Why businesses must carefully assess their cyber insurance options
Faced with an increasing risk of attacks against their critical business IT network operations, a growing number of Australian businesses are evaluating the benefits of cyber insurance. Murray Mills (Tecala) and Kris Ekeberg (Austbrokers Corporate) outline some of the key considerations.
Designed to help victims overcome the disruption and expense of an attack, cyber insurance policies have become a key component of many cyber security strategies. They help a business get back on its feet and resume normal operations as quickly as possible.
The importance of cyber policies has been highlighted by recent high-profile attacks such as those mounted against Optus, Medibank Private, Telstra and Woolworths in 2022. These incidents demonstrated that even organisations with sophisticated security measures in place can still fall victim to motivated criminals.
Interestingly, despite the increased interest in cyber insurance, its penetration in the business sector is still relatively low. It currently represents only around 4 per cent of the overall international Lloyd’s insurance market and less than 1 per cent of the US market. In Australia, cyber insurance is only 0.4 per cent of the total national market.
Assess the level of risk
Before opting to purchase a cyber insurance policy, a business should take time to carefully assess its current level of cyber risk. This involves a thorough review of core IT systems, applications, stored data and business processes.
This step matters because it allows the cover offered by any potential policy to be evaluated against the risks actually being faced. For example, a business that collects and stores a large volume of personal data may need a higher level of cover than one that presents a less enticing target for attackers.
Businesses also need to remember that they are unlikely to obtain cover that reimburses all expenses associated with an attack. Only some insurers, for example, will agree to contribute to the cost of necessary IT system improvements, even though these are often an important remedial action following a breach.
The coverage on offer needs to be assessed against the likely cost of an attack. Industry research shows an attack typically costs a small or mid-sized business between $50,000 and $80,000. Multiply this amount by the number of businesses being successfully hit every day, and it is easy to see how this exposure is punishing insurer balance sheets.
Compare insurance options
For these reasons, it’s important that a business carefully assesses the options available on the market before selecting an appropriate cyber insurance policy. Offerings vary significantly in terms of exactly what is covered and the amount of financial compensation that will be paid.
Since the surge in ransomware that began in 2020, some insurance companies have stopped writing new cyber insurance policies, while others are backing out of the cyber insurance category altogether. Those still in the market have reduced the maximum cover levels on offer and increased excess amounts.
Businesses should also take the time to understand how they would deal with and recover from a cyber intrusion. Do they have a cyber crisis and business continuity plan in place that covers a breach event? Does this plan consider the availability of technical expertise, whether in-house, through a managed security service provider, or via the cyber insurer, who may facilitate access to experts to guide the business through recovery? Has the plan ever been tested?
These experts should be able to swing into action within hours of a breach, mitigating the immediate threat and determining the full extent of the intrusion and the damage. As well as overcoming the initial disruption, this is important to ensure that no gaps are left that could provide an ‘open door’ for follow-up attacks.
Key steps to follow
When evaluating and procuring a suitable cyber insurance policy, there are some important steps a business should undertake. These include the following.
Seek advice from an expert
A worthwhile initial step is to obtain advice from a knowledgeable insurance broker. They will be able to provide guidance on what options exist and which will be the best fit for your business requirements.
Assess security requirements
Insurance companies will have a comprehensive set of security preparedness requirements that any insured must meet. These spell out exactly what measures need to be in place, and how they are managed, to reduce the risk of attack.
Work with your IT partner
A business should share the insurer's list of security requirements with its chosen IT partner. The partner will be able to critically assess what is already in place and what needs to be improved to achieve compliance and secure the business.
The list of requirements provided by an insurer may be lengthy, depending on the size and nature of the business; however, some common items are:
- Firewalls and Intrusion Prevention Systems
- Endpoint Protection and Response capabilities
- Email Security
- Strong passwords, robust authentication and multi-factor authentication (MFA)
- Tools to complete regular software and hardware patching and to audit compliance with these updates
- Data backup and recovery
- Cyber security training for all employees
- Incident response planning and testing
- Regular Penetration Testing and Vulnerability Management
- Security information and event management (SIEM)
Avoid misunderstandings
As with any insurance policy, it is vital for a business to know all the compliance details. The business needs to ensure its security measures match the policy requirements so that cover is upheld should it be needed. This goes beyond full disclosure during the application process: the required controls must be maintained throughout the life of the policy, because a control that has lapsed by the time of a claim, or one that was misrepresented on the application, can give the insurer grounds to reduce or deny the payout.
For all businesses, cyber insurance must always be viewed as a last resort rather than a first line of defence. It is designed to augment security measures and processes rather than replace them.
By carefully assessing existing security elements – and working with a specialist to enhance them where required – businesses can be better placed to ward off any attacks that might be attempted. An insurance policy, therefore, becomes a layer of final protection should these security steps fail.
With cybersecurity threats showing no sign of abating, and indeed all the signs of increasing, businesses need to understand the role of insurance and how it can complement their existing security strategies. This will ensure they are both well protected and able to respond should a breach incident occur.