Recent highly publicised cyberattacks in Australia, coupled with increasing regulatory obligations, are keeping security and risk top of mind for boards and the C-suite.

As the frequency and cost of cybersecurity incidents continue to rise, there is renewed interest in cybersecurity insurance. While it does not make organisations more secure, it can be an important part of a comprehensive cybersecurity program.
One of the major challenges for cybersecurity insurance is that most policies are complex and filled with exceptions. That makes it difficult for organisations to understand cybersecurity insurance’s intended role, the costs associated with it and the limitations inherent in the coverage.
As a consequence, there is significant underinsurance in Australia for cyber risk. In 2023, the Insurance Council of Australia (ICA) reported that only about 20 percent of SMEs and between 35 and 70 percent of larger businesses have standalone cybersecurity insurance.
Cybersecurity insurance is designed to offset recovery costs that an organisation would have to pay in the event of a security incident. It can also offset a variety of non-IT business costs associated with a cyberattack, such as reputational damage and legal fees.
Another qualitative benefit often provided by cybersecurity insurance is access to experts who can augment your existing team or improve your ability to respond and recover.
Your insurance provider will potentially give you access to expertise in incident response or forensic services; planning, response and recovery strategies; or legal, PR and law enforcement fields.
What is and isn’t covered
There is often a disconnect between client expectations and insurer coverage in terms of what types of incidents are covered and which ones are excluded.
The reality is that some items that clients expect to be covered, such as regulatory fines, funds transfer fraud and intellectual property (IP) theft, may not be covered under all policies.
The key take-away here is to understand in detail what is not covered by your policy. Consider asking a series of questions to understand the exact limitations of coverage.
These questions should include a range of hypothetical, “what if” situations covering specific scenarios or technical conditions.
The goal in this line of questioning is to completely understand where there may be gaps. You can then decide to either accept that level of risk or put in other controls to minimise or prevent it from being exploited.
It’s not a replacement for immature security programs
Cybersecurity insurance is risk transference. It doesn’t replace the need for your organisation to invest in an appropriate security program of controls. It is a purely reactive measure that funds incident response; it does not negate the need for investment in prevention and recovery.
If you don’t have a good security program, you should invest first in a good program, before seeking insurance. Insurers have been known to deem organisations uninsurable due to a lack of minimally acceptable security controls.
Engage with relevant business stakeholders
To ensure adequate coverage and fully address business risk, you will need input from various groups within the organisation. Reach out to other stakeholders, including compliance, legal, risk and finance.
You will be asked to make representations about your organisation’s cybersecurity capabilities as part of the process.
Be prepared with audit, compliance and pen test reports; existing policies; governance; awareness training success; and third-party risk management processes. If your representations are found to be inaccurate after a breach, the insurance company may deny your claim.
Meet with your insurer
Be prepared to discuss your organisation’s security roadmap and the improvements you are implementing. This adds clarity and colour to the simple “yes/no” answers in a questionnaire.
Insurers will want to know what you’re doing to improve your security posture, as well as what you are doing to remediate any deficiencies or vulnerabilities identified in prior audits or assessments. Providing this added level of detail may have an impact on your premium.
Give yourself adequate time
Don’t rush the process. Policy purchases or renewal activities should commence 90 to 120 days ahead of the active date. This will provide you with adequate time to collect multiple quotes and make an informed decision.
Align your incident response plan with insurer expectations
Your insurance provider will set specific conditions that must be met during an active incident for your organisation to remain compliant with its policy. Make sure these conditions are addressed in your incident response plan and acted on in accordance with the policy requirements, so that a claim is not denied on procedural grounds.
Some insurance providers offer incident response services as part of their policies. These can be valuable, time-saving resources during a security incident.
However, you need to fully understand their scope of work and what information they might share with the insurance provider, as it may also negatively impact any claim settlement.
If you do plan to use the insurance provider’s services, make sure to update your incident response plan with the appropriate contact information for the approved incident response and forensic services organisations that will be used.
Paul Furtado is a VP analyst at Gartner, responsible for providing insights into cybersecurity trends, threats, prevention and governance.