
Cyber insurance is not just becoming increasingly common, it is also becoming a requirement for many suppliers/vendors.
There’s little doubt cyber incidents can be extremely expensive. Just months ago, cyber criminals demanded a ransom payment of $5 million from HWL Ebsworth (which the firm declined to pay). And while the firm ‘saved’ $5 million by not paying the ransom, the likely costs of the breach – including recovering compromised systems, dealing with regulators, managing reputational harm and lost clients – are going to be far greater in the long run. It’s been reported that last year’s Medibank data breach cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million.
With the costs of cyber incidents growing each year, cyber insurance is being considered by more organisations than ever. But is it worth it?
(Before we delve in, we are not insurance brokers and do not have a complete picture of the cyber liability insurance products available in Australia or elsewhere in the world or the appropriateness of these products for your unique circumstances. This article is not intended to be advice about the suitability of any insurance product – instead, we’re looking at some of the things organisations should consider before purchasing cyber insurance).
First of all – what is cyber insurance? Fundamentally cyber insurance provides financial coverage for the costs and losses involved with a cyber incident. Coverage is often limited to specified direct costs, and subject to conditions. This is where care must be taken.
While all insurance products differ by provider, the range of assistance provided under a cyber policy might include coverage for:
Where the data breach is due to the malicious acts of a foreign government actor or criminal gang, coverage may also include costs related to:
However, cyber insurance usually won’t cover loss of intellectual property or the reputational harm that may result from a cyber event. It is also unlikely to cover damages or penalties payable to your clients for breaching Service Level Agreements or contractual provisions.
Where did cyber insurance come from?
Cyber insurance products first developed in the United States in the late 1990s. The US still accounts for about 90% of the global cyber insurance market.
In Australia, standalone cyber insurance is not, as yet, a well-known or understood insurance product. According to the Insurance Council of Australia, only about 20% of SMEs and 35-70% of larger businesses in Australia have standalone cyber insurance.
This leads to some real issues for cyber insurance in Australia: there are only a small number of insurance providers offering a cyber insurance product in Australia and, because of the limited uptake, a small premium pool (which impacts the development and maturity of the available product). This means there is limited data on cyber risk in Australia and few insurers with the resources to respond to incidents.
The Insurance Council of Australia has highlighted these issues which put significant pressure on insurers and businesses alike and released a paper calling for cyber policy reforms (including greater data sharing about cyber incidents).
Cyber liability insurance isn’t going to be worth it for every organisation. Like with any insurance, the value stems from the policy helping manage a risk that may otherwise be untenable.
For some organisations, their risk of a digital data breach might be low enough that cyber liability insurance isn’t worth it (particularly with sky-rocketing premiums). This is more likely for organisations that do not collect or store ‘risky’ personal information (like credit card numbers, health information, biometric information, or images of personal documents like passports or licences).
Cyber insurance can be expensive – and for some organisations, that money may be better spent on other priorities, like training, infrastructure, new team members, or better third-party service providers.
Before purchasing a cyber insurance policy, it’s worth considering what that money could otherwise be spent on and whether that spending might more adequately address higher priority risks your organisation is facing. As with anything else, cyber insurance comes with an opportunity cost.
For some, the ‘crutch’ of insurance can inadvertently foster complacency or, worse, bad habits. Perhaps your organisation would previously have avoided collecting the physical address of your customers – but now, it might seem worth the risk. Or, perhaps you would have invested in employee privacy training but you’re choosing to now forego it.
Given that there is a risk your insurer will not extend coverage following a cyber incident, it’s worth monitoring your privacy and security programs continually – not just in the context of your insurance policy.
Insurers define breaches differently. It’s important to carefully consider the policy wording before purchasing a cyber insurance product to see whether it covers the risks you anticipate.
Some questions to ask include:
Many policies only cover breaches that happen after the policy date. However, data breaches can take a long time to uncover:

Depending on your risk profile, it may be worthwhile engaging a security firm to thoroughly vet your systems to check for breaches prior to the effective date of your policy.
If you have cyber insurance and experience a breach, your insurance policy may include terms that allow your insurer to dictate your response. For instance, the insurer may have a panel of law firms, cybersecurity consultants, PR firms, or other professional services providers that you may be required to use.
They may also make decisions about paying a ransom – something that your organisation may want to be more involved in.
This isn’t necessarily a bad thing – but it is something to watch out for if you would prefer to use providers you have existing relationships with.
Privacy 108 offers a comprehensive suite of privacy legal and consulting services, delivered by our team of privacy and security experts, to help establish or improve your data breach preparedness capability and ensure your team is equipped to respond quickly and effectively to a data breach.
Breaches in security can happen and, in our experience, it is often the way that a breach is handled that has the most long-term impact, rather than the breach itself.
Wherever you are on your data breach path, we can provide the advice, support, implementation, improvement and testing assistance you need.
Our data breach management services include: