16 October 2023

Don’t confuse cyber insurance with cyber resilience

Rahul Prasad

elevenM’s Rahul Prasad looks at some of the questions and complexities around cyber insurance.

Australian companies are expected to spend over $800 million annually on cyber insurance. This represents an increase of approximately 70% and comes off the back of a spate of high-profile cyber breaches that have unnerved boardrooms across the country. At the same time, cyber insurance premiums have surged by as much as 80% in the past year.

So, in an age when businesses are more exposed than ever to cyber-attack, can you rely on cyber insurance to protect your business? The answer is: yes and no.

On the yes side, it can protect your business against the costs associated with responding to a cyber incident. With the most recent IBM/Ponemon Cost of a Data Breach report showing that the average total cost of a data breach is USD 4.35 million, this is an important factor. Having the financial stability to appropriately respond to (and recover from) a data breach may be the deciding factor in your business surviving such an event.

However, cyber insurance is not a panacea. Having cyber insurance does not mean your organisation is more cyber resilient — it merely allows you to transfer some of the financial risk to an insurer. And no matter how well insured your business is, in the event of an attack, questions may continue to be asked about your organisation’s cyber security — potentially for an extended time. Every organisation still needs to invest in uplifting its cyber maturity.

But cyber insurance may have a role to play in your broader cyber security strategy. In this blog, we explore some key questions about cyber insurance.

What is cyber insurance and why is it deemed important?

Businesses today face a growing threat from cyber criminals who are becoming increasingly sophisticated and motivated. The costs of responding to a cyber incident can be substantial and have a lasting impact on a business’s financial viability. Add to this the increased frequency of cyber attacks: Ponemon found that 83% of the businesses surveyed for the 2022 Cost of a Data Breach report had experienced more than one breach, which means these expenses are not a one-off.

Cyber insurance is designed to protect your business against losses incurred as a result of a cyber-attack or data breach. This can include coverage for the cost of investigations, public relations efforts, and legal expenses. In some cases, cyber insurance can also cover ransom payments that may be necessary to regain control of your data. Cyber insurance policies vary widely, but the following types of losses are the kind that might be covered:

  • legal fees and expenses incurred through defending against a lawsuit related to a cyber-attack or data breach
  • the cost of notifying affected individuals or customers of a data breach
  • the cost of providing credit monitoring services to affected individuals
  • reimbursement for lost or stolen information
  • reimbursement for lost income due to a cyber-attack or data breach that disrupts normal business operations.

From a Board perspective, and in the modern cyber threat environment, planning for this potential cost is an important component of financial risk management. In this context, cyber insurance can provide business leaders with peace of mind.

What are some complexities associated with cyber insurance?

  • Cost: Cyber insurance can be expensive, especially for small businesses, and the cost can vary depending on the size and type of the organisation, the level of coverage required, and the perceived level of risk. Some companies find that the cost of cyber insurance outweighs the potential benefits.
  • Coverage limitations: Many cyber insurance policies have specific coverage limitations and exclusions that may not adequately address all potential cyber risks faced by a company. For example, some policies may not cover certain types of attacks, such as social engineering or phishing, which are becoming increasingly common, as they are often classified as ‘human error’.
  • Pricing the value of lost/stolen information: Potential future earnings from information that’s been lost/stolen/exposed are almost impossible to quantify. A company that has had proprietary information stolen may advise an insurer that they could have made $10 million over coming years from sole knowledge of that information, but that’s almost impossible to prove definitively to an insurer.
  • Complex claims process: Filing a cyber insurance claim can be a complex and time-consuming process, and insurers may require extensive documentation and proof of the damage. This can be particularly challenging for small businesses with limited resources.
  • Lack of standardisation: Unlike other types of insurance, cyber insurance is a comparatively new and rapidly evolving field, which can lead to a lack of standardisation in policy language and coverage. This can make it difficult to compare policies and understand exactly what you’re getting (and not getting).
  • Moral hazard: Underwriters are concerned that when companies think they will be fully covered by cyber insurance, they may be less likely to invest in uplifting their cyber maturity and may be more willing to pay ransom demands. This is leading some insurers either to stop providing coverage for cyber incidents or to increase premiums significantly.

Some industry experts are even predicting that cyber will become uninsurable in coming years. While we don’t think that will happen, many insurers are becoming hesitant to provide cover for emerging cyber threats, such as artificial intelligence-powered attacks or supply-chain attacks, as the risks and potential losses associated with these types of incidents may be more difficult to quantify and manage.

Additional considerations for executives

Below are some additional considerations for executives when assessing whether or not to take out cyber insurance.

  • Risk assessment: Conduct a comprehensive risk assessment of your organisation’s cyber vulnerabilities, potential threats, and potential financial impact. Understand your specific risks and exposures to determine the appropriate coverage needed.
  • Cyber security maturity: Evaluate your company’s cyber security practices and maturity level. Insurers may assess your cyber security posture before offering coverage. Strengthening your cyber security controls and implementing best practices can help in obtaining favourable terms and coverage.
  • Coverage and policy terms: Thoroughly review and understand the coverage offered by different insurers. Ensure that the policy aligns with your organisation’s needs and covers key areas such as data breaches, business interruption, legal expenses, and regulatory compliance.
  • Exclusions and limitations: Pay close attention to policy exclusions and limitations. Understand what events, circumstances, or types of data breaches may not be covered. Assess if any exclusions align with your specific risks and if additional endorsements are required.
  • Incident response support: Evaluate the insurer’s incident response support. Check if they provide access to cyber security experts, legal counsel, public relations support, and forensics teams to assist in managing and recovering from a cyber incident.
  • Claims process: Understand the insurer’s claims process, including reporting requirements, response times, and the level of support provided. A smooth and efficient claims process is crucial in the event of a cyber incident.
  • Premiums and cost-benefit analysis: Assess the cost of premiums against the potential financial impact of a cyber incident. Perform a cost-benefit analysis to determine if cyber insurance is a worthwhile investment compared to other risk mitigation measures.
  • Vendor requirements: If your organisation works with third-party vendors or partners, check if they have cyber insurance coverage. Some contracts may require specific insurance coverage or limit liability in the event of a breach.

Contact us

If you’re interested in learning more about cyber security risk and resilience, contact us: hello@elevenM.com.au or on 1300 003 922.