Is cyber insurance the missing link in your cyber security plans?
Understanding the role of cyber insurance in helping you prevent, respond to and recover from cyber incidents
As risks increase and the ramifications from cyber incidents become more severe, insurance is becoming an essential piece in the cyber security puzzle.
At Truis, we’ve partnered with leading incident response firm Clyde & Co to support our clients to improve cyber incident readiness and resilience. We asked Clyde & Co partner Reece Corbett-Wilkins to share his insights on how cyber insurance helps to protect against the consequences of cyber-attack incidents, and why it’s important to look at it as separate from your typical insurance policies.
When is the right time for an organisation to look into cyber insurance?
“Businesses in Australia are significantly uninsured, and under-insured, with only around 15% holding cyber insurance—this figure should be closer to 50%.”
“Obviously seek your own advice from a broker. But from my perspective in dealing with hundreds of cyber incidents a year and seeing the true costs of cyber losses, you should be looking at cyber insurance now. Buy it now. It’s never been cheaper, the terms on offer have never been wider, and the price has never been more effective.”
When evaluating the investment, it’s important to appreciate that unlike traditional insurance policies, cyber insurance isn’t just a promise to pay in the event of an incident—it also provides cover for your losses and liabilities associated with events, as well as hands-on support.
“Look at it as a promise to respond,” Reece explains. “Cyber insurance is like a retainer service, where you have 24/7 access to all these cyber response experts, ourselves included, with insurance on top to cover the losses that aren’t attributable to incident response—business interruption, financial crime, and privacy liability.
Some policies are even looking towards property damage tied to a cyber event—covering your digital and physical assets. It’s a fast-evolving product to keep up with the nature and impact that incidents are having on the economy.”
What level of cyber insurance is sufficient for most SMEs?
While Reece is quick to emphasise the importance of working with your broker to utilise their risk quantification strategies, he does have some general guidance on assessing your risk exposure.
“Organisations aren’t placing enough emphasis on understanding the cost of not just the incident response component, but the liability component of a breach,” he says.
“Over the next two years, there’s going to be increased regulatory scrutiny from multiple regulators, including the Privacy Commissioner. We know there’s going to be class actions, with the tort of serious invasion of privacy about to be introduced. The fines and penalties have been put into place ready to support the liability component of cyber risk.”
Reece suggests seeking out policies that cover both the cost of the incident response, as well as any liability arising from it, including fines, penalties, regulatory investigations and any resultant claims. This is an emerging area of loss that isn’t really on the radar of business owners with the focus just being on ‘get us back to business’. But the ‘long tail’ of cyber risk is certainly changing the conversation from ‘incident response readiness’ to ‘privacy liability readiness’.
In terms of dollar figures for policies, it’s about understanding your risk exposure. The cost impact of a breach will vary wildly depending on the nature of the business and the data compromised; however, a 2024 IBM report showed that the average cost of a data breach rose to a record $4.26 million.
This is very US-heavy data—and there are plenty of examples where the losses are less than this, and then examples where the losses are significantly more than this. For an SME, a misdirected $250k invoice could be their trading profit for the quarter. For a larger corporate, the ongoing regulatory intervention, or the reputational harm associated with suppliers upstream, could be the bigger exposure. Not to mention consumer customers at the end of the line.
“The cost of buying $5 million of cyber insurance coverage is comparatively quite small.”
What industries are facing challenges when it comes to cyber risk and insurance?
As well as the typical targets of financial services, professional services and the healthcare sector, Reece points out that the real estate industry and SMEs in general also face a very high risk.
“Real estate is a massively de-segregated industry, sitting on trillions of dollars each year,” Reece explains. “You’ve got the property exchange that sits in the middle, with conveyancers, lawyers, real estate agents, developers, banks and buyers all sitting around it transacting thousands of property settlements a week. Critically, the purchaser of properties, unless they’re institutional investors, are individuals—mums and dads, first home buyers—and they’re typically corresponding from personal email accounts, which we know aren’t secure.”
“Not-for-profits and SMEs with revenues of less than $3m annually face a similar risk. They’re under-resourced generally, with limited cyber risk capabilities, and if they’re not working with an MSP, say like Truis, they’re wholly reliant on security being built into the technology they buy, and on the technology service providers themselves for security. We know this is where issues lie—because often the technology itself isn’t defective, it’s just misconfigured or misunderstood.”
There’s talk in the industry about policy claims being declined. Can you share any insights on that?
