Author: admin

  • Win-Li Toh awarded Insurance Leader of the Year 2023

    The Australian and New Zealand Institute of Insurance and Finance (ANZIIF) has awarded its top leadership prize to Taylor Fry Principal Win-Li Toh.

    Held at The Star Casino in Sydney on 24 August, the 19th Australian Insurance Industry Awards brought together hundreds of professionals to celebrate excellence in the sector throughout the past year.

    Presenting the award for Insurance Leader of the Year 2023, Dr Michael Neary, of DXC Technology, said Win-Li was being recognised for her outstanding leadership and impact that extends far beyond her day-to-day role. “Win-Li advocates for the industry as a whole and has brought pivotal insights, including on the role of insurers in addressing cyber risk. She is an articulate, proactive leader and creative thinker.”

    He added Win-Li had fostered collaboration between government and other major stakeholders, an example of her “shining leadership and the goodwill she has brought the industry”.

    ANZIIF described the win as a unanimous decision by the judging panel, praising her wider community and media work spotlighting general insurance. It acknowledged her international mindset to problem solving, involving more than 25 years advising clients around the world.

    In accepting the award, Win-Li emphasised the value of generosity and bringing people together across industry, government and business to solve some of society’s biggest problems, such as cyber threats.

    “It’s so important, especially as the industry – and the world – has to step up to face ever more complex challenges – including but certainly not limited to cyber risk.”

    She added that sharing knowledge and collaboration were key to making meaningful connections. “Keep coming together, speaking openly with one another and sharing your skills and knowledge.

    “In this age of viral misinformation, I truly believe that with open-minded, generous dialogue, informed by the thoughtful application of evidence-based data, there really is nothing we can’t solve.”

    Judges noted Win-Li’s contribution as lead author of the Actuaries Institute’s Green Paper, Cyber Risk and the Role of Insurance, promoting a collaborative approach between government and the private sector to understand how to best address systemic threats in cyber insurance policies.

    The report was welcomed by the Insurance Council of Australia, with CEO Andrew Hall saying it “provides yet another opportunity to discuss how industry and government can work in partnership to tackle this significant challenge”.

    Win-Li further contributed between 2020 and 2022, as Chair of the Actuaries Institute General Insurance Practice Committee, supporting several public policy submissions to APRA. These covered issues such as the new cyclone reinsurance pool, AASB17, artificial intelligence and anti-discrimination insurance. In this role, she also mentored the next generation of insurance professionals, working closely with the Young Actuaries Advisory Board.

    To arrange an interview with Win-Li, please contact Elizabeth Finch at Elizabeth.Finch@taylorfry.com.au

  • Effective cyber hygiene – what cyber claims tell us

    Global insurance industry players Zurich, Marsh and Gallagher Re recently released studies into cyber claims and what they reveal about how to protect organisations from cyberattack. We look at their research to uncover valuable insights for insurers and their customers in building greater resilience against cyber criminals.

    In the Actuaries Institute Cyber Green Paper Taylor Fry co-authored last year, we noted “a vibrant cyber insurance market will do more than provide financial recompense for risks … it can offer clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best practice standards”. The maturing cyber industry is starting to do just that: using the data it holds to offer insight into what best practice looks like. In the latest gesture of industry sharing, Zurich, Marsh and Gallagher Re have in the past couple of months published research into which cybersecurity controls, among other factors, make a difference when it comes to strengthening protections.

    We found common themes across the three studies to help organisations strengthen cyber resilience

    Study 1: Using data to prioritise cybersecurity investments

    Earlier this year, global broker Marsh released a study entitled Using data to prioritise cybersecurity investments.

    What did this study look at?

    This study combined two datasets:

    • Cybersecurity posture questionnaire for individual organisations
    • Historical claims data from November 2020 to November 2021, consisting of 1) Claims events that resulted in a cyber claim being paid, and 2) Notices of circumstances that didn’t cause an insured loss.

    It used the two datasets to look at which cybersecurity controls have the greatest effect on decreasing the likelihood of an organisation experiencing a cyber event.

    What did it find?

    1. The control with the largest effect on cybersecurity was ‘hardening techniques’ – applying baseline security configurations to system components, including servers, applications, operating systems, databases, and security and network devices.

    Rounding out the rest of the top five were:

    2. Privileged access management – The organisation manages desktop/local administrator privileges via endpoint privilege management.
    3. Endpoint detection and response (EDR) – Marsh notes cybersecurity best practices have evolved since the 2020-2021 period it studied, with managed detection and response, and extended detection and response superseding earlier EDR tools, such as advanced endpoint security.
    4. Logging and monitoring – The organisation operates its own security operations centre and/or has an outsourced managed security service provider with the following capabilities at a minimum: a) Established incident alert thresholds, b) Security incident and event management monitoring and alerting for unauthorised access connections, devices and software.
    5. Patched systems – The organisation’s target timeframe to patch high-severity vulnerabilities (as defined by the CVSS scoring system) across the enterprise is a minimum of within seven calendar days of release. (CVSS is a security vulnerability scoring system commonly used by information security teams to help them prioritise remediation efforts. For more information on CVSS, see this article.)

    Study 2: The 10 cyber controls that will help SMEs thwart 70% of cyberattacks

    In July, Swiss-based insurer Zurich Insurance Group and researchers at the university ETH released the results of their joint study in a summary article entitled The 10 cyber controls that will help SMEs thwart 70% of cyberattacks, noting that the challenge SMEs face in navigating the complexity of cyber risks stems from a lack of resources or know-how.

    What did this study look at?

    This study focused on the cyber controls implemented by small and medium-sized enterprises (SMEs). Zurich says it cross-checked and validated the controls identified in the study against information gathered from its SME customer questionnaire, as well as benchmarking data from global customer assessments and claims.

    What did it find?

    Zurich listed the following 10 controls that mitigated 70% of the most common SME cyber risks:

    1. System monitoring
    2. Configuration settings
    3. Malicious code protection
    4. Baseline configuration
    5. Least functionality
    6. Continuous monitoring
    7. Least privilege
    8. Access enforcement
    9. Account management
    10. Software, firmware and information integrity.

    Study 3: Can scanning technologies predict claims?

    In June, reinsurance broker Gallagher Re released a study entitled Can scanning technologies predict claims? External scanning refers to external threat scanning, which looks at an organisation’s network from the outside to find, identify and help close potential external entry points for unwanted intrusion (e.g. by looking for weaknesses in the network’s firewall). Insurers use external scanning information (typically expressed as an overall score) across the cyber insurance policy lifecycle, including for risk assessment and pricing, responding to emerging events and portfolio management.

    “External scanning data is most effective at identifying the worst 20% of risks, while revenue and industry factors were more predictive of claims frequency than the external scanning data.”

    Previously, Gallagher Re studies found that existing external scanning data was challenging, as each external scanning provider used their own underlying methodology, and the resulting scores showed little or no relationship between the various levels of risk estimated by different providers. This prompted the reinsurance broker to take a new approach to achieve more valuable insight.

    What did this study look at?

    In order to gain a better understanding of the reliability of external scanning data, the authors built a machine-learning model and combined it with historical cyber claims to capture which elements of external scanning (or technographic) data would have been more predictive of a future claim at the point of underwriting. You can find more about the modelling approach here.

    They also noted other publicly available reports on the predictivity of external scanning data have been in partnership with vendors, and that there was value in this study taking a vendor-agnostic approach.

    What did it find?

    The study offered the following insights:

    • External scanning data is most effective at identifying the worst 20% of risks, which they recognised was consistent with how many insurers are using external scanning data for risk selection.
    • Revenue is the greatest predictor of claims. In addition to external scanning data, Gallagher Re also included organisations’ revenue and industry in the models, and these factors were more predictive of claims frequency than the external scanning data.
    • When it came to technographic predictors, patching cadence – the speed at which organisations apply patches to critical external facing vulnerabilities – was the strongest technographic predictive indicator. This highlights “the importance for organisations to maintain a rigorous approach to vulnerability identification and patching”.
    • The next strongest technographic indicator was port security. While the study noted that in the previous 18 months remote desktop protocol (RDP) had become a less likely attack vector for threat actors (largely due to security posture improvements), companies with exposed ports will still be enticing for potential attackers.
    • Finally, web security – tightening the security posture of an organisation’s external facing web presence – was also important. When three web security risk factors (SSL/TLS configuration, web certificates and HTTP headers) were combined, they presented greater predictive potential for cyber claims than either patching cadence or port security.

    One study highlighted the importance of a rigorous approach to patching vulnerabilities at speed

    Finding perspective

    When considering the three papers and how they might inform best-practice cybersecurity approaches for insurers and their customers, it’s important to bear in mind:

    • The results take into account only those organisations that have taken out a cyber insurance policy. Given cyber insurance coverage ranges from about 6% to 13% of corporations in the UK, the security behaviours of those organisations holding cyber insurance may be different to those that don’t hold insurance.
    • Insurers don’t get the full picture of cyber incidents from policyholders. For example, some organisations might not be aware an incident has taken place, and some incidents might not be significant enough to warrant paying the policy’s excess, or organisations might be worried about the reputational impact of reporting.
    • Additionally, insurers don’t necessarily receive a complete picture of an organisation’s cybersecurity posture at the time of underwriting. Questions asked are open to judgment from staff filling in the information requests, and there may be other controls/behaviours/factors which are more likely to influence a cyber claim being made than the factors collected by insurers.
    • The predictive power of some controls may not indicate a causal relationship between the control and a particular attack vector, but rather be representative of an organisation’s overall cybersecurity maturity level.
    • The cyber landscape is evolving quickly, so what controls worked in the past should be seen as a baseline of minimum security practice, rather than controls organisations can ‘set and forget’.
    • The studies looked at different jurisdictions, types of companies and time periods.

    A practical path forward

    Beyond the important caveats, we found some common themes from the three studies indicating the most effective controls towards limiting cyber claims:

    • Patching within a limited timeframe of release
    • Tightening web security settings
    • Ensuring privileged access management controls are in place
    • Conducting continuous monitoring of attacks
    • Applying hardening techniques across systems and settings.

    Reassuringly, these controls are also broadly aligned with the Australian Cyber Security Centre’s Essential Eight cyber mitigation strategies.

    An ever-evolving space

    The insurance industry’s role in sharing best practice in this space will grow over time, as it gets more data on cyber claims. It will also take advantage of the technological advances that will allow it to have an increasingly dynamic understanding of an organisation’s cybersecurity posture. This understanding has the potential to assist:

    • Organisations to focus their cybersecurity spend on the most effective controls
    • Insurers to continue to refine their underwriting process – for example, what minimum controls to have in place to accept risk and how to better advise organisations seeking insurance
    • Insurers to better identify predictive factors to price risks more accurately, and ultimately reduce claim frequency and therefore premiums
    • Governments in developing and refining recommended cybersecurity controls (e.g. Australia’s Essential Eight).

    Taylor Fry’s cyber risk team works with corporates, policymakers, regulators and insurers to understand and quantify cyber risk to optimise cyber resilience efforts. For more information on the services we offer, visit our Cyber Risk page.

  • New mandatory climate disclosures – what small to medium insurers need to know

    Environment, social and governance (ESG) is driving “the biggest changes to financial reporting and disclosure standards in a generation”, according to Australian Securities and Investments Commission (ASIC) Chairman Joe Longo. First up is climate, with Treasury last week releasing its next consultation paper on proposed mandatory climate-related financial risk disclosures. We explore what these are likely to mean for small to medium insurers in Australia.

    Analysis of ASX-listed entities suggests the ‘big end of town’ – including Australia’s major insurers – are relatively well advanced with planning and reporting on climate risks and opportunities. Due to the organisational size threshold outlined in the Australian Treasury’s latest Climate-related financial disclosure consultation paper, if implemented, requirements would also be mandatory for smaller and mid-tier insurers.

    Recommended disclosures include how insurers manage climate risk across governance and strategy

    This second paper incorporates 194 submissions of feedback from the Treasury’s earlier draft. Consultation for the initial paper closed in March and, as we reported at the time, it sought views on design and implementation of standardised, internationally aligned requirements for disclosure of climate-related financial risks and opportunities in Australia.

    Now the Treasury’s second draft sets out proposed positions on the detail, implementation and sequencing of mandatory disclosures. We answer key questions smaller and mid-tier insurers will be asking …

    Will mandatory disclosures likely apply to my organisation?

    Yes, if additional thresholds are final, most insurers will meet the criteria. The Australian Government has committed to applying standard climate-related financial disclosure requirements to large businesses. The latest consultation paper has proposed that entities lodging financial reports under Chapter 2M of the Corporations Act that meet two of the following criteria would need to comply:

    • The consolidated revenue for the financial year of the company and any entities it controls is $50 million or more
    • The value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is $25 million or more
    • The company and any entities it controls have 100 or more employees at the end of the financial year.

    In addition, all entities that are registered as a ‘controlling corporation’ reporting under the National Greenhouse and Energy Reporting Act 2007 (Cth) (NGER Act) would be covered under climate-related risk disclosure requirements, even if they don’t meet the threshold criteria above.

    This means most insurers will likely be covered. For comparison, in other jurisdictions, climate disclosures are currently mandated only for larger insurance companies:

    • In the United Kingdom, with more than 500 employees
    • In New Zealand, with greater than $1 billion in total assets under management or annual gross premium income greater than $250 million.

    When might mandatory disclosures apply to my organisation?

    It will depend on the exact size of your organisation, but medium sized insurers will most likely need to start disclosure in 2026/27, with smaller insurers the year after.

    This phased approach is in response to stakeholder feedback. The disclosure regime will start with a limited group of very large entities, and be expanded over two years to apply to progressively smaller entities, with the rationale that smaller entities will need more lead time to build the capability and skills to meet their obligations.

    The following table outlines the proposed phasing for mandatory climate disclosures, which entities are covered and when.

    Medium sized insurers will likely start disclosure in 2026/27, with smaller insurers the next year

    What will we be required to disclose?

    At a high level, the climate disclosures are expected to closely align with the final IFRS S2 Climate-related Disclosures, recently released by the International Sustainability Standards Board (ISSB). This standard follows the framework of the Taskforce on Climate-related financial disclosures (TCFD), which recommended companies make disclosures about how they manage climate-related risks and opportunities across:

    • Governance
    • Strategy
    • Risk management
    • Metrics and targets (including greenhouse gas (GHG) emissions).

    The Australian Accounting Standards Board (AASB) will be responsible for developing Australian-specific standards, and will conduct a public consultation process as part of developing our standards.

    How do the mandatory disclosure standards compare with APRA’s Prudential Practice Guide CPG 229 Climate Change Financial Risks?

    For those insurers who have implemented APRA’s CPG 229 Climate Change Financial Risks, the four categories of disclosure will be familiar. CPG 229 also reflects the framework for managing risk developed by the TCFD. This means insurers who have been applying this prudential practice guide to their organisation’s climate risks and opportunities should be in a strong position to respond to requirements for mandatory climate disclosures.

    What type of scenario analyses will my organisation likely need to perform?

    The Treasury’s discussion paper proposes that reporting entities will be required to use qualitative scenario analysis to inform their disclosures during the transition period, moving to quantitative scenario analysis by the 2027-28 reporting year (i.e. the end of the transition period).

    The TCFD defines scenario analysis as a process for identifying and assessing the potential implications of a range of plausible future states under conditions of uncertainty. For climate change, scenarios allow an organisation to explore and develop an understanding of how various combinations of climate-related risks, both transition and physical risks, may affect its businesses, strategies and financial performance over time.

    In the case that an organisation is already undertaking quantitative scenario analysis, the expectation is that they should continue to do so. In the transition period, the Treasury expects the level of sophistication of this scenario analysis to be proportionate to the experience of the reporting entities, their exposure to climate-related risk and the availability of supporting information (methodology and datasets).

    … scenarios allow an organisation to explore how combinations of climate-related risks, both transition and physical risks, may affect its businesses, strategies and financial performance over time.

    Notably, it’s proposed that companies will be afforded protection from false or misleading representation claims from private litigants related to forward looking statements (such as the results of scenario analysis) for the first three years. This doesn’t rule out regulator actions.

    How many scenarios will we need to consider as part of our scenario analysis?

    The discussion paper’s proposal is that reporting entities would be required to disclose climate resilience assessments against at least two possible future states, one of which must be consistent with the global temperature goal set out in the Climate Change Act 2022 – which is designed for Australia to contribute to “holding the increase in the global average temperature to well below 2°C above pre-industrial levels and pursuing efforts to limit the temperature increase to 1.5°C above pre-industrial levels” (in line with the Paris Agreement’s global temperature goals). Reporting entities would be required to report against at least one other scenario that reflects a different climate future.

    What GHG emissions will I need to disclose?

    Reporting entities will need to:

    • From commencement, report on scope 1 and scope 2 emissions
    • From their second reporting year onwards, report on scope 3 emissions.

    As a refresher, scope 1 are direct GHG emissions that occur from sources that are owned or controlled by the company (e.g. emissions from combustion in owned or controlled vehicles). Scope 2 are emissions from the generation of purchased electricity consumed by the company, and scope 3 are all other indirect emissions.

    For the reporting of scope 3 emissions:

    • These are anticipated to be mostly estimates in the immediate term, reflecting available information, and potential lack of internal capability to undertake scope 3 estimation to a high level of sophistication.
    • In recognition of the significant data availability issues, the application of misleading and deceptive conduct provisions would be limited to regulator-only actions for the first three years. This is to allow organisations to build capability of calculation and estimation.
    • These can have accrued in any one-year period that ended up to 12 months prior to the current reporting period (e.g. scope 3 emissions reported in FY2027-28 could be those incurred (actual or estimated) in the company’s supply chain in FY2026-27, which recognises that other reporting entities’ scope 1 and scope 2 emissions may form inputs for an entity’s scope 3 estimation). The discussion paper has noted this is particularly important for insurers.

    Will I need to report on insurance-industry-specific metrics?

    Yes. By the 2027-28 reporting year onwards, the Treasury is anticipating that reporting entities would be required to disclose industry-based metrics. These would be subject to consultation with members of that sector.

    What else do I need to know?

    We’ve summarised other key points from the discussion paper in the following table. Bear in mind, these could change after stakeholder feedback.

    In asking the right questions, organisations will be better prepared for climate risk reporting

    What are the next steps?

    The Treasury is looking for feedback on this consultation draft by 21 July 2023, specifically whether the proposed positions relating to coverage, content, framework and enforcement of the requirements are workable. Insurers should consider making a submission, either individually or as part of the Insurance Council of Australia, to ensure the views of smaller insurers are incorporated into the final design.

    We’ll be sure to keep you posted on the final design and what that means for insurers.

    With more than 20 years’ experience partnering with the insurance industry, and a team of climate risk specialists, Taylor Fry can help insurers think strategically about their response to climate change, including applying our well-honed skills in forecasting uncertain risks. For more information on the services we offer, visit our Climate and Sustainability page.

  • Well, that generative AI thing got real pretty quickly

    From initial concerns to serious questions that remain, Hugh Miller looks beyond the hype and controversy of generative AI to reflect on where we really are and where we may be headed.

    It’s now been about six months since OpenAI unveiled ChatGPT. This wasn’t the first text creation model, but it feels like the moment that the world stopped and took notice of generative AI.

    A technology that produces a passable limerick on quantum physics probably deserves the attention. So, too, image generation that can put puffer jackets on Popes. Thousands of articles have already been written about generative AI and its implications. No doubt, a fair few of the articles were already co-written by ChatGPT and its competitors*. Now that we’re (hopefully?) nearing the end of the initial hype cycle, we can reflect on some implications that are now much clearer.

    Dispelling fears about big tech and model misinformation

    First, there was initial concern that large AI models, including ChatGPT-style Large Language Models (LLMs), would become the domains of a small number of large technology companies. Happily, it seems that this is not the case – several nimbler startups have emerged, and the speed of other companies releasing products suggests that the barriers to entry for the technology are not too high.

    Happily, large language models don’t seem to have become the domain of big tech companies

    Second, there was a lot of concern about the impact of hallucinations and misinformation flowing from these models. Here I mean the type of misinformation where a model directly gives poor or wrong advice that turns out to be harmful (as opposed to cases where people deliberately use the technology for their own nefarious purposes). By and large, I think the technology has passed this test. While some unhinged behaviour has emerged, it does not seem to be a rampant issue and users have seemed well-informed enough to understand (and appreciate!) the imperfections. Vigilance and education are still required, but it hasn’t led to planes falling out of the sky (April Fools articles notwithstanding).

    Third, it is a technology being recognised as a big deal by the people who should know about these things. Most of tech’s elder statesmen seem to think so. OpenAI and Microsoft’s progress was enough to send Google into a panic, attempting a gaggle of AI innovations in rapid time – hopefully, with more success than the company’s haphazard social media efforts, a similar panic response to Facebook’s rise.

    Positives and negatives for education

    Fourth, the implications for education specifically seem profound. There are clear positives – the technology can be used to create a private tutor that can dynamically offer advice on work, and show much greater patience than regular human tutors (or regular human parents, for that matter). On the negative, we have an education system that relies heavily on assessments, and many of these are no longer fit for purpose when a tailored essay is a few keystrokes away.

    Questions remain. Perhaps the biggest is we still don’t have clarity on what it all means for jobs and services going forward. For LLMs, the fundamental question is what contexts can benefit from a very intelligent chatbot whose accuracy cannot be guaranteed. Examples already exist, such as improved productivity for online chat and incorporating AI-suggested text into workflows. Computer coding similarly seems a space where a dynamic virtual assistant can increase speed. General white-collar work may see productivity gains (or maybe just more polite emails), whereas my plumber will not see a massive impact. And it’s unclear how big the market is for self-driving, AI-powered prams. Will AI create jobs, morph them or destroy them? Time will tell, but there doesn’t seem to be a need for immediate pessimism.

    The effects of content creation at speed

    One change that we are already seeing is an internet with even lower barriers to content creation – whether articles, images, videos, ads or other forms of content. A small team can now build a large website with hundreds of articles very quickly. These can be geared towards specific searches, crowding out existing content. Whether this becomes an unmanageable deluge, with a declining ability to search for quality content, remains to be seen. Perhaps improved search AI will counterbalance the increasing challenges of separating out quality.

    Transparency, regulation and a place for humans

    The other big question is around transparency and regulation. If hundreds of new models are produced, many of them private, then how do we know when AI is driving decisions and how can we be confident of the basis for decisions when this happens? And relatedly, what are the implications of private web-scraped data collections being used to create the models? This is all a tricky space, where regulation is likely to move rapidly, and at different speeds around the world. As ever, Europe appears to be on the front foot in nailing down what a world with AI should look like.

    My approach? I think taking a natural interest in how things are evolving is important – some things will change rapidly – and it helps to be forewarned. But for now, I’ll assume the world will continue to need human-led, data-based analysis and advice – and I’ll need to make sure I’m making use of the best tools and technologies to provide them.

    * I did not use AI to write this article. But I did ask ChatGPT to rate it out of 10 – and got an 8. And then 7.5. And then 8.5.

    This article first appeared in the Actuaries Institute magazine, Actuaries Digital, in Hugh’s regular column, Normal Deviance.

  • The cyber wake-up call we had to have?

    In the past 12 months, Australia has experienced the most significant data breaches in its history. It’s been a sobering alert for government, business and community across the country about the importance of cyber security. With the spotlight now firmly on improving cyber resilience, we explore some of the promising developments in train to tackle the issue.

    In September 2022, the Actuaries Institute released its Green Paper Cyber Risk and the Role of Insurance, co-authored by Taylor Fry. Since its publication, Australia has faced the three largest data breaches in its history:

    • In September 2022, Optus was the victim of a cyber attack affecting 9.8 million former and current customers
    • In October 2022, Medibank was the victim of a cyber attack affecting 9.7 million former and current customers
    • In March 2023, Latitude Financial was the victim of a cyber attack affecting 14 million former and current customers.

    A number-one risk emerges

    As a result, cyber risk made national headlines and conversations around cyber security became commonplace – at the kitchen table and board table alike. In January, the Australian Securities and Investments Commission’s Chairman Joe Longo said, “For all boards, I think cyber resilience has got to be a No. 1 risk facing everyone. From my perspective, I see it as the top-of-the-house, the board-of-directors-level issue.” We understand the Australian Institute of Company Directors (AICD) publication Cyber Security Governance Principles, released in October 2022, was the most downloaded publication in AICD’s history.

    Partnerships between government, industry, academia and community are central to cyber resilience

    Organisations were quick to contact their insurance brokers to check the adequacy of their cyber insurance coverage or contemplate taking out coverage for the first time. Another consideration was increasing the amount they spend on information security.

    A survey by cybersecurity software firm Netskope indicated about 70% of Australian organisations surveyed had seen an increase in their leadership’s willingness to bolster information security investments. The survey found the proportion of organisations planning bigger cyber security budgets between 2022 and 2023 jumped to 63%, up from the 45% that increased their budgets between 2020 and 2022.

    How is this escalating interest helping to combat the threat landscape and improve our cyber resilience? We draw out some of the most promising developments for government, industry and community in response to Australia’s cyber security wake-up call.

    Government and industry are coming together to tackle cyber issues

    One of the major conclusions of the Green Paper was that the challenges associated with cyber risk couldn’t be solved by individual players – the issues are too vast to be solved in isolation.

    In December 2022, Australia’s Minister for Cyber Security, Clare O’Neil, announced the development of the 2023 – 2030 Cyber Security Strategy, led by an expert advisory board comprising the former CEO of Telstra, Andrew Penn, retired Air Marshal Mel Hupfeld and Rachael Falk, CEO of the Cyber Security Cooperative Research Centre.

    When announcing the development of a revised strategy, Minister O’Neil said the “approach demonstrates the Australian Government’s enduring commitment to collaboration. Cyber security is a team sport and we must all work together to make Australia the most cyber secure nation in the world by 2030”.

    In February, the expert advisory board released the 2023-2030 Australian Cyber Security Strategy Discussion Paper. The discussion paper notes “the Strategy will be developed in partnership with industry, academia, state and territory governments and the Australian and international community. Like Australia’s cyber security, the Strategy will be a team effort, building on our history of collaborative cyber resilience”. It calls for collaboration to ensure Australia is a world leader in cyber security by 2030. The focus areas for the strategy are:

    • Enhancing and harmonising regulatory frameworks
    • Strengthening Australia’s international strategy on cyber security
    • Securing government systems
    • Improving public-private mechanisms for cyber threat sharing and blocking
    • Supporting Australia’s cyber security workforce and skills pipeline
    • National frameworks to respond to major cyber incidents
    • Community awareness and victim support
    • Investing in the cyber security ecosystem
    • Designing and sustaining security in new technologies
    • Implementation governance and ongoing evaluation.

    Consultation on the discussion paper closed in April 2023, and we will be eagerly following development of the strategy.

    Signs of a softening cyber insurance market – some respite for business?

    At the time of publication of the Green Paper, we identified that the previous two years had been tumultuous for the cyber insurance market, particularly:

    • Significant reduction in capacity offered – with reductions in policy limits
    • Increases in premiums (which had averaged more than 100% from Q4 2020 to Q4 2021), with price increases all the way up the insurance coverage tower, and no tapering off at higher levels of cover.

    In the first half of 2023, we’ve started to see signs of a softening insurance market. Major brokerage firms have reported that the Asia-Pacific region is seen as a growth target, with the market increasing coverage back to the historical maximum line size of $10 million, and some markets offering limits exceeding $10 million. On pricing, rate increases declined over the second half of 2022. Brokers are expecting to see meaningful price decreases, on primary and especially excess insurance, as well as improvements in coverage for businesses with a detailed focus on security.

    We’ll be watching how a softening market will impact the take-up of cyber insurance, particularly whether it will flow through to increased demand in the small to medium enterprise (SME) market – currently, only about 20% of SMEs hold cyber insurance.

    Prioritising resilience for small business

    The Green Paper pointed to several challenges facing small businesses in protecting themselves against cyber risk, including:

    • Low spend on cyber security, with an Australian Cyber Security Centre Small Business Survey revealing almost 50% of small businesses spend less than $500 on cyber security
    • On average, poor cyber security hygiene
    • Limited education on cyber risks, and low awareness of available educational resources.

    Australia’s federal Budget in May 2023 announced $23.4 million to support small businesses to build resilience to cyber threats. This will be delivered through a Cyber Wardens program that aims to equip small businesses with the foundational skills they need to improve cyber safety. It will be delivered by the Council of Small Business Organisations Australia and will support more than 15,000 small businesses.

    What else we’ll be watching out for

    In the ever-evolving world of cyber risk, we’ll also be keeping a keen eye on:

    • The results from ASIC’s cyber pulse check on corporate Australia – ASIC has been conducting surveys about the cyber resilience of financial market firms since 2016. This year, it will be surveying corporate Australia more broadly, asking for entities to self-assess their cyber security and controls, governance arrangements and incident preparedness. It will be one of the largest surveys conducted into Australia’s cyber resilience and ASIC will publish a report with key findings later in the year.
    • The results of consultation on the proposed expansive reforms to the Privacy Act – In February 2023, the Attorney-General proposed expansive reforms to the Privacy Act, intending to strengthen and modernise privacy protections for Australians. The proposed reforms are broad, and aimed at strengthening the protection of personal information and the control individuals have over their information. These reforms are in consultation, and are expected to culminate in new legislation before Parliament in the next 12 months.
  • Shooting from the heart: how simple truths and taking chances became a winning actuarial model

    For co-founder Alan Greenfield, the Taylor Fry adventure has been a wild ride. As the firm turns 24, he looks back at some of the riskier life moments that led him there, the humanity that drives his passion to do more and his hopes for the future.

    When did you know you wanted to become an actuary?

    I guess I have always been obsessed with maths, numbers and puzzles. I played chess from age five and loved probability puzzles, magic squares and the Rubik’s Cube. I hadn’t heard of actuaries until year 12, when another student said he wanted to be one. He did four-unit maths, like me, so I looked it up. It was a small profession then, but highly regarded with great job prospects. And as it turned out, a lot of the study and work that followed seemed pretty close to my idea of fun.

    Alan played chess from age five and loved probability puzzles, magic squares and the Rubik’s Cube

    How did that relaxed approach become entrepreneurial spirit to start a business?

    I don’t think of myself as having an entrepreneurial spirit. It’s more about risk taking for me. I’ve noticed since my twenties, I’m willing to take more risks than some people, and that the best things in my life have happened when I’ve taken risks, from off-the-beaten-track experiences while travelling to setting up Taylor Fry.

    Taking a risk helps you move ahead. You don’t get far if you’re not willing to risk something – even something small. Not everything will turn out smoothly, but if you try to make the most of the inevitable bumps along the way, I’ve found it’s definitely worth taking the leap.

    What was your strength at the beginning?

    Probably enthusiasm! The thought of building something from scratch was exciting and fun to me, plus the three of us [Alan and co-founders Greg Taylor and Martin Fry] shared a distaste for process for the sake of process, and too much internal politics. We wanted to right wrongs, make things fair.

    Greg and Martin had established reputations, so they mostly took care of bringing in the clients, while I threw myself into finding cheap premises – a long way from our beautiful new offices now – and interviewing and hiring people. I knew the workplace I wanted to create – one with smart people whose focus was the company, not the individual. I even wrote the job ads. I’ve always had an irreverent attitude and I liked to have a laugh with the ads, but we’re a lot more professional these days!

    It seems to have paid off because many people have long careers at Taylor Fry. What’s the secret to finding the right fit?

    It’s hard to put my finger on it, but there’s definitely something around cultural fit – wanting a balanced approach to work and life – but also something around curiosity and looking for innovative ways to solve problems. We also look to hire people with a variety of backgrounds and diverse perspectives, which adds dimension and strengthens the work we do.

    Alan at Taylor Fry’s first office in Sydney

    How has your role changed over almost two-and-a-half decades?

    I gradually became established as an actuary, thanks to Greg, who was always generous about giving people responsibility. I took over some of his major clients and began building a reputation. For many years, I did what is considered ‘traditional’ general insurance actuarial work, for insurance companies and injury schemes. In time, it became my comfort zone. Luckily, I had the right people to help me see that I also needed to push myself harder to expand my horizons and those of the company to help grow the business. It was quite brutal and confronting to hear, but it had a positive effect.

    In the mid-2000s, I was involved in building our analytics practice, but in 2011 I had a major role in a project we won that changed everything about my career. It also set Taylor Fry on a course that helped develop us into the organisation we are today. It was a first-in-the-world valuation of a national welfare system at an individual level. We built forecasts of people’s lifetime welfare service use for the New Zealand Ministry of Social Development. Before we knew it, we were presenting to senior government officials, cabinet ministers and the media. It was ground-breaking work and a cornerstone of the development of our now much bigger Government practice. It has been a wild ride. [Alan was awarded Actuary of the Year in 2015 for his role in this work].

    I never saw myself as somebody whose day-to-day role would centre on developing and winning business, marketing or networking, but that’s a big part of my contribution these days. My career has really moved away from a lot of the technical work. We have amazing people at Taylor Fry who do all of that, which allows me to focus on making sure we really communicate what the numbers mean for our clients. I still love building spreadsheets though!

    You’re also responsible for the firm’s stance on sustainability. What led to your interest?

    My mother particularly shaped the way I see the world. She had an Eastern European Jewish background, with her family escaping Europe in the 1920s when they realised the writing was on the wall. Like many of her generation, she was deeply impacted by losing relatives in the Holocaust. As a child, I travelled with her throughout Europe, the Middle East, Asia and the United States on trips that mostly revolved around searching for her or my father’s long-lost cousins. But along the way she also introduced me to nature – the Grand Canyon, Swiss Alps, the Great Barrier Reef and Uluru.

    Being exposed to travel and nature gave me a love of the natural world. It planted a seed – together with my parents’ histories of losing everything and starting again when they migrated – a real sense of not abusing resources, being compassionate towards others and being frugal to survive.

    On a trip to Uluru with his mum and dad, 1972

    How did this focus continue into adulthood and into your work?

    A back-packing trip to South America changed my life. I was lucky enough to be able to spend almost a year going from Guatemala to Chile and I did things I didn’t expect I’d be physically or mentally capable of doing, like climbing very high, very icy mountains. I travelled with a mate and we had some lucky escapes. We climbed the highest mountain in Peru [Huascarán, 6768m] and while we were there, two well-known rock climbers died. They were caught in a rock avalanche and fell a kilometre to their deaths. It was tragic and shocking.

    At another point in the trip, we were stuck in the Amazon jungle in Peru for days. Trying to make our way to Bolivia, we hitched a ride on a canoe full of diesel drums, then slept in a disused police building on the Bolivian border. Eventually, we bought a dugout canoe and a couple of paddles from the locals, and stocked up with a few rusted tins of expired food, a bit of pasta and chocolate, and a handful of plantains, a type of savoury banana.

    With no map of the river and no real direction or idea of how long it would take to reach safety, we paddled for five days in the middle of nowhere along the Rio Madre de Dios – the Mother of God River – a tributary of the Amazon. Somehow, we even managed to keep ourselves upright through a stretch of rapids. We were utterly alone, surrounded by wilderness and wildlife. It was spectacular. South America was unforgettable and affected me profoundly.

    As a young person in my twenties, that trip, combined with the travels of my childhood, brought into stark relief the impact humans were having on these incredible places I’d experienced. In the 2000s, I started an environmental column in the Actuaries Institute’s magazine (I thought I was very clever in making a play on words with my surname, calling it Green Fields). It was my way of trying to shed light on climate change and the not-fast-enough progress governments around the world were making, including ours. I still believe we’re collectively not making enough progress and, alongside governments, individuals and companies also have a role to play. At Taylor Fry, we’re now working on developing our actuarial skillset to help clients navigate their climate risk. It’s exciting to take part in finding solutions and in our own way contribute to hope for the future.

    Alan with his climbing partners on the summit of Pisco in Peru

    What makes you most proud about the company you co-founded and what’s the key to its success?

    For us, success means creating a place that provides a supportive and growing environment to provide our younger staff with opportunities and give them lots of variety. This ranges from traditional actuarial work with insurance companies and injury schemes to customer analytics for Qantas and other companies. In the social sector, our projects cover everything from welfare and homelessness to disability, mental health, child protection, aged care, and recently projects with a First Nations context. We recently authored an Actuaries Institute green paper that details the economic divide in Australia and paints a snapshot of income inequality. Cyber is a critical concern for organisations today and we’re deeply involved in this area as well. Our work culminated in another Actuaries Institute green paper, for policy and other decision-makers to consider the role of insurance in the cyber environment. This diversity means people can find their niche here and grow in their careers.

    Do you think about passing the baton to the next generation? How would you like to see Taylor Fry move forward with you and after you?

    The future is incredibly exciting for our younger people. Data can now be used in so many ways for so many different types of organisations, and Taylor Fry is well placed to provide the opportunities for our people in these interesting spaces. Research and development has been encoded in our DNA right from the beginning, with Greg’s use of generalised linear modelling in traditional areas for actuaries to our expansion into analytics in the social sector, and machine learning and AI techniques for our corporate clients. The focus for us has traditionally been on innovating predictive techniques, but for some time we’ve wanted to explore causal links – the underlying story that leads to an event. This means creating models to understand from the data why things happen, in addition to what will happen and when.

    Our analytics team has set up an internal working group called TF labs to research this next frontier of advanced analytics, alongside predictive modelling techniques more generally, testing ideas and commercially focused applications. In the labs, one of our projects is designing trials that study problems and aim to identify causal relationships with more certainty. Keeping up this kind of momentum ensures we’re continuing the legacy of our original ideals to chart our own path, steer clear of the bureaucracy as much as possible, look after our people and continue to pioneer in ways that can make a difference to the community.

    As for when I’m not here, I’m not sure when that’ll be, but I’m sure the firm and everyone in it will be fine without me!

    Enjoyed this read? Take a look at the stories of Taylor Fry’s other co-founders, Greg Taylor and Martin Fry, as they share some choice excerpts and a touch of wisdom from an actuarial life lived.

  • Inequality Green Paper calls for government policy reform to tackle economic equality gap

    The deep economic divide between Australia’s rich and poor is now significantly higher than in the 1980s, and is in danger of worsening, unless wide-ranging government policy reform is undertaken.

    In Not A Level Playing Field, a Green Paper commissioned by the Actuaries Institute, Taylor Fry authors Dr Hugh Miller and Dr Laura Dixie carried out an in-depth analysis to determine the role demographic factors, such as age, gender, disability, location, education and employment backgrounds, play in determining inequality, as well as the resulting flow-on effects across society.

    The paper brings together, for the first time, a raft of Australian survey data with new analysis to paint a snapshot of income inequality in Australia. Importantly, it builds on the established work of the Australian Actuaries Intergenerational Equity Index, led by Taylor Fry and the investment valuation work actuaries pioneered for Federal and State governments.

    The wealthiest 20% of households currently have six times the disposable income of the lowest 20%

    Lead author Hugh Miller says, “Our analysis has found that where you live, your gender, age, First Nations status, ethnicity, disability, education and employment backgrounds are all drivers of income inequality in Australia. But the big disconnect between robust economic growth and tepid wages growth in our two-speed economy is what has really exacerbated the inequality gap.”

    The fear is that the income gap could widen even further because of the increasing casualisation of the workforce and more people being employed by the ‘gig’ economy.

    Existing economic inequalities translate into large differences in wealth and wellbeing

    Eighty per cent of people in the Organisation for Economic Co-operation and Development (OECD), and 70% within Australia, feel income disparities are too large in their country. Australia’s income inequalities are midrange by international standards – many developed countries have greater inequalities, but others significantly lower.

    “This (inequality) gap has a variety of impacts on everything from poverty levels to housing affordability and life expectancy, as well as your chances of being a victim of crime, being able to pay your insurance bills and enjoy a comfortable retirement,” Hugh says.

    The paper highlights that inequality is significantly higher than in the 1980s, with the wealthiest 20% of households currently having six times the disposable income of the lowest 20%. Wealth inequality is even larger with the wealthiest quintile having 230 times more net assets.

    These big gaps in income and wealth have translated into poorer social outcomes for low-income households. Most notably, comparing the poorest 20% of households to the richest 20%, those living in the lowest income households were:

    • 9x more likely to be an unpaid carer
    • 7x more likely to have experienced homelessness and unemployment
    • 5x more likely to have a child at risk of harm
    • 4x more likely to have recently been unable to meet rent or mortgage costs
    • 3x more likely to be a recent victim of crime
    • 2x as likely to suffer psychological distress or die by suicide

    There were also significant gaps in home ownership, access to childcare, and Year 12 completion rates. Reliance on welfare payments was also higher for low-income households.

    Differences in income correlate strongly with indicators across different factors

    Considering inequality in setting policy direction

    The Green Paper outlines that targeted solutions supporting improvements in equality are likely to generate even broader benefits and support significant gains in overall wellbeing.

    “We believe inequality needs to be a prominent consideration in setting policy direction,” Hugh adds. “Providing targeted assistance (financial or otherwise) to lower income households will deliver significantly more benefits than generic ‘one-size-fits-all’ assistance programs for all households.”

    The paper outlines several areas for policy reform based on suggestions by the Actuaries Institute, Productivity Commission, the Australian Council for Social Service and other expert bodies and reviews. Areas for reform span continued investment in improved data collection, linkage and modelling to support effective targeted government assistance, to specific policy changes in the tax and transfer system such as increasing rental assistance, changes to the Age Pension means test and to superannuation to address equity issues in retirement.

    Listen to the Actuaries Institute podcast here.

  • The road not taken – exploring ‘what if?’ with causal analytics

    As organisations increasingly focus on measuring the outcomes of their decisions, recent developments in causal analytics are helping decision-makers evaluate the decisions they have made in the past to improve the decisions they will make in the future.

    In 2022, the electronics manufacturer Hisense sponsored the FIFA World Cup and invested a significant amount in getting the Hisense brand associated with the massive global event. Naturally, Hisense would want to quantify the return on investment in the form of brand awareness and sales.

    Measuring impact can be complex

    With the increasing availability of large amounts of data, organisations like Hisense have become more aware of the competitive advantages of measuring the impact of marketing campaigns – but the world of marketing is diverse and complex. The impacts of routine direct marketing activities through owned channels, such as direct-marketing email campaigns, can be easily tracked with well-established statistical methods. The effects of broader-based campaigns, such as mass media campaigns across an entire country or the world (like sponsoring the FIFA World Cup), are much more difficult to attribute back to the marketing.

    Seeing the unseen

    The crux of this challenge lies with identifying a ‘what if?’ world, where you can see what would have happened if a marketing intervention was not implemented. In the case of direct marketing, this can be done with carefully constructed control groups.

    But what do we do when it’s not possible to construct matched controls, as in Hisense’s case? Establishing the business benefit from its investment decision is inherently difficult, as it requires comparison to a scenario which did not occur – one where Hisense chose not to sponsor the World Cup.

    The question of ‘what if?’ lies at the heart of evaluating the impact of most high-cost, high-risk decisions. What if we had decided not to proceed with this marketing campaign? What if we had decided not to enact this government policy?

    Causal analytics help to capture the impacts of major campaigns, like sponsoring the FIFA World Cup

    Lifting the veil on ‘what if?’

    Recent advances in the field of causal analysis are lifting the veil on ‘what if?’. We can now take a peek at alternate counterfactual scenarios, even where direct controls are not possible, helping us to put firmer estimates on the returns from broad-based marketing activities. Advanced analytics is allowing us to explore the road not taken.

    For Hisense, this means we can reasonably answer questions such as: Can we see evidence of the effect of its near-blanket coverage across the largest sporting event in the world on brand sentiment? How large was the effect? Did the effect persist beyond the World Cup and, if so, for how long?

    Understanding what would have happened

    If determining the impact, or causal effect, of a decision requires us to understand what would have happened in the absence of that decision, we can do this by calculating a ‘treatment effect’. This is defined as a comparison between the outcomes of a group impacted by an intervention (for example, a marketing campaign) and the outcomes of a control group with no intervention.

    In some scenarios, a ‘randomised controlled trial’ (RCT) can help determine a treatment effect. In an RCT, a random selection of participants receives the intervention (the treatment group) while other participants do not (the control group). Because the allocation of the intervention is random, it can be reasonably asserted that the difference in the outcomes between the treatment and control groups is mostly due to the intervention, and not due to other ‘confounding’ factors.

    However, there are many scenarios where an RCT is not applicable. Sometimes, defining a treatment and control group could be unethical, for example in instituting government policy. In other situations, it might simply be impossible. Hisense cannot designate a control group for its World Cup sponsorship as it is a global event watched by a significant proportion of the world population.

    How ‘mental availability’ offers the first clues

    A plausible first step to finding answers is to identify and measure proxies for ‘mental availability’. This refers to a brand coming to mind as a potential customer considers a purchase.

    A credible proxy for this measure is the level of search interest on Google, where we assume consumers actively searching for a brand reflects mental availability. Google search statistics are available for any topic and any region through the Google Trends service. In the graph below, we show the worldwide Trends data for the search term ‘Hisense’ from January 2021 to March of 2023.

    How can we tell if the surge in interest is due to the World Cup? A synthetic control holds the key

    It is apparent that Hisense had a large increase in Google search activity in the period around the World Cup in November of 2022, but this coincides with another large event in the marketing calendar – Black Friday on 25 November. Moreover, we can see several surges in interest in previous time periods. What caused these surges? Is the post-World Cup increase a direct, causal outcome of the World Cup? Or is it just part of the normal rhythms of the universal sales calendar, such as Black Friday and Christmas sales? To answer these questions, and in the absence of a ‘matched’ control, we need a robust ‘representative’ baseline control – enter the synthetic control.

    The synthetic control – something out of nothing

    If it is not feasible to have a real life, ‘organic’ control, then one possible solution is to have an artificially constructed post-hoc ‘synthetic’ control. Synthetic controls approximate a real control by piecing together information from other similar groups not impacted by the intervention.

    For example, it is plausible that the brand awareness of Hisense at any given time could be approximated by taking a weighted sum of the brand awareness of other similar competitor brands. And, further, given no competitors sponsored the World Cup, it could then be possible to simulate an alternate reality where Hisense also did not sponsor the World Cup.
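    The weighted-sum idea above, worked through as an added example (not code from the article or from Taylor Fry). It fits the weights by ordinary least squares on the pre-intervention months, which is a simpler stand-in for the Bayesian Structural Time Series model and gives no uncertainty estimate. The series names, seasonal indices, weights and lift are all constructed for illustration.

```python
"""Synthetic control by least squares, run on constructed monthly data."""

# Constructed 12-month seasonal search-interest indices (Jan..Dec) for three
# hypothetical competitor brands; all share a November/December sales surge.
SEASONAL = {
    "competitor_a": [40, 38, 37, 39, 41, 43, 45, 44, 42, 46, 70, 62],
    "competitor_b": [30, 29, 31, 33, 32, 30, 28, 29, 31, 34, 55, 50],
    "competitor_c": [20, 22, 21, 19, 18, 20, 23, 25, 24, 22, 35, 40],
}
TRUE_WEIGHTS = (0.5, 0.3, 0.2)   # constructed: how the target tracks the donors
TRUE_LIFT = [25, 20, 15, 10, 5]  # constructed: decaying campaign effect
N_PRE = 22                       # Jan of year 1 .. Oct of year 2
N_POST = len(TRUE_LIFT)          # Nov of year 2 .. Mar of year 3


def mean(values):
    return sum(values) / len(values)


def build_constructed_data():
    """Return (donor rows, target series) covering pre and post periods."""
    donors, target = [], []
    for t in range(N_PRE + N_POST):
        row = [series[t % 12] for series in SEASONAL.values()]
        jitter = ((2 * t) % 5 - 2) * 0.2          # deterministic noise in [-0.4, 0.4]
        lift = TRUE_LIFT[t - N_PRE] if t >= N_PRE else 0.0
        donors.append(row)
        target.append(sum(w * x for w, x in zip(TRUE_WEIGHTS, row)) + jitter + lift)
    return donors, target


def fit_weights(X, y):
    """Least-squares weights w minimising ||Xw - y||, via the normal equations."""
    k = len(X[0])
    # Augmented matrix [X^T X | X^T y].
    A = [[sum(row[i] * row[j] for row in X) for j in range(k)]
         + [sum(row[i] * yi for row, yi in zip(X, y))]
         for i in range(k)]
    # Gaussian elimination with partial pivoting.
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(A[r][col]))
        if abs(A[pivot][col]) < 1e-12:
            raise ValueError("donor series are collinear; weights not identifiable")
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(col + 1, k):
            factor = A[r][col] / A[col][col]
            for c in range(col, k + 1):
                A[r][c] -= factor * A[col][c]
    # Back substitution.
    w = [0.0] * k
    for i in reversed(range(k)):
        w[i] = (A[i][k] - sum(A[i][j] * w[j] for j in range(i + 1, k))) / A[i][i]
    return w


def synthetic_control_effect(donors, target, n_pre):
    """Fit on the pre-period only, then compare observed vs synthetic afterwards."""
    weights = fit_weights(donors[:n_pre], target[:n_pre])
    synthetic = [sum(x * w for x, w in zip(row, weights)) for row in donors]
    gaps = [obs - syn for obs, syn in zip(target, synthetic)]
    return {
        "weights": weights,
        # How well the synthetic control tracks the target before the campaign.
        "pre_rmse": mean([g * g for g in gaps[:n_pre]]) ** 0.5,
        # Month-by-month estimated treatment effect after the campaign starts.
        "monthly_effect": gaps[n_pre:],
        "mean_effect": mean(gaps[n_pre:]),
        # Before/after difference with no control: absorbs the seasonal surge.
        "naive_effect": mean(target[n_pre:]) - mean(target[:n_pre]),
    }


if __name__ == "__main__":
    donors, target = build_constructed_data()
    result = synthetic_control_effect(donors, target, N_PRE)
    print("weights:", [round(w, 3) for w in result["weights"]])
    print("pre-period RMSE:", round(result["pre_rmse"], 3))
    print("monthly effect:", [round(g, 1) for g in result["monthly_effect"]])
    print("mean effect:", round(result["mean_effect"], 2))
    print("naive before/after:", round(result["naive_effect"], 2))
```

    The naive before/after figure comes out larger than the synthetic-control estimate because the post-period includes the November and December surge that the competitor series also show.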

    Kicking goals with Structural Time Series

    An analytical technique that has received recent prominence for tackling this problem is the Bayesian Structural Time Series model. These models are highly customisable and can ingest a variety of different factors to approximate a time series, including trends, seasonal effects and dependent variables.

    The significant advantage that Bayesian Structural models have over other time series modelling techniques is that they are explainable, predominantly for two reasons. Firstly, because they are made up of constituent ‘building blocks’, it is easy to understand the underlying dynamics of how the observation is changing over time. Secondly, they inherently generate an estimation of uncertainty, which gives a measure of how confident you should be in the prediction.

    We can extract search trends for several electronics retailers, including Samsung, Sony and LG, to be used to create the synthetic control. The general movements of the curves are in good alignment in the pre-World Cup period – when the interest levels of a brand rise typically the interest levels of the other brands also rise. This suggests that the competitor brands are good candidates to be used as building blocks in the Bayesian Structural models.

    Extracting trends for similar brands helps us better attribute the surge in interest for Hisense

    Applying the Bayesian Structural Time Series technique [1, 2] to the Google search data for the competitor brands yields a synthetic control for Hisense interest levels. In addition to an overall predicted synthetic control, the algorithm also produces representations of the building blocks or components, which we illustrate below.

    This shows rising interest in Hisense in addition to effects not captured by the comparison brands

    Effects from interest levels of other brands. Together (a) and (b) create our synthetic control

    The first component (a) represents the trends and natural volatility in the Hisense interest levels. This captures the general increasing trend in the Google search interest of Hisense over time in addition to any volatile effects that are not captured by the interest levels in the other brands. The second component (b) represents the effects that can be extracted from the interest levels of other brands, including seasonal sales, general consumer sentiment, consumer expos and more. These two curves are blended to create the overall predicted synthetic control curve.

    Big sponsorship impact, shown by actual interest levels above synthetic levels after the World Cup

    The trend estimates from the model approximate the real Hisense Google interest reasonably accurately before the World Cup, even in times of disruption like Black Friday of 2021. This gives some comfort that the synthetic control will appropriately simulate the alternate reality where Hisense did not sponsor the World Cup.

    Comparing the synthetic control and actual search data yields interesting results. Clearly the actual interest levels are well above the synthetic interest levels following the World Cup – indicating a strong impact from the sponsorship. Overall, across the World Cup period, the middle estimate of the change in search interest of the Hisense brand on Google is a healthy increase of 22%.

    Overall, the change in interest for Hisense across the World Cup period is a healthy 22% increase

    The cumulative benefit increases rapidly at first, coinciding with the initial excitement of the opening games of the tournament, and then begins to tail off as the festivities draw to a close, eventually falling back to the baseline in January 2023. The return to the baseline poses an important question: is the increased brand awareness in Hisense transient or is it long lasting? At first glance, it appears to be transient, but a longer observational period into the future is required to assess properly. Clearly, assessing the long-term impact of the sponsorship is vital to assessing value for money.
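An added example, not from the original article or the CausalImpact package: it builds a synthetic control on constructed weekly search data using ordinary least squares (intercept, linear trend and three competitor series) in place of the Bayesian structural time series model the article uses, so it gives a point estimate with no uncertainty interval. All series, the sale weeks and the built-in 22% effect are constructed to mirror the article's setting.

```python
import math

PRE, TOTAL = 48, 60        # constructed: 48 weeks before the event, 12 after
SALE_WEEKS = {4, 30, 50}   # constructed sales spikes; week 50 falls inside the event window


def constructed_series():
    """Constructed weekly search interest: three competitor brands and the sponsor."""
    sale = [1.0 if t in SALE_WEEKS else 0.0 for t in range(TOTAL)]
    controls = [
        [70 + 8 * math.sin(t / 5) + 20 * sale[t] for t in range(TOTAL)],
        [40 + 5 * math.cos(t / 3) + 10 * sale[t] for t in range(TOTAL)],
        [50 + 6 * math.sin(t / 7 + 1) + 12 * sale[t] for t in range(TOTAL)],
    ]
    no_sponsorship = [5 + 0.15 * t + 0.2 * controls[0][t] + 0.3 * controls[1][t]
                      + 0.1 * controls[2][t] for t in range(TOTAL)]
    # Effect built into the constructed data: +22% in the post-event weeks only.
    actual = [v * (1.22 if t >= PRE else 1.0) for t, v in enumerate(no_sponsorship)]
    return controls, actual


def solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-9:
            raise ValueError("control series are collinear; weights are not identifiable")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def design_row(t, controls):
    """Intercept and linear trend (own dynamics) plus competitor levels (shared effects)."""
    return [1.0, float(t)] + [series[t] for series in controls]


def fit(controls, target, pre):
    """Least-squares coefficients estimated on the pre-event weeks only."""
    rows = [design_row(t, controls) for t in range(pre)]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * target[t] for t, r in enumerate(rows)) for i in range(k)]
    return solve(xtx, xty)


def analyse():
    controls, actual = constructed_series()
    coef = fit(controls, actual, PRE)
    synthetic = [sum(c * x for c, x in zip(coef, design_row(t, controls)))
                 for t in range(TOTAL)]
    pre_fit_error = max(abs(actual[t] - synthetic[t]) for t in range(PRE))
    lift = sum(actual[PRE:]) / sum(synthetic[PRE:]) - 1
    # Naive before/after comparison: mixes the underlying upward trend and the
    # week-50 sale spike into the estimate.
    naive = (sum(actual[PRE:]) / (TOTAL - PRE)) / (sum(actual[:PRE]) / PRE) - 1
    return {"coef": coef, "pre_fit_error": pre_fit_error, "lift": lift, "naive_lift": naive}


if __name__ == "__main__":
    result = analyse()
    print("coefficients:", [round(c, 3) for c in result["coef"]])
    print("synthetic-control lift: %.1f%%" % (100 * result["lift"]))
    print("naive before/after lift: %.1f%%" % (100 * result["naive_lift"]))
```

On the constructed data the regression recovers the built-in 22% effect, while the plain before/after comparison overstates it.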

    A force for good

    Causal analysis is a rapidly evolving area, with new developments in the field being discussed in earnest within the analytics community. Although much of the new interest has been driven by a greater desire within the corporate world to understand the impact of business decisions, understanding causal relationships is also vitally important in evaluating public policy.

    Synthetic controls have proven especially useful in the government space – so much so that the technique has been described as “arguably the most important innovation in public policy literature in the last 15 years” by 2021 Nobel laureate Professor Guido W. Imbens and causal analysis expert Professor Susan Athey [3].

    Ultimately, exploring the road not taken – those ‘what if?’ scenarios – is an enormous step towards making better decisions – in terms of bolstering the benefits in business and improving outcomes for members of the community. And this is just the beginning. There is much potential to achieve this complementary effect across many industries to make a difference now and well into the future.

    Citations
    1. Brodersen, K.H., Gallusser, F., Koehler, J., Remy, N. and Scott, S.L., 2015. Inferring causal impact using Bayesian structural time-series models. The Annals of Applied Statistics, pp.247-274.
    2. Causal Impact 1.3.0, Brodersen et al., Annals of Applied Statistics (2015). https://google.github.io/CausalImpact/
    3. Athey, Susan, and Guido W. Imbens. 2017a. “The State of Applied Econometrics: Causality and Policy Evaluation.” Journal of Economic Perspectives 31 (2): 3–32.
  • Building cyber resilience – 4 critical steps for boards

    The most urgent cybersecurity issues affecting organisations today are complex and often perplexing. An Actuaries Institute panel of experts and thought leaders came together recently to help navigate a pragmatic and effective path forward.

    The cyberattacks on Optus, Medibank and Latitude Financial are growing evidence at home of the increasing sophistication of hackers across the globe. As criminals scan cyber space for any vulnerability, it’s clear no organisation is immune and the need for protection is more important than ever. But how can organisations and particularly boards build their cyber mettle?

    In a lively panel discussion for the Actuaries Institute, Taylor Fry Principal and cyber lead Win-Li Toh explored the way forward for organisations and the role actuaries have to play in shaping their cyber resilience. She was joined by Simon Mitchell, of the Australian Institute of Company Directors (AICD) and Amanda Zeller, of the Australian Securities and Investments Commission (ASIC).

    The panel sees real advantage in using traditional governance processes to strengthen cybersecurity

    The panellists covered some of the most concerning topics for boards. These ranged from the pros and cons of paying a ransom during a ransomware event to how internal cyber education fits into an information security budget, and the availability of cybersecurity professionals to service this escalating risk area.

    We outline the panel’s four key messages for organisations and their boards in building their cyber resilience:

    1. Organisations should start with their existing risk framework to understand cyber risk

    Organisations have struggled to understand and engage with cyber risk in the same way they look at other business risks. Reasons include the technical and at times jargon-heavy nature of information security technology, as well as the less clear link between cyber risk and the balance-sheet impact (compared to more familiar types of risks). AICD’s research and engagement, as part of the development of its recently released Cyber Security Governance Principles, identified a real advantage in using and adopting traditional governance processes to engage with and tackle cyber risk. Using the existing governance and risk management approach provides a common language, helping to bridge the gap between management’s deeper understanding of the technical details and the board’s broader supervisory role.

    2. One size doesn’t fit all when it comes to comparing cyber controls

    Organisations would like to know how they are measuring up when it comes to implementing cyber controls, not to mention the money they spend on cyber resilience. But finding ‘one size fits all’ metrics is challenging due to the differences in organisations’ size, complexity and data assets, as well as the regulatory landscape.

    For example, the AICD considered including a metrics dashboard in its Cyber Security Governance Principles, but decided there wasn’t a gold standard that would work for everyone. Similarly, while ASIC’s imminent cyber survey of regulated entities broadly aligns with the National Institute of Standards and Technology (NIST) framework for managing cybersecurity risk, it doesn’t strictly follow the NIST framework.

    3. It’s imperative to keep on top of the fast-changing regulatory and policy landscape

    In tackling cybersecurity risk, actively seeking information and staying up to date with requirements are critical. Some of the most recent policy developments with implications for organisations include:

    • The Australian Government’s 2023-2030 Australian Cyber Security Strategy Discussion Paper, released in February
    • The recently strengthened Security of Critical Infrastructure Act 2018
    • Potential changes to the Privacy Act
    • The Federal Court Judgment in the case of ASIC v RI Group Pty Ltd, which found the company breached its Australian Financial Services licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

    There is a fine balance between protecting consumer privacy and limiting organisations’ abilities to innovate and take advantage of the big data they collect. Even so, the panel believed the obligations on organisations would be increased if regulators do not see the cybersecurity uplift they are expecting from entities.

    The panel acknowledged that growing government attention and reform in the cyber space meant organisations really needed to be proactive and build their cyber resilience now, which will put them in a good position to meet their increased obligations down the track. In addition, regardless of any policy changes, it is imperative organisations build a strong cyber-aware culture, and that this is led from the top.

    4. Actuaries have a real role to play in demystifying cyber risk for boards

    Cyber risk has been classified a ‘non-financial’ risk by boards, but the major breaches of the past year or so have shown there are direct financial implications beyond reputational risk, including customer remediation and class-action activity. A key role for actuaries going forward will be leading the modelling and estimation of cyber risk presented to boards, which would help make the risks clearer and more tangible to directors, and concentrate their focus.

    Actuaries should also consider working closely with auditors, who are increasingly including cyber risk in notes to financial statements.

    About the panellists

    • Simon Mitchell is a Senior Policy Adviser in the Education & Policy Leadership team of the AICD. He focuses on cybersecurity, financial services and the not-for-profit sector, and how policy and governance developments in these areas impact AICD members. Simon led the development in 2022 of the AICD CSCRC Cyber Security Governance Principles. Previously, Simon had an extensive career in Commonwealth regulatory agencies, including the Australian Prudential Regulatory Authority, and the Australian Competition and Consumer Commission.
    • Win-Li Toh is a Principal and cyber lead at Taylor Fry. She was one of the lead authors of the Actuaries Institute Green Paper Cyber Risk and the Role of Insurance, released in September 2022. Check out Win-Li’s profile to find out more about her work, experience and extensive industry contributions.
    • Amanda Zeller is the Senior Manager of Supervisory and Operational Resilience at ASIC. She works with a dedicated team to deliver ASIC’s Supervisory Cyber Resilience Strategy, focusing on engaging with stakeholders, building internal capabilities, benchmarking our regulated population and driving behavioural change. She works in partnership with stakeholders, including industry and government. Amanda is also Regional Commissioner, Queensland, and represents ASIC locally in this capacity.
  • What does the future of insurance look like in a warmer Aotearoa?

    Flood risk is a big issue for New Zealanders, given recent weather events and more intense climate impacts on the way. Ross Simmonds looks at the shifting landscape of flood risk and the options for decision-makers in navigating the issues of affordability and market sustainability.

    We are not yet a quarter of the way through 2023 and Aotearoa has already experienced the two largest weather events in our history. Insurance costs for the Auckland anniversary weekend floods that occurred in late January have already exceeded $1B. This event was followed by Cyclone Gabrielle, which battered large parts of the North Island in February, causing widespread flooding. The total costs of this event are expected to run into the tens of billions of dollars.

    These events have highlighted the impact climate change will have on weather-related risks for Aotearoa. As noted in the National Adaptation Plan (NAP), released by the government last year, climate change is expected to result in more frequent and extreme weather events in the future. A warmer climate means the atmosphere can hold more moisture, which is predicted to increase total rainfall (total global precipitation is expected to increase by about 3% for every degree Celsius of global average warming) and lead to more intense rainfall, and hence increase flood risk.

    So how can we better prepare for the floods expected at our doorstep and protect New Zealanders from the devastating impacts? With flood protections tending to fall into two categories – mitigation and mop up – we break down the options and what they mean ahead for the future of insurance and the communities at risk.

    Widespread flooding was experienced across New Zealand’s North Island in February 2023

    To pool or not to pool

    In the past, flood risk was largely ‘community-rated’ for home insurance in Aotearoa – that is, the cost of flooding losses is spread across many homes – as flood risk information was patchy and unreliable at an individual house level. In recent years insurers have been improving their understanding of flood risks. Insurance catastrophe modellers have released a model that estimates the flood risks for all properties in Aotearoa. This enables insurers to charge premiums that more accurately reflect the flood risk for each individual property, known as ‘risk-based’ pricing. To date, most insurers are yet to implement risk-based pricing for flood risks. Given the scale of the two recent events, we can expect an increase in risk-based pricing for flood insurance in Aotearoa.

    Internationally, the introduction of risk-based pricing for flood risks has resulted in insurance becoming unaffordable for high-risk properties. In Australia and the UK, the introduction of risk-based pricing has resulted in the governments establishing insurance pools, in tandem with mitigation strategies, to provide affordable insurance.

    Would pooling work in New Zealand? The answer is not straightforward. In Aotearoa private insurers cover all hazards, including flood. As a seismically active country, the largest risk insurers face is from earthquakes. The Earthquake Commission, Toka Tū Ake EQC, is an insurance pool established in the 1940s to provide insurance coverage for seismic perils. The EQC also covers some land damage caused by floods, which is not covered by private insurers. Unlike flood risks, seismic risks are much harder to mitigate. As a result, the Insurance Council of New Zealand is urging the government to focus on flood resilience measures to support properties and protect lives, as opposed to an insurance pool solution for flood risks.

    The case for mitigation

    Following the recent events, the insurance industry and local government in Aotearoa have been vocal in the need for the central government to invest in flood mitigation. This will improve the ability of communities to withstand flood risks and reduce the cost of damage caused by floods. Regular investing in mitigation means costs are pre-funded prior to events occurring, rather than waiting for events to happen and incurring costs through disaster relief and recovery efforts. In a risk-based pricing insurance environment, investing in mitigation options lowers insurance premiums, as they reflect the underlying risks faced by a property.

    Managed retreat and a government buyout

    Another area discussed recently is the potential for managed retreat. This means houses in high flood-risk areas are not rebuilt in their existing location but are instead relocated to safer areas. Following the Auckland floods, there have been calls from some property owners for the government to buy them out, due to the flood risk their properties face. This approach was used in Christchurch following the 2011 earthquake, where several residential areas were declared as red zones due to the land damage. Properties in these red zones were bought out by the government. Managed retreat is not without its issues. Potentially some property owners will not want to leave but may be forced to leave if their land is rezoned. There are also funding issues to consider, as traditional insurance does not cover land values.

    Managed retreat means that houses in high flood-risk areas are not rebuilt in their existing location but relocated to safer areas. It’s not without its issues though, as traditional insurance does not cover land values.

    Resilience-focused adaptation

    The NAP released by the government last year is part of the government’s strategy in response to the expected impacts of climate change. Two of the four priorities of the NAP are to enable better risk-informed decisions and to drive climate-resilient development in the right places. The recent events have highlighted the dangers of building in flood-prone areas. The NAP has various actions that aim to provide improved information to local councils and property owners, as well as reforming the resource management system to encourage development in areas that are less prone to climate hazards.

    The catch is that these actions will take several years to be developed. In response to the NAP, IAG NZ called for more specific, urgent and targeted steps to reduce the risk of flooding via a three-step plan:

    • A joint government and private-sector project to build common understanding of priority flood-prone communities
    • Implementing a National Policy Statement to cease development in flood-prone locations
    • Establish a national program of investment in flood.

    The last two points are mitigation actions, designed to reduce costs prior to a severe flood event occurring. This benefits communities and insurers whilst aligning with the key priorities of the government, as outlined in the NAP.

    The right path – finding balance amid complexity and uncertainty

    Due to the management and costs of flood risks being shared across multiple stakeholders, there is no clear single solution when considering how best to manage the flood risks for Aotearoa.

    The management of flood risks in Aotearoa primarily rests with local governments, although with the introduction of the Three Waters reform program, due to be implemented from 1 July 2024, the management of stormwater will be more centralised. When flood events occur, the costs of these events are covered by a combination of insurance companies, property owners, and local and central governments.

    High premiums provide a signal for investment

    Insurers have traditionally provided financial support to their customers following an event, with no influence on how flood risks are managed, through either mitigation actions or the location of development of new properties. As insurers increase the sophistication of their premium setting for flood risks, properties that are most at risk of flood damage could see a significant increase in their premiums. In extreme cases this can result in the premiums becoming unaffordable. This risk signalling can highlight the areas where government investment in flood mitigation can have the largest impact. For example in the town of Roma in Queensland, insurance premiums increased significantly due to flood risk. Following the build of a levee, a major insurer cut property insurance premiums in Roma by 45% on average, returning these to more affordable levels.

    Risk-based pricing, relocation and buybacks

    An alternative approach to mitigation for extreme flood risks is aiding property owners to relocate to lower risk areas. Following the 2022 floods, for example, the Queensland government established a $741M Resilient Homes Fund, which includes a voluntary home buy-back program for homes that are at risk of severe and frequent flooding. As with mitigation, risk-based insurance pricing can be a driver to highlight the areas where such an approach may be needed.

    Pools as part of the solution

    Mitigation or managed retreat may not be possible for all properties that are at risk of flooding. If increasing insurance pricing sophistication results in insurance becoming unaffordable for certain properties, this can result in property values reducing as property owners will be unable to secure a mortgage. This in turn results in political pressure on government to either intervene in the insurance market, or to provide a protection pool for high-risk properties. Examples of such schemes include Flood Re in the UK and the cyclone reinsurance pool, which was established last year in Australia. Both of these schemes have been established with the aim of keeping insurance affordable.

    Insurance pools can be fraught with problems and should generally be used as a tool of last resort. Establishing a pool with no additional consideration of mitigation options does not change the underlying risks that properties face, it just changes how these risks are funded. This dampens the risk signals that private insurance provides to property owners about the risks their properties face and may result in continued poor risk management practices, such as building houses in flood-prone areas.

    Insurance pools can fund more than just insurance costs, as shown by the EQC, which funds research into natural disasters and ways of reducing their impact. Pools can also be used to provide cover for uninsurable risks, such as the terrorism reinsurance pool in Australia.

    EQC levies for earthquake risk already make up a significant portion of insurance premiums in low-risk seismic areas such as Auckland. If flood risks were also included in an insurance pool, either through an expansion of the EQC or the creation of a new pool, this would further increase the size of levies relative to insurance premiums. While this reduces some of the claims risks insurers face, it also potentially reduces their profitability, which may result in some insurers exiting the domestic property market, which impacts the community.

    Last word for decision-makers – a conversation for all

    Managing flood risk is a matter of balance between risk mitigation and how to fund the costs once events have occurred. The uncertain nature of flood risks, combined with the expected increasing underlying risk due to climate change, highlights the need to continually invest in mitigation measures. Like all resources, the funds available for mitigation are finite, so thought needs to be spent on how these resources are best used. Insurers and their core function of assessing risk can assist the public sector in identifying how to get the greatest impact from mitigation costs. Bringing all stakeholders together to identify the most effective response will result in safer and more resilient communities that can adapt to the changing natural environment.