Unravelling Cyber Security Insurance

20 February 2024

Cyber security insurance has become an important part of how Australian organisations manage cyber risk. The recent proliferation of attacks, including those involving ransomware, has elevated the role that cyber security plays in overall organisational resilience. The insurance market is, however, a complex environment that should be navigated with caution and prudence.

Insurance market research
Delinea, a vendor of Privileged Access Management (PAM) solutions for the modern hybrid enterprise, has polled companies to understand the challenges they face when acquiring cyber security insurance. Delinea specialises in authorisation for all identities, controlling access to an organisation's cloud infrastructure and sensitive data to reduce risk, support compliance and simplify security. Because many of the controls insurers ask for fall within PAM, Delinea is well placed to comment on the market.

Qualifying for cyber insurance
Insurance companies are not automatically obliged to cover your organisation. Prospective clients need to demonstrate strong internal security before an insurer will offer a policy. Detailed questionnaires will need to be completed, but still may not be sufficient for an insurer to accept your risk. Questions will cover the scope of your IT systems, including their functionality, dependencies, sensitive data, and security controls.

Polling of insured companies reveals that more than half were required to conduct an external evaluation, with 55% calling in a cyber security provider. Given the risks involved, many insurers will need to be convinced that a thorough examination or assessment has been conducted before putting pen to paper. A reputable external security provider should also be able to make cost-effective recommendations that will improve your chances of acquiring coverage and ultimately lower your insurance premiums. 

The essential cyber security tools to have in place before applying for insurance
Cyber insurance policies typically require a range of security controls to be in place to mitigate risk. Requirements vary from one policy and insurer to the next, but since many cyber-attacks involve stolen or misused credentials, identity and access controls are the logical starting point. Insurers are likely to demand controls that prevent credential theft and that contain an attacker after a compromise.

Most poll respondents invested in security tools to meet insurance requirements, with 96% purchasing more than one such solution before a policy could be signed. Topping the list of recommended solutions are:

  • Identity and Access Management
  • Access controls / Privileged Access Management
  • Multi-Factor Authentication
  • Password vault, complexity and rotation
  • Privileged session monitoring and recording
  • Disaster recovery

Common post-incident expenses that may not be covered
Should you fall victim to a cyber-attack, your organisation must be prepared to take responsibility for the consequences, including any damage to third parties such as suppliers. You can expect a litany of expenses to get back on track, only some of which may be covered by insurance. The expense most commonly recouped is data recovery, although the term can mean different things to different insurers.

If business data is being held to ransom, some insurers reserve the right to decide whether or not to pay the ransom, regardless of the client's preference. Almost half of the companies polled were confident that their policy covered at least a portion of incident response expenses, which can include work by internal teams or third-party providers such as forensic investigation, public relations and crisis communications.

Expenses that are the least likely to be covered by insurance policies include lost revenue, government fines, legal fees, and ransomware payments.

Typical mistakes that may nullify your policy
As the cyber security insurance market matures, carriers are increasingly focused on evaluating an organisation's ability to mitigate risk. Post-incident investigation procedures have also become much more stringent, and any internal data management that does not meet best practice may reduce your payout. If those failings are found to have caused the attack, coverage may be voided altogether. The following conditions may void your policy.

  • Internal bad actors: Employee behaviour such as illegal or unauthorised activity that compromises data may lead to a claim being denied.
  • Human error: If an incident is shown to have been caused or exacerbated by misconfiguration or by failure to remediate known vulnerabilities, the insurer may be able to deny the claim.
  • Acts of war or acts of terrorism: This is a legal grey area, with court cases currently under way to clarify where responsibility lies. Insurers may argue that an attack attributable to an act of war or terrorism falls outside the policy and limits their liability.
  • Misrepresentation during the application: Evidence of non-disclosure or misrepresentation of material information during the application process may lead the insurer to deny coverage later.
  • Not reporting: If an organisation fails to notify its insurer of an incident within the agreed reporting period, or provides incomplete information, the claim may be denied.

The cyber security insurance market is still maturing rapidly, and the dynamic nature of the cyber threat landscape adds layers of complexity to every agreement. Organisations are advised to conduct thorough internal security reviews, seek external assistance where required, bolster their defences, read and understand the fine print, and remember that insurance does not equal protection. Policies will change from one year to the next, insurers will investigate extensively before making a payout, and internal failings may void your policy.

For more information about cyber insurance, contact Intalock today.
