The best insurance strategy is to invest in strong cybersecurity while keeping external insurers vested in providing coverage for incident response.

When you buy car insurance, you do so on the promise that you will demonstrate good behavior.

If you broke the speed limit, never had your brakes or tires checked, or left your car unlocked overnight, you would not expect your car insurer to pay out.

There is a mutual, legal pact between you and your insurer. You take responsibility for your car's safety and your own actions, and they pay out when bad things happen that you could not have foreseen, prevented, or mitigated.

The same principle applies with cyber insurance. As an organization, you are 100% responsible for your own cybersecurity, and the insurance providers are there in the event of the unthinkable and unpreventable. For some businesses, especially small and medium-sized enterprises, having cyber insurance could mean the difference between staying open and going bust.

However, as the volume of cyberattacks increases, insurance coverage is becoming harder to get. That is because the financial losses from a breach have grown out of proportion to the premiums that insurers charge.

Navigating the cyber insurance landscape

According to various sources, the global average cost of a data breach in 2023 is US$4.45m, 15% more than in 2020. Recent high-profile incidents, including a ransomware attack on MGM and other resorts, suggest there may be a causal link between being cyber insured and getting attacked, with attackers using exfiltrated cyber insurance policies to set their ransom demands at the level they know the policy will pay.

Meanwhile, insurance premiums continue to soar, and insurers have become increasingly cautious about the risks they take on. The rise in premiums is compounded by insurers questioning whether even those higher premiums adequately cover the risk that cyber threats now represent.

To offset pay-outs, some insurers have taken steps to exclude certain costs. For example, Lloyd's of London announced last year that its syndicates would no longer cover state-sponsored attacks in their cyber insurance policies, because such cover "exposes the market to systemic risks that syndicates could struggle to manage".

You may wonder, then, what your cyber insurance actually covers.

    • Would you get compensation for losses as the result of an employee clicking on a phishing email?
    • Would your provider honor a pay-out if you voluntarily pay a ransomware demand? This could become a live issue as countries such as Australia and the United States consider banning ransomware payments.

A typical cyber insurance policy mostly covers the incident response (IR), forensic investigation and recovery costs associated with an attack. Most businesses are happy to insure on this basis: the cost of that investigation alone could hurt cash flow, and they know the full cost of a data breach would be higher still. However, many have not considered the wider financial impact, such as loss of market share and the effect that has on share price.

When an insurer covers the investigation and recovery following an attack, it may bring in its own approved legal and IR teams, whose brief is to determine which of the losses the policy covers and what that will cost. They are not there to run the IR in a way that encompasses all the potential business risks mentioned above.

On the regulatory side, penalties for data breaches are also increasing, which may make some organizations look immediately to cyber insurance to help cover those costs. However, it is unlikely that any underwriter will include regulatory fines. Those fall into the realm of legal counsel and law firms, which means the IR and investigation will need to be prompt and accurate, and the findings defensible in a legal hearing.

The way forward

The details of what is and is not covered by a policy will largely depend on the insurance provider, but across the board you should expect underwriters to take a thorough look into your security practices.

They need confirmation that you have implemented preventative measures to mitigate risk and stop an attack from happening in the first place. They will check everything from email security, multi-factor authentication status and backup procedures to endpoint protection, encryption, firewalls, and user awareness.

In the long term, the viability of the cyber insurance business is still up for debate, but prevention is the most effective way to supplement cyber insurance rather than rely on it to survive an incident. In reality, the best insurance any organization has is to be proactive in putting the tools, processes and people in place to do everything possible to avoid a breach.