Cyber Insurance: Is Your Policy Really Protecting You?

In today’s cyber landscape, a data breach isn’t a matter of “if,” but “when.” In response, a growing number of Australian and New Zealand businesses are turning to cyber insurance as a crucial safety net. It can provide financial support for everything from incident response costs to legal fees and business interruption.

However, a cyber insurance policy is not a replacement for a robust cybersecurity strategy. In fact, many policies now require a certain level of security maturity before they will even offer coverage or pay out on a claim.

At Orro, we believe that understanding your cyber insurance policy is a two-part process: knowing what it covers, and, just as importantly, understanding what it doesn’t.

What Cyber Insurance Generally Covers

Most cyber insurance policies are designed to cover both “first-party” and “third-party” losses, offering a financial backstop in the event of a cyber incident.

  • First-Party Costs (Your Business’s Losses):
    • Incident Response & Forensic Investigation: The cost of hiring a cybersecurity firm to investigate the breach, contain the threat, and identify the root cause.
    • Data Recovery: Costs to restore corrupted or lost data and rebuild affected systems.
    • Business Interruption: Reimbursement for lost profits and extra expenses incurred during a period of network downtime following an attack.
    • Cyber Extortion: The cost of paying a ransom demand (where insurable) and professional negotiation fees.
  • Third-Party Costs (Liability to Others):
    • Legal Fees: Costs associated with defending a lawsuit brought by a customer or partner affected by the breach.
    • Regulatory Fines: In some cases, coverage for fines and penalties from regulators like the Office of the Australian Information Commissioner (OAIC).
    • Notification Costs: The expense of notifying affected individuals under the Notifiable Data Breaches (NDB) scheme, including credit monitoring services.

The Hidden Dangers: What Your Policy May Not Cover

Simply having a policy is not a guaranteed shield. Insurers are becoming more specific about their requirements and exclusions. A common phrase is “we insure for a cyber incident, not a lack of cyber security.”

Here are some of the critical areas where policies may not protect you:

1. The Security Requirements Clause

Many insurers now require businesses to have foundational security controls in place to qualify for coverage. This is often based on frameworks like the ACSC’s Essential Eight. Without these basics—such as Multi-Factor Authentication (MFA) on all key accounts—your claim could be denied.

Case in Point: We’ve seen an instance where an Australian SMB was a victim of a sophisticated business email compromise (BEC) scam. The company submitted a claim to its insurer, but because the business had not implemented MFA for its key email accounts as required by the policy, the claim was denied. The financial loss was devastating.

2. Exclusions for Specific Threats

Some policies may contain exclusions for specific types of attacks, such as those related to critical infrastructure, acts of war, or state-sponsored cyberterrorism. It’s vital to read the fine print and understand the geopolitical landscape of cyber threats.

3. The ‘Human Error’ Blind Spot

While some policies may cover losses from negligence, they may not cover all forms of human error, especially if it’s tied to a failure to follow clear company policy. This is why employee training is non-negotiable.

The Orro Approach: Technology & Insurance in Partnership

At Orro, we believe that the ideal approach to cyber risk is a holistic one. Cyber insurance should be a part of your strategy, not the entire strategy.

We work with businesses to help them understand and manage their cyber risk profile from the ground up, making them a more attractive client for insurers and, most importantly, more resilient against a real-world attack.

Our services can help you:

  • Become “Insurable”: Our Security Maturity Assessment helps you identify and close security gaps, ensuring you meet the baseline requirements of many cyber insurance policies.
  • Prevent Claims: By implementing foundational controls like the ACSC’s Essential Eight and providing comprehensive Security Awareness Training, we help you reduce the likelihood of a successful cyberattack in the first place.
  • Respond Effectively: In the event of a breach, Orro’s Incident Response Team is your first call. We provide the expert investigation, containment, and recovery services that your insurer will require to process your claim, ensuring a smooth and rapid response.

Cyber insurance offers a valuable financial safety net. But to truly protect your business, you need a proactive partner who can help you build the robust defences that ensure your policy will be there when you need it most.

Contact Orro today for a consultation on your cyber risk profile and how our services can strengthen your position with insurers.
