
“Cyber insurance is only one piece of the puzzle when it comes to resilience,” he told IB. “We believe the best defense is a mixture of both technical and governance controls. Staff training, phishing simulations - these create a strong cyber-aware workforce. They'll always attack your weakest link, so you want all your staff operating on the same playing field.”
Richardson shared that businesses could begin with recognised frameworks like the ASD Essential Eight, adding that it’s a good starting point for awareness of key minimum cyber risk controls. At QBE, their mid-markets service team also offers sample governance documents, incident preparedness reviews, tabletop exercises and feedback on existing disaster recovery and incident response plans.
Ultimately, Richardson sees QBE’s role as broader than traditional insurance coverage, acting as a partner in protecting and preventing attacks down the line. And, if an attack does occur, QBE is a human, helping hand to guide you through the chaos.
“We can't only have tunnel vision towards the recovery insurance product side,” he said. “The role for us is expanding from a cover provider to also a partner in risk management. We’re committed long-term to investing in this side of the business to ensure our offerings meet the changing regulatory and threat environment.”
Disclaimer: This content is brought to you by QBE as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. QBE makes no warranty or guarantee about the accuracy, completeness, or adequacy of the content. Products issued and underwritten by QBE Insurance (Australia) Limited (ABN 78 003 191 035, AFSL 239545) (QBE). To decide if a product is right for you, please read the relevant PDS and TMD or Policy Wording, available at www.qbe.com/au.