Despite headlines to the contrary, Clyde & Co see a very marginal declinature rate. In most instances, Reece says, it’s more about inaccurate expectations from policies.
“I always eye roll when I read those headings. They’re seriously damaging to the confidence of the economy and can unwind all the hard work and good that the cyber insurance industry does daily to help their clients repel cyber incidents and bounce back. If you dig beneath the surface on those cases, it wasn’t that cyber insurance policies weren’t paying—they didn’t have cyber insurance. What they were trying to do was wedge a cyber loss into another policy.”
Reece likens it to having a car accident and expecting to be able to claim on your home insurance policy. “Unfortunately, that’s lost on people and so they think ‘cyber insurance doesn’t pay’. In my experience of seeing 2,500+ cyber incidents play out, cyber insurance does ‘exactly what it says on the tin’. Though it is important to ensure the policy meets your needs—the excess applicable, the limit of liability, and the various add-on components that are central to your business risk exposure.”
How do Truis and Clyde & Co work together to support clients?
“We’re all experts in our own domain. At its heart, we are incident responders. It’s all we do, all day long. We see every version of what happens when things go wrong. What we bring to the table is the quick response to help clients navigate the first 72 hours, and the following weeks of incident response. On top of that, we provide key insight into not just regulatory law reform changes, but how incident response capability enhancement in certain areas now can make a real difference.
Why we like working with Truis is they help it fit together. We help lift the lid on the things that we see and that we worry about, so that Truis’s clients don't have to worry about it. Unfortunately, we still meet 80% of clients when they have an incident. And while we can jump on a fast-moving train very quickly, it’s always nice to plan in peace time rather than during war time, and speak to clients beforehand.”
This is where Truis supports clients, ensuring security processes meet best-practice expectations. We can help structure systems to meet the needs of cyber insurers, and liaise with brokers and insurers to provide the essential information to secure the right policy. Critically, during an incident, Truis is the first port of call and can help mobilise the right response team through your insurance response solution, so that you have the full bench behind you, depending on what is needed.
If businesses are ready to explore cyber insurance, where should they start?
The first step is simple: “If you don't have insurance, speak to your broker and ask them to provide you with some options around cyber insurance. There is incredible competition in the market at the moment and as a consequence a lot of insurers are broadening what's covered.”
Reece sees a clear need to speak to brokers who understand the industry. “If your broker isn't a specialty cyber broker—and most of them aren’t—it’s okay to say ‘can we please speak to a specialty cyber broker within your broader team’.”
Reece also has advice for businesses who already have policies in place: “If you’ve got insurance, amazing. But take that next step. Call your broker and ask them to set up a free onboarding call, or a meeting with the incident response hotline behind it all. Seeing the whites of each other’s eyes, identifying roles and responsibilities, when to call the hotline, and how to ensure you get a good insurance outcome should something arise—these are all the topics to cover in these calls. Essentially, you are getting the most out of your insurance retainer service and demystifying all of the common queries that arise.”
“The next step is then bedding in the incident response process into your incident response plan and critically, testing that through a tabletop exercise or simulation. For example, in our team alone we have a full-time team just doing simulations all year around. It’s all about getting your teams rehearsed and being able to respond decisively and effectively. Avoiding common mistakes, but also focussing on team building is what it’s all about. You can flush most of the issues out that impact the severity of an incident within 4 hours—the time investment undertaken pre-breach you get back 10 times at least, should an incident arise.”
“You can also do these internally yourself. That said, we are seeing an increase in clients conducting these exercises with specialist incident response firms like Truis or Clyde & Co. These exercises act as an opportunity for our collective teams to embed ourselves within your internal processes, helping with a more efficient and effective response during a cyber incident. Peace of mind, and certainty, is what you’re aiming for.”
Here to support you
Reece is a leading member of Clyde & Co’s cyber incident response team. Within his team, Reece has advised on a range of local, regional and global incidents across all industry sectors. His clients include government and private organisations, ranging from small businesses to large multinational corporations. To learn more about Clyde & Co’s work, head to their website.
Prepare for the year ahead
There’s never a better time to boost your cyber incident response readiness than now. Make 2025 the year to secure your cyber insurance, meet with your incident response team and obtain that essential peace of mind. The first step is booking in a consultation with Truis and the Clyde & Co team. We’ll chat through the options and answer your in-depth questions so you can feel confident in what’s right for your business. You can reach out to us on our contact form or contact your Truis Account Manager.