Cyber insurance and managing risk: What boards need to know

Tuesday, 22 August 2023

Win-Li Toh
Taylor Fry actuary and principal

    Following a tumultuous year of cyber incidents in Australia, boards are rightfully concerned about the risks posed by cyber incidents.

    In the Australasian region, cyber-related risks took up five out of the top seven risks concerning directors, according to global insurance broker WTW in its 2023 Directors’ and Officers’ Liability Survey.

    Given directors’ familiarity with the role of insurance in risk transfer for other critical business risks, a logical question for directors to be asking is – how does cyber insurance fit into our overall risk strategy?

    Can my organisation even get cyber insurance in the first place?

    Unlike many other types of insurance, the prerequisites to obtain cyber insurance are significant. Insurers typically conduct comprehensive risk and maturity reviews of the cybersecurity readiness of an organisation before offering quotes.

    These can run into scores of questions, including on cyber controls, the nature and amount of sensitive data held, the policy and procedures an organisation has in place and the physical security of the organisation.

    If organisations are unable to meet minimum standards, it may be that they are not able to get coverage at all. Key questions for directors to ask at the start of their cyber insurance journey are – what is our level of cyber maturity and is it sufficient to be considered for coverage? If not, what does our organisation need to do to be cyber-insurance ready?

    What does cyber insurance actually cover?

    Cyber insurance is a relatively new product, so it pays to be aware of what types of losses are covered by the policy. Typically, a cyber insurance policy will cover:

    • First-party losses – These include costs arising from the loss of or damage to data, content-related claims relating to data, investigation and remediation costs, public relations costs, liability for denial of service from, or denial of access to, electronically provided data, and cyber extortion reimbursement costs.
    • Third-party losses – These include fines and penalties imposed by regulators and compensation to third parties for failure to protect their data.

    The nature and limits of cover will vary by insurer. Boards should ask management if there are other critical costs their organisation would face in the event of an incident that aren’t included in a typical cyber policy – and how they might pre-empt or alleviate them. For example, some losses that are commonly not covered by a cyber insurance policy are: loss of revenue associated with reputational damage and loss of company value due to intellectual property theft.

    In the event of an incident, does the insurer become a ‘shadow’ director?

    This is a commonly held misconception. Insurers don’t have the power to take over management of the incident against the wishes of the organisation’s management and board. As with other classes of insurance, the organisation is required to keep the insurer updated and involved in the claim.

    Does purchasing cyber insurance make sense for my organisation?

    There isn’t a ‘one size fits all’ answer to the question of whether it makes sense to purchase cyber insurance. It requires careful thinking and is highly dependent on the specific nature, complexity and budget of each organisation.

    The first step is to understand your exposure, which can be confusing and complex. One approach – cyber scenario quantification – is helping organisations gain clarity by better exploring 1) whether it makes sense to purchase insurance or whether it might make more sense to self-insure, 2) what policy limits make sense for an organisation’s size and level of complexity, and 3) what types and quantum of losses would not be covered by a particular policy. Cyber scenario quantification involves:

    • Developing several plausible cyber scenarios (tailored to your organisation’s key threats and cyber security maturity)
    • Working through the financial impact of each of these scenarios, with and without cyber insurance, projecting over a period of at least a couple of years (IBM research reveals 18 per cent of the cost of a data breach occurs after two-plus years post breach).

    It is also important to know that a cyber insurance policy will often offer access to specialist support services. These can include crisis communication support, IT forensics and remediation, and legal and regulatory support.

    If we purchase cyber insurance, can we ‘set and forget’?

    Unfortunately, the ever-changing nature of cyber risk means an organisation will need to continually reassess how effective cyber insurance is in its overall cyber risk management approach. Some prudent questions to ask management include:

    • What are we doing to manage the residual risk – the categories of losses our policy won’t cover?
    • What are we doing to prepare for next year’s insurance renewal process (is there anything the insurer has mentioned that needs to be remedied within a certain timeframe)?
    • Has the external landscape or our business fundamentals changed significantly since the last renewal and does the level of coverage and/or policy limits still make sense for our business?

    The information on cyber insurance in this article is intended as general knowledge. Speak to your insurance broker for further assistance on the terms and conditions of your insurance policy.

    Win-Li Toh

    Win-Li Toh is an actuary and Principal at independent consulting actuarial firm Taylor Fry. She is also the Vice-President of the Actuaries Institute and the author of the Actuaries Institute Green Paper ‘Cyber Risk and the Role of Insurance’.
