Cyber Insurance into 2024
Introduction
Cybersecurity is a hot topic in Australia, especially with the recent high-profile breaches of Optus, Medicare and Toyota. If even the big names with the big cyber budgets can get it wrong, then how can small and medium businesses with more modest budgets hope to recover from cyber attacks in today’s security climate?
This conversation inevitably leads to a discussion of cyber insurance, one of the key tools businesses use to recover financially from a successful cyber attack.
Cyber insurance is a tough and complex area for business. With the number and cost of cyber attacks increasing year on year, the importance of cyber insurance increases, but so does the cost of premiums. In the first half of 2022 alone, cyber insurance premiums increased by 60% - 80%. At the same time, major underwriters are adding new policy limits and exclusions to cover their own rising costs.
Now more than ever, businesses need to get cyber insurance right. In this whitepaper, we cover how cyber insurance works, some common mistakes to avoid and what businesses must do before purchasing cyber insurance to ensure they don’t end up with skyhigh premiums.
How Cyber Insurance Works
1. Mandatory cyber controls
Most providers insist businesses have a minimum set of standard cybersecurity protections in place before being eligible for any level of cyber insurance.
Common examples include multi-factor authentication and employee training against social engineering attacks. It’s important to understand that such security measures are not only mandatory for a business to qualify for cyber insurance, but must be maintained for the policy to remain valid.
2. Incident response
Most cyber insurance underwriters will have a specific way in which cyber incidents must be handled. Often, the underwriter or a selected partner will handle the response on behalf of the business.
Cyber insurance policies often stipulate a maximum amount of time in which an incident must be reported to the appropriate party. These requirements are extremely important to follow, as a business can invalidate its coverage by following the wrong process or taking too long to report an incident.
3. First-party coverage
First-party refers to the insured business itself; examples of first-party losses due to a cyber incident include:
• Incident management expenses, such as labour associated with forensics and recovery and call centres or additional employees to deal with customer concerns in the wake of a cyber incident.
• System or data damage and the cost to repair systems and regenerate data
• Business interruption and lost profits
• Redirected funds as a result of social engineering
• Ransom payments
• Damage to brand and customers lost due to reputation damage
4. Third-party coverage
Third-party costs are those incurred by other businesses or individuals. Some examples include:
• Anything on the above list but incurred by a client due to the action or inaction of the insured business
• Costs arising from privacy breaches of individual data
• Credit monitoring services
• Legal defence costs and payouts
Common Cyber Insurance Mistakes to Avoid
Cybercriminals are constantly changing their tactics and techniques, so businesses need to be prepared for new threats in order to adequately protect their operations.
One in five companies that experience a cyber attack will go out of business within six months, so selecting the right policy is instrumental in protecting a business against cyber threats. However, business owners must understand how different policies work before choosing one to fit their needs – otherwise, it is very easy to end up paying more than necessary or having insufficient coverage.
The following are the top five mistakes businesses make when selecting cyber insurance:
1. Skipping the risk assessment
In the post–Optus breach world, many businesses may be tempted to get cyber insurance as quickly as possible, taking the first available off-the-shelf policy. However, without a solid understanding of its risks and their potential impact, how can the business be sure it’s purchasing enough coverage and not overpaying?
The best place to start is with a risk assessment. This will evaluate what data the business holds, how sensitive it is, what security controls are already in place and how much they reduce the risk of a breach.
2. Assuming all cyber insurance policies are created equal
Many different insurance carriers offer some form of cyber insurance coverage, and some are much better than others. Policy terms and amounts will vary widely by carrier and type. Be sure to spot the differences in the following: Incidence response coverage limitations Exclusions for incidents resulting from specific causes.
Minimum security control and breach notification requirements The requirement to carry other types of insurance (e.g., business continuity or crisis response)
3. Not understanding policy exclusions
Just like any type of insurance, cyber policies will come with some exclusions, and the business needs to understand what will not be covered. Carriers often specify exclusions that pertain to a business’s particular risk profile. Exclusions to ask about include:
• Unfair trade practices
• Regulatory action
• Breach of contract
• Terrorism and war
• Inadequate security
• Third-party vendor breaches
4. Not understanding how the sub-limits of a policy work
Many cyber insurance policies, especially add-on cyber coverage endorsements, offer coverage capped at a sub-limit. This means the liability coverage for any one incident is most likely not as high as the policy’s total aggregate liability limit.
Understanding the policy’s sub-limits and how they suit the business is important. If a business has an area of significant risk, then it needs to have an appropriate amount of coverage under the relevant sub-limit or risk suffering catastrophic losses.
5. Not checking their IT provider’s thirdparty cyber insurance coverage
When a business outsources its IT services, it should be aware of the provider’s third-party insurance coverage. If the provider suffers a cyber attack that impacts the outsourcing business and/or its clients, it’s usually the provider’s thirdparty insurance that will cover any costs and losses rather than their own.
What Cyber Insurance Won't Do
While cyber insurance will help to offsets the costs of a cyber attack, it certainly doesn’t do anything to prevent cyber attacks in the first place. Cyber insurance is one brick in the wall of holistic cyber security. Businesses must weigh the costs and benefits of cyber insurance against investing in defensive measures.
It’s also important to understand that while cyber insurance will offset the costs of cyber attacks in the long run, it’s unlikely to help with short-term cash flow. Claims can take weeks, months or even years to be paid out/ While this is helpful in the long run, the payout timeframe is unlikely to help a business that’s struggling to make monthly payroll because its website is unavailable and orders are not coming in.
Before Buying Cyber Insurance
Before choosing a cyber insurance policy, businesses should:
1. Understand their unique risks and the associated costs
This can be done either through an internal risk assessment or by using an external specialist IT provider. In many cases, low-cost controls can be put in place that greatly reduce the risk to the business and, therefore, the cost of cyber insurance premiums.
2. Ensure cyber security controls and practices are appropriate
Ensuring that appropriate defensive tools, technologies and services are in place can greatly reduce both the likelihood and impact of cyber attacks. Without these in place, businesses may not be eligible for cyber insurance or may have to pay much higher premiums for the same level of coverage.
3. Obtain multiple quotes
Working either directly with brokers or through the business’s IT provider and their partners, obtaining multiple quotes is a way to not only compare premiums but also coverage areas, total and sub-item coverage limits.
4. Ensure the broker/underwriter fully understands their cyber security posture
Discounts may be offered for businesses with a high level of cyber security, while businesses premiums may be increased for businesses deemed to be a higher level of risk. Businesses must ensure their security posture is well documented and presented to the insurance broker or underwriter in the best possible way.
5. Understand the selected policy
Understanding precisely what the selected policy covers, to what levels, and what it doesn't cover means reading the policy thoroughly and consulting insurance professionals for any areas of uncertainty.
Conclusion
Protecting against losses from cyber attacks is more important today than ever, but cyber insurance is a complex field that requires careful consideration. In order to select the best policy, businesses need to fully understand their risk profile and the associated potential costs and losses. Finally, before choosing a policy, businesses must take measures to reduce both the likelihood and impact of a cyber attack to ensure they get the lowest possible premiums for the appropriate level of coverage.