As cyber exposures and losses continue to magnify, the burgeoning cost of cyber insurance has led many companies into an impasse; is the best security strategy investment suited to prevention or resiliency?
Our team address the issues that need to be considered regarding the increased scrutiny around the value of Cyber Insurance vs an alternative approach of the reallocation of this premium spend to internal posture improvements.
Challenging market, challenging decisions
With an ongoing hardening Cyber Insurance market leading to significant year on year premiums for some insureds, many organisations may be thinking of either:
1. Allocating potentially large premiums elsewhere to improve their own risk posture; over: 2. Continuing to transfer their cyber risk to insurance.
However, with the challenges of the marketplace, cyber insurers aren't running for the exits. In fact, 84% said they expect they'll continue to offer coverage over the next three years, according to a recent survey from Panaseer. 
Despite that position from insurers, insureds are increasingly subjected to rising premiums and extensive scrutiny. That’s why some insureds now find themselves re-evaluating their Cyber Insurance.
While Cyber Insurers predictably suggest they are proving the value of their coverage, with “market loss ratios” to validate their assertion, insureds are understandably exploring all avenues of their own capital allocation.
What is Cyber Insurance actually covering?
In considering the question, it is important to first establish the risk-based discussion our team is having with respect to cyber risks.
Cyber risk discussions can traditionally be heavily weighted towards IT/IS exposures; investment specific to these areas, and only involve those responsible.
Organisations, however, must remember that a cyber/privacy event can equally or more so impact a company’s legal, operational (revenue), management (D&O) and reputational profile.
In our view, cyber events; the costs and resources, far extend beyond those associated with Information Technology. The recent cases of RI Investment (ASIC fines) and Landmark White (ultimately almost business demise) are two pertinent examples. 
A shift away from the data heavy focus that often drives these discussions is needed. Data rich businesses are not the only type or organisation susceptible to being significantly impacted by a cyber event. An inability to operate and the associated revenue and reputational impact can be just as significant if not more-so than a large “data breach”. In fact, a recent Net Diligence report outlined a significant upward trend in Business Interruption (BI) claims and associated costs. 
These broader exposures encompassing technology reliance, legal/regulatory/contractual exposures, operational (BI) impacts, data, management liability and reputational risks can lead to first party and third party associated costs. Such costs can be significant at the start of an event (traditionally 1st party) but continue long after the initial incident, with long tail (traditionally 3rd party liability) exposures occurring sometime in excess of 12 months after day one.
Policy coverage refresher
Cyber insurance policies provide coverage across two key areas.
First party loss:
Includes costs for engaging third party vendor assistance, and business interruption exposures:
Breach Event Expenses incl. forensics
Network Business Interruption – loss of revenue
Data and System Recovery
Hardware and equipment damage
Third party loss:
Includes losses incurred by your clients or by way of regulatory breach:
Network Security Liability incl. civil actions
Regulatory Liability and Penalties
Privacy breach Liability
Another vital aspect of Cyber Insurance arises from the 24/7, 365 incident response capabilities, that directly complement and assist an organisation's risk management resources in the event of a claim. Even below the deductible, an insured will still be afforded access to insurers crisis response providers at “panel rates”, which is often significantly reduced when compared to standard rates.
Where to invest?
Understanding the above brings us back to our original question: is the best security strategy investment suited to prevention or resiliency?
Looking at this from an IT/IS perspective, an insured would have to consider investment across:
Practices and Procedures (i.e. patching)
Actual incident response capabilities
SOC/SIEM capabilities; and so on.
Even with a significant increased focus on improvements on internal infrastructure and capabilities, how would an organisation also effectively deploy this capital to reduce their exposure to third party vendors/supply chain exposure? The most recent (and ongoing) Frontier breach is a good reminder of the exposure these parties bring. 
Additionally, how much of this capital is invested upfront and how much is saved to be utilised in the event of a claim, to engage (where required) third party assistance around forensic, legal, public relations vendors or otherwise?
Common examples of these costs include (but certainly are not limited to):
Legal costs (i.e. identifying and meeting contractual exposures and breaches)
Ransom payments and associated legal advice (notably, organisations need to understand the decision to pay the ransom or not is a business-level decision, rather than just a security one)
eDiscovery costs (costs associated with determining data accessed, breached, exfiltrated)
Finally, when allocating this capital, consideration again needs to be given to how much to allocate/save for an organisation’s long tail, third-party liability claims and costs exposure.
For example, one can see how investing in improving an organisation’s back up redundancies can leave a plethora of other areas unaddressed.
Consequences of wrong investment?
With cyber events being so mercurial, misguided investment could have far greater financial consequences than the impact of paying a large premium.
Maintaining a high standard with respect to cyber security within an organisation and the associated ongoing investment has been and will remain important. Reducing an organisation’s exposure and using prevention tools helps to block an enormous number of potential cyber exposures.
Identification and mitigation of exposures remains extremely important. No one should be proposing that we move away from investment here. However, cyber exposures are constantly evolving. Threat actors are continuously learning and improving their capabilities, organisational skills, and modus operandi. And due to the proliferation of cyber tools, they have an advanced variety of techniques at their disposal.
The attacker