    Cyber insurance: essential protection or pointless expense?

    Cyber insurance premiums are soaring, and policies are getting pickier and pickier. But, as ransomware attacks come thick and fast, can your organisation afford to go without?

    by Vinh Nguyen

    Since cyber insurance is a relatively new insurance product, it's understandable that many companies are not as familiar with the products on offer as they could be.

    Companies seeking to safeguard themselves against threats like ransomware often find that premiums are high and policies are packed with exclusions. To add to the complexity, many insurers bundle cyber insurance across a number of products, making it harder for buyers to decide what works best for them. 

    Partly as a result, many companies don’t have cyber insurance at all – around 75% of Australian businesses are uninsured, with the figure even higher among small and medium-sized firms. So is cyber insurance worth it?  

    Cyberattacks are an existential threat – and insurance uptake is patchy

    Cybercrime can be devastating: the Australian Cyber Security Centre estimates the average cost of an incident at over $39,000 for small businesses and $62,000 for large businesses. The ACSC describes ransomware as “the most destructive cybercrime”, and IBM puts the average global cost of a successful ransomware attack far higher, at an eye-watering $4.5 million. Factor in the costs of investigation, recovery, customer support, regulatory fines, legal costs and reputational damage, and it’s clear ransomware can threaten organisations’ very existence.

    Many of us insure our homes, cars and possessions without a second thought. Yet faced with the colossal risk of ransomware, many businesses do not use insurance. According to reports, Medibank, the victim of one of the worst cyberattacks in recent times, “had considered cyber insurance in the past” but “made the decision to self-insure given the restrictive nature of coverage combined with an assessment of the risk involved”.

    It’s not alone in making that call. The first cyber insurance policies were drawn up in the late ‘90s, and at first the sector grew slowly. The global market is much stronger now – it’s forecast to hit $20 billion by 2027. But even though there’s a lot more awareness now, uptake has still been patchy at best.

    Insurers and their customers have a problem

    Part of the problem is the changing nature of cyber threats themselves. Remote work has opened up attack surfaces around the world, online scams have multiplied, and criminal gangs have become more sophisticated. Ransomware incidents have grown more common and more severe, and now make up an alarming 75% of cyber insurance claims.

    The result? Insurers have struggled to turn a profit. In 2021, Fitch Ratings found that the ratio of losses to premiums earned had reached 73% the previous year. Concerned US and European insurers halved the amount of cyber cover they offered in 2021. In Australia, as claims have surged, the cost of cyber cover has doubled every year for the past three years, making some organisations think twice before signing up. Among those companies with cyber insurance, many are uncertain how deep their protection runs. “My phone has been running hot from companies wondering how their policy would respond in a hack such as the one that hit Optus,” said Kelly Butler, chief client officer at insurance broker Marsh, after a wave of attacks hit Australia in October and November 2022.

    Cyber insurance won’t suit every company

    This kind of market results in an insurance product that won’t suit every organisation. Premiums are high and insurers may only be willing to insure data to a fraction of its actual value. Policies may not cover ransom payments or attacks from state-linked groups, and liability may be limited on certain attack vectors (including ransomware). Some policies only cover initial response, excluding longer-term recovery costs entirely.

    Cyber insurance isn’t just a high-risk business: it’s also a new one. While home or car insurers may have had decades or even centuries to mature, cybersecurity is still a recent sector. Information on the locks you use, the type of property you own, how often you leave a property unattended and the local crime rate is relatively easy to collect and assess compared with cyber’s rapidly evolving threats, changing regulatory environment and constantly moving attack surfaces. As a result, there’s less transparency and standardisation in cyber insurance, meaning some organisations simply go with the cheapest option – only to get stung when they actually make a claim.

    How to find the right cyber insurance for your business

    There are plenty of real-world cases of failed cyber insurance claims – in 2022, automotive services firm Inchcape lost its claim against its insurers in the Federal Court. That doesn’t mean cyber insurance never works out, but it does mean organisations must think carefully about the partnership they open up with insurers. Any company in the market for cyber insurance can take some steps to make sure it gets the product that best suits its needs.

    1. Accept that cyber insurance is not a silver bullet

    The first thing to emphasise is that cyber insurance is no silver bullet for cybersecurity. You simply cannot outsource all cyber-risk to a third party. Every company should protect its assets with a layered set of security tools, backed with across-the-board awareness training and a well-rehearsed incident response plan. Indeed, without such measures, many insurers won’t even consider you for a policy.

    2. Know your needs

    Every organisation is different. Considerations such as what data you have, where it is stored, the cost of protecting it and the impact of its loss should inform your cyber strategy. These factors, especially if they’re assigned a dollar value through a risk-based model, can help you determine the best insurer and level of cover. Some insurers are more streamlined and may offer lower premiums, while others may have deeper resources and infrastructure and be able to handle claims or rectify systems faster. These comparisons will also help you work out whether – like Medibank – you prefer to live without comprehensive insurance and take at least some losses on the chin.
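    The "risk-based model" mentioned above can be made concrete with a small expected-loss calculation. The Python below is an added illustration, not from the article or any insurer: it puts a dollar value on each loss scenario (single-loss expectancy times annual rate), then compares self-insuring against two constructed policies that differ in premium, per-incident deductible, cover limit and whether ransom payments are excluded. All scenario figures and policy terms are constructed sample values, and the model deliberately simplifies real policies (per-incident rather than aggregate limits, no sub-limits or waiting periods). It goes slightly beyond the text by also reporting the worst single-incident cost you would retain, since tail risk, not just the average, is what insurance is bought for.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    """One loss scenario in the risk register (all values are constructed samples)."""
    name: str
    single_loss: float          # expected cost of one incident (SLE), in dollars
    annual_rate: float          # expected incidents per year (ARO)
    ransom_share: float = 0.0   # fraction of single_loss that is a ransom payment

    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass
class Policy:
    """Simplified (hypothetical) cyber policy: per-incident deductible and limit,
    with an optional exclusion for ransom payments."""
    name: str
    premium: float
    deductible: float
    limit: float
    covers_ransom: bool = True

    def payout(self, s: Scenario) -> float:
        """What the insurer pays for one incident of scenario s."""
        covered = s.single_loss
        if not self.covers_ransom:
            covered -= s.single_loss * s.ransom_share   # ransom portion is excluded
        covered = max(0.0, covered - self.deductible)    # you pay the deductible first
        return min(covered, self.limit)                  # capped at the cover limit

    def retained(self, s: Scenario) -> float:
        """What the organisation still pays for one incident after the payout."""
        return s.single_loss - self.payout(s)


def self_insure_cost(scenarios: List[Scenario]) -> float:
    """Expected annual loss if you carry all the risk yourself."""
    return sum(s.ale() for s in scenarios)


def expected_annual_cost(policy: Policy, scenarios: List[Scenario]) -> float:
    """Premium plus the expected annual losses the policy leaves with you."""
    return policy.premium + sum(s.annual_rate * policy.retained(s) for s in scenarios)


def worst_case_retained(policy: Policy, scenarios: List[Scenario]) -> float:
    """Largest single-incident cost you would still bear under this policy."""
    return max(policy.retained(s) for s in scenarios)


def compare(policies: List[Policy], scenarios: List[Scenario]) -> Dict[str, Dict[str, float]]:
    """Expected annual cost and worst-case single incident for each option."""
    result = {"self-insure": {
        "expected": self_insure_cost(scenarios),
        "worst_single_incident": max(s.single_loss for s in scenarios)}}
    for p in policies:
        result[p.name] = {
            "expected": expected_annual_cost(p, scenarios),
            "worst_single_incident": worst_case_retained(p, scenarios)}
    return result


# Constructed risk register: numbers chosen for illustration only.
SCENARIOS = [
    Scenario("ransomware", single_loss=500_000, annual_rate=0.10, ransom_share=0.3),
    Scenario("data breach", single_loss=250_000, annual_rate=0.15),
    Scenario("business email compromise", single_loss=60_000, annual_rate=0.40),
]

# Two constructed policies: a comprehensive one and a cheaper one with a ransom exclusion.
POLICIES = [
    Policy("comprehensive", premium=45_000, deductible=25_000, limit=1_000_000),
    Policy("budget", premium=15_000, deductible=50_000, limit=250_000, covers_ransom=False),
]

if __name__ == "__main__":
    for option, figures in compare(POLICIES, SCENARIOS).items():
        print(f"{option:14s} expected ${figures['expected']:>10,.0f}/yr   "
              f"worst single incident ${figures['worst_single_incident']:>10,.0f}")
```

    With these sample figures the cheaper policy is only marginally more expensive than the comprehensive one on average, but leaves a single ransomware incident costing the organisation ten times more, which is exactly the kind of exclusion-driven gap the article warns about. Substituting your own scenario values is the point of the exercise.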

    3. Be aware that insurers are active players in cybersecurity

    Insurers aren’t simply passive adopters of risk. Many will interrogate your security situation before coming on board. They may undertake pen testing and port mapping to assess vulnerabilities, run through your incident response and report on threats specific to your sector. Some may be able to prevent attacks escalating by analysing threats and sharing data, or take the lead on ransom negotiation or customer outreach.

    4. Manage risk via a hybrid approach where appropriate

    Different levels of insurance may suit different companies. Adopting lower cover and managing your risk through better defences, or using “captive” insurers (in-house insurance companies that are part of the same corporation) may offer a better way to manage premiums while reserving insurance for when you really need it.

    Choosing a cyber insurer, then, isn’t just about comparing prices: it’s about going into a partnership. And as ever, it’s worth making very sure you understand the limitations and opportunities involved before you sign on the dotted line. 

    As ransomware ramps up, cyber insurance is becoming a must-have

    No company should view cyber insurance as a replacement for basic security measures, and as ransomware threats rise, organisations must take at least some responsibility for their security posture. And while you should be mindful of rising premiums and policy exclusions, cyber insurance should be an integral component of your security strategy. Over a long enough timeline, everyone will get breached at some point. Cyber insurance offers protection if the worst-case scenario hits, and the right partner can be a vital ally in the long, lonely battle against the cyber villains. 
