In 2023, no organisation is safe from the threat of a cyberattack. The demand for cyber insurance is increasing as companies look to protect themselves against a potential breach, the after-effects of which can include loss of profits and productivity, theft of personal and financial data, and reputational damage.
Our clients regularly come to us with questions and concerns regarding cyber insurance, what their options are, and how they can mitigate their risk and optimise their premium.
This article contains some of the insights we’ve gleaned over the years and should help you to understand some of the key considerations around cyber insurance.
While our goal is to guide you towards making an informed decision around your cyber security planning, every situation is unique and should be considered as such. A qualified insurance broker can advise you on the best course of action based on the specifics of your organisation.
The following are some of the most common questions we regularly see from clients.
Professional indemnity insurance covers you for acts of professional negligence resulting in damages to a third party. Most policies do not offer coverage for cyber attacks themselves, although they may cover you for damages incurred by your clients in the event of a cyber attack.
Unlike cyber insurance, professional indemnity insurance does not provide first-party coverage, and will not reimburse you for your lost revenue or help you to investigate the incident to ensure it doesn’t happen again. As the odds of experiencing a cyber attack increase, you’ll want to make sure you seek out coverage specifically for cyber security.
Cyber crime is at an all-time high. As business is increasingly conducted in the online space, there are more ways than ever for hackers and cybercriminals to infiltrate your business and get their hands on your company or client data, and this can cost your business dearly. Not only can it result in lost profits while you deal with the incident, but you can also be held liable for any third-party damages incurred as a result of the attack.
Cyber insurance can help mitigate the risks of a cyber security incident by identifying your vulnerabilities and providing solutions to strengthen your security posture.
In the event of a security breach, insurance can cover loss of profits, legal expenses, and help you to understand how the incident occurred so you can prevent it from happening again in the future.
Insurance providers are increasingly moving towards preventative solutions. This often involves helping to increase cyber security awareness, diagnosing vulnerabilities in your environment and encouraging you to adhere to cyber security best practices.
Insurers are not just there in the event of an attack but help to foster a successful cyber security culture within your organisation.
Your cyber insurance coverage can vary depending on the type of coverage and your individual policy.
First-party coverage:
• Covers the cost of lost revenue due to a cyber threat
• Covers ransomware attacks (depending on your coverage limit)
• If a breach occurs, your insurer will investigate and help you to put preventative measures in place to protect against future attacks
Third-party or cyber liability coverage:
• Protects you in the event that you are sued for damages by a third party as a result of a cyber security incident
• Covers court fees, attorney fees, and costs associated with legal proceedings
Technology errors and omissions:
• Covers you in the event that you are responsible for a cyber attack that occurs in one of your customers’ businesses
• For example, if a software program you write has an error in the code and your customer’s data is stolen directly from their computer rather than your database
The Corporations Act 2001 holds company directors responsible for protecting their business and shareholders against major risks—as such, cyber security is now a top concern for business leaders in Australia.
The Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) are strengthening regulations and increasing penalties for business leaders who don’t comply.
A cyber insurance policy could be beneficial in the event of an attack; however, it is not a cure-all for every type of cyber attack. Certain organisations may find it more worthwhile to shore up their security in-house and invest in preventative measures rather than taking out a cyber insurance policy.
With the cyber security landscape evolving at such a rapid pace, it’s become increasingly challenging for insurers to keep up with the latest threats.
As such, cyber insurance policies are being scaled back in a big way, and it’s becoming much more difficult to qualify for the right cover at a reasonable rate. We’ve seen many of our clients struggle to access the same level of coverage or to find a provider who will offer them coverage at all.
• In-house vs. outsourcing: Organisations are weighing up their options in terms of the cost and effort associated with managing their risk in-house or outsourcing some of this burden and responsibility by working with an external partner to strengthen their security posture.
• Cost of the premium vs. investing in remediation: As premiums rise and underwriting becomes tighter, organisations are considering whether they are better off investing in cyber insurance or putting that money towards bulking up their in-house defences.
Insurers require you to provide detailed information about the security protocols in place in your organisation. This can include multi-factor authentication, patching, backup processes, and more.
Once providers have assessed this information, they may come back with questions. They may also ask for additional details in order to accurately assess the security posture of your organisation before providing you with a quote for underwriting the claim.
From here, there can be months of back-and-forth negotiations. Providers may require you to take on additional security protocols before agreeing to provide coverage, and will likely want to see that you have a plan in place to reduce vulnerabilities and strengthen the security of your organisation.
You can estimate if cyber insurance is worth the investment by comparing the premium with the annualized loss expectancy (ALE) for your company. To determine your organisation’s ALE, consider the likelihood of a cyber attack and what that would cost you.
Consider the cost of the worst-case scenario and what you stand to lose if your business operations are down in the event of a cybersecurity breach. This includes not just revenue, but also lost contracts and brand credibility. This will help you to determine how much coverage you actually need.
Cyber insurance is especially important if you are handling customer data, have high revenue, or store important data.
Your board’s participation in and understanding of your cyber security strategy is critical to its success.
On March 31 2022, Parliament passed the Security Legislation Amendment Critical Infrastructure Protection Act (SLACIP), increasing the obligations of responsible entities such as the board of directors to implement and maintain risk management programs.
This requires board members to assess the vulnerabilities within their organisations and take steps to minimise their risk. They must also provide an annual report detailing their risk management program, how it is being implemented and how they plan to uphold it to mitigate their risk over time.
As underwriting becomes tighter and requirements for coverage become increasingly stringent, it will become more difficult to qualify for insurance even if you are willing to pay. Premiums will continue to increase, putting cyber insurance out of reach for many organisations. In addition, policies will continue to be reined in, offering increasingly limited coverage.
If you’re interested in taking out a policy, expect to shop around for insurers. Last year one of our clients started with ten insurers and eventually only one offered them coverage. They are unsure whether they will be able to get coverage this year or in the future, or if the rising cost of policies will price them out.
Cyber insurance is not a one-size-fits-all solution. In order to make the right decision for your organisation, do your research to understand what type of coverage is being offered and at what cost.
To qualify for coverage and reduce your premium, you need to assume the strongest security posture possible. Before reaching out to providers, we always recommend conducting a security assessment to help you understand your current positioning and where you want to be.
CBS can help you accurately assess your current state and create a cyber security roadmap tailored to the needs of your organisation.
Reach out to Canon Business Services ANZ (CBS) for customised support on improving your security controls to qualify for better, cheaper cyber cover.