Cyber Insurance – Is It Worth It?
Cyber insurance is not just becoming increasingly common, it is also becoming a requirement for many suppliers/vendors.
There’s little doubt cyber incidents can be extremely expensive. Just months ago, cyber criminals demanded a ransom payment of $5 million from HWL Ebsworth (which the firm declined to pay). And while the firm ‘saved’ $5 million by not paying the ransom, the likely costs of the breach – including recovering compromised systems, dealing with regulators, managing reputational harm and lost clients – are going to be far greater in the long run. It’s been reported that last year’s Medibank data breach cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million.
With the costs of cyber incidents growing each year, cyber insurance is being considered by more organisations than ever. But is it worth it?
(Before we delve in, we are not insurance brokers and do not have a complete picture of the cyber liability insurance products available in Australia or elsewhere in the world or the appropriateness of these products for your unique circumstances. This article is not intended to be advice about the suitability of any insurance product – instead, we’re looking at some of the things organisations should consider before purchasing cyber insurance).
What is Cyber Insurance?
First of all – what is cyber insurance? Fundamentally cyber insurance provides financial coverage for the costs and losses involved with a cyber incident. Coverage is often limited to specified direct costs, and subject to conditions. This is where care must be taken.
While all insurance products differ by provider, the range of assistance provided under a cyber policy might include overage for:
- forensic investigation
- data restoration
- customer notification and rectification eg engaging call centres, and
- indemnification of penalties imposed by government regulators.
Where the data breach is due to the malicious acts of a foreign government actor or criminal gang coverage may also include costs related to:
- the services of a negotiator
- legal advice to determine if any ransom payment is legal or reportable, and
- indemnification of the ransom the business decides to pay.
However, cyber insurance usually won’t cover loss of intellectual property or the reputational harm that may result from a cyber event. It is also unlikely to cover damages or penalties payable to your clients for breaching Service Level Agreements or contractual provisions.
Cyber Insurance in Australia
Where did cyber insurance come from?
Cyber insurance products first developed in the United States in the late 1990s. US still accounts for about 90% of the global cyber insurance market.
In Australia, standalone cyber insurance is not, as yet, a well-known or understood insurance product According to the Insurance Council of Australia, only about 20% of SMEs and 35-70% of larger businesses in Australia have standalone cyber insurance.
this leads to some real issues for cyber insurance has some issues in Australia: there is only a small number of insurance providers offering a cyber insurance product in Australia and, because of the limited uptake, a small premium pool (which impacts the development and maturity of the available product). This means there is limited data on cyber risk in Australia and limited insurers with the resources to respond to incidents.
The Insurance Council of Australia has highlighted these issues which put significant pressure on insurers and businesses alike and released a paper calling for cyber policy reforms (including greater data sharing about cyber incidents).
Is Cyber Liability Insurance Worth It? 3 Things to Consider
What is your risk?
Cyber liability insurance isn’t going to be worth it for every organisation. Like with any insurance, the value stems from the policy helping manage a risk that may otherwise be untenable.
For some organisations, their risk of a digital data breach might be low enough that cyber liability insurance isn’t worth it (particularly with sky-rocketing premiums). This is more likely for organisations that do not collect or store ‘risky’ personal information (like credit card numbers, health information, biometric information, or images of personal documents like passports or licences).
What’s The ‘True Cost’ of the Insurance Policy?
Cyber insurance can be expensive – and for some organisations, that money may be better spent on other priorities, like training, infrastructure, new team members, or better third-party service providers.
Before purchasing a cyber insurance policy, it’s worth considering what that money could otherwise be spent on and whether that spending might more adequately address higher priority risks your organisation is facing. As with anything else, cyber insurance comes with an opportunity cost.
Will Cyber Insurance Foster Bad Habits in Your Organisation?
For some, the ‘crutch’ of insurance can inadvertently foster complacency or, worse, bad habits. Perhaps your organisation would previously have avoided collecting the physical address of your customers – but now, it might seem worth the risk. Or, perhaps you would have invested in employee privacy training but you’re choosing to now forego it.
Given that there is a risk your insurer will not extend coverage following a cyber incident, it’s worth monitoring your privacy and security programs continually – not just in the context of your insurance policy.
3 Things to Watch Out For
The Definition of a ‘Breach’
Insurers define breaches differently. It’s important to carefully consider the policy wording before purchasing a cyber insurance product to see whether it covers the risks you anticipate.
Some questions to ask include:
- Does it include insider threat coverage?
- Is unauthorized access a breach?
- What about employee mistakes?
- Does it only cover first party loss (i.e. costs incurred directly by the business) or third-party loss as well (e.g. customer losses that your business may be liable for)?
Many policies only cover breaches that happen after the policy date. However, data breaches can take a long time to uncover:
Depending on your risk profile, it may be worthwhile engaging a security firm to thoroughly vet your systems to check for breaches prior to the effective date of your policy.
Your Insurer May Dictate Your Response
If you have cyber insurance and experience a breach, your insurance policy may include terms that allow your insurer to dictate your response. For instance, the insurer may have a panel of law firms, cybersecurity consultants, PR firms, or other professional services providers that you may be required to use.
They may also make decisions about paying a ransom – something that your organisation may want to be more involved in.
This isn’t necessarily a bad thing – but it is something to watch out for if you would prefer to use providers you have existing relationships with.
Data Breach Management with Privacy 108
Privacy 108 offers a comprehensive suite of privacy legal and consulting services, delivered by our team of privacy and security experts, to help establish or improve your data breach preparedness capability and ensure your team is equipped to respond quickly and effectively to a data breach.
Breaches in security can happen and, in our experience, it is often the way that a breach is handled that has the most long-term impact, rather than the breach itself.
Wherever you are on your data breach path, we can provide the advice, support, implementation, improvement and testing assistance you need.
Our data breach management services include:
- Developing an information security incident response capability;
- Preparing a data breach response plan;
- Testing and training staff in your incident response;
- Participating as legal advisers and/or privacy experts as part of your data breach/incident response team;
- Keeping you up-to-date with new or changing data breach notification obligations;
- Providing a legal opinion on your data breach notification obligations;
- Participating in or leading the post-incident review process.