menu close
  • Back

Cyber security is the topic on every business leader’s mind these days, and for good reason. With highly publicised cyber attacks against Optus and Medibank prompting the federal government to reconsider the state of its cyber laws, Australian businesses are taking stock of their vulnerabilities, as well as the potential costs associated with a cyber security breach. 

This has led to growing concerns about the limitations of professional liability insurance to protect you in the event of a cyber attack. Separate cyber insurance policies exist, but according to the Actuaries Institute’s report on Cyber Risk and the Role of Insurance, only 20% of SMEs carry cyber cover. As an example, Medibank—whose remediation costs may exceed A$200M—does not appear to have had cyber cover in place prior to the attack.

With the risks of a cyber security breach on the rise, why hasn’t cyber insurance been more widely adopted? While cyber insurance can help to mitigate your risks, make sure you understand what’s covered—and what’s not—before investing in a policy.

This article is based on our experience and that of our clients. Cyber insurance coverage and premiums vary widely, and calculations are based on a number of variables. Be sure to seek guidance from a qualified insurance broker who can advise you based on your specific situation.

The process of obtaining Cyber Security insurance 

Applying for cyber insurance cover is often a lengthy and exhaustive process.

Firstly, you’ll want to explore your options by contacting providers and comparing their offerings. You can do this directly, or work with a broker who will communicate with providers on your behalf.

Each provider will require you to submit a detailed report containing all the specifics of your environment and current security protocols. The insurer will use this document to determine if they are able to provide coverage, and if so, what type of policy they can offer you.

It’s possible that they may come back with an offer conditional on making certain changes to your environment or putting specific safeguards in place.

Rates for cyber insurance policies are determined on a case-by-case basis, using a complex calculation involving numerous variables. For this reason, it’s difficult to estimate the cost of your cyber insurance or to understand what variables may affect your premium.

The challenges with Cyber insurance

As the Actuaries Institute report notes, several challenges limit enrollment in cyber insurance policies.

• Market capacity for the policies remains limited: As rates of cybercrime continue to skyrocket, providers are (understandably) hesitant to enter the space.
• Coverage is decreasing, while premiums are going up: As existing insurers tighten their policies, it’s becoming increasingly difficult to get cyber insurance at all, let alone a policy with comprehensive coverage. Of the claims reviewed by the Actuaries Institute, insurance covered just “44% and 37% of data breach and first-party costs respectively”.
• Tightening restrictions around security controls: Many insurers are also increasing demands around protocols that must be in place before policies can be issued. If controls aren’t in place, companies may not be issued policies or their premiums may be increased. Implementing these controls can be especially challenging for SMEs that lack the required resources and expertise in-house.

As a result, companies may find it difficult to qualify for cyber cover in the first place—and near-impossible to access these policies in a way that’s cost-effective.

How to mitigate your risk and lower your Cyber insurance premiums

At CBS, we’ve had a number of companies come to us for help ticking the security boxes required by their insurance providers, often wondering what preliminary actions they can take to boost their eligibility and reduce their premium.

The fact is, there’s no cut-and-dried method to determine your cyber insurance premium. Rather, it’s best to take a collective approach to total security, taking into consideration a multitude of factors and maintaining a continued focus on improving security over time.

Some organisations may find it more beneficial to allocate their security budget towards investing in in-house measures to mitigate cyber security risks rather than relying on insurance. As the Actuaries Institute report indicates, “insurance covered only 44% and 37% of data breach and first-party costs respectively.” Most claims are a result of a data breach, which also tend to be the most costly form of cyber attack.

For companies whose premiums are in the six to seven figure range, we recommend working with a consultant who can recommend additional products, services, features and training that may go further towards improving your security posture and provide a greater return on investment than cyber cover.

With that in mind, the following are some of our best tips for leveraging technology to drive down costs.

IT Security Checklist

Transform Your Cyber Defense: Prioritised Actions for Staying Ahead of Threats.


Tips for getting started with cyber insurance

Using organisational best practices and technology to mitigate both your risk and the insurers can help you to keep premiums tight and reduce the likelihood of experiencing a security breach.

Determine how much cover you need. Understand that insurance may not cover you for all types of cyber attacks. To determine whether you will receive value from an insurance policy, the cost should fall below your business’s annualised loss expectancy (ALE), a calculation of your business’s potential loss in the event of a cyber attack.
• Implement multi-factor authentication (MFA). This is one of the primary requirements of most insurers, as well as one of the simplest methods to significantly boost your organisation’s security posture. MFA acts as your second line of defence; in the event that a bad actor gets their hands on your passwords, this will prevent them from infiltrating your environment, so it’s essential to implement two-factor authentication wherever possible. This is especially important for financial accounts, system admins, and other privileged users.
• Make sure to back up all data. Insurance providers will want to see that you have a system in place to regularly back up your data. This is one of the most important factors, both for qualifying for cyber insurance and recovery in the event of a cyber attack. We recommend immutable backups - as in our private cloud - through data that’s fixed, unchangeable and can never be deleted – vital to meet recoverable data needs, protect backups from new ransomware infections, and guarantee recovery from an attack.
• Be aware of and manage insider risk. Your organisation is only as strong as its weakest link. While you may not think your receptionist needs cyber security training, if they have their identity compromised and you haven’t got role-based access control set up properly, that could be just the window bad actors are looking for to infiltrate your business and gain access to your valuable data. Regular cyber security training and education is essential for all team members.
• Stay on top of patching. Outdated software can create vulnerabilities in your organisation that act as open doors for cybercriminals. We recommend only running current, vendor-supported operation systems that offer regularly scheduled updates, as well as testing available security patches and applying them to production systems based on the severity of the risk they mitigate.
• Invest in a business contingency plan (BCP). A business contingency plan is a strategy for how your organisation will respond in the event of a cyber attack. Identify roles and responsibilities as well as processes that will help to minimise the effects of the incident and keep your business operations on track as much as possible.

Right-sizing your cyber insurance requirements

Before you start shopping around for cyber insurance, it’s important to have a thorough understanding of exactly what you’re looking for.

A cyber security assessment can help give you an accurate picture of your organisation’s existing security posture. Compare your results to your target security posture, and then identify what actions you need to take to bridge the gap.

If you aren’t able to assess your security requirements on your own, an experienced partner can help. Speak with an expert at Canon Business Services ANZ (CBS) today.

Similar Articles


What are the advantages of Microsoft Azure

Discover the advantages of Microsoft Azure: Scalability, security, cost-efficiency, and innovation. Learn how Azure enhances operations and drives digital transformation in New Zealand.

What is Security Automation?

Learn how automated security transforms cybersecurity, making it simpler and more efficient. Protect your business data with CBS New Zealand’s expert insights now!

What are the effective Azure cost optimisation strategies

Maximize Azure efficiency for your New Zealand organisation. Reduce costs, optimize resources, and align spending with business goals using our expert strategies and tools!

What are the benefits of penetration testing?

Gain confidence in your digital security with the benefits of penetration testing. Enhance cybersecurity, identify vulnerabilities, and fortify your defences with CBS New Zealand's expert insights now!

Cybersecurity Threat Detection: Proactive strategies

Stay ahead in cybersecurity with our 2024 guide on threat detection. Learn advanced technologies & response plans to protect your business against threats with CBS New Zealand.

The key differences between CIO vs CISO in business

Uncover the distinct roles of CIO and CISO in New Zealand business: Key responsibilities, overlaps, and IT leadership evolution.

The essential drive behind healthcare IT outsourcing

Discover how IT outsourcing transforms healthcare efficiency and compliance in New Zealand.

Ultimate guide to internal penetration testing

This Internal Penetration Testing guide covers techniques, analysis, and best practices for identifying vulnerabilities & strengthening your cyber defense in New Zealand.

Level 1 support in IT

Discover the importance of Level 1 support in IT. Get insights into efficient problem-solving and customer service with CBS New Zealand's expert insights now!

RMM Meaning and its significance in IT management

Evolving technology, key benefits, and its impact on efficiency and security. protect your business data with CBS New Zealand’s expert insights now!

The Threat Intelligence Lifecycle explained

Discover how to navigate the Threat Intelligence Lifecycle in 2024. Our guide covers phases, analysis, and best practices for cybersecurity decision-making in New Zealand.

What are the latest cyber threats and defense strategies?

Enhance cybersecurity, identify vulnerabilities, and fortify your defences with CBS New Zealand's expert insights now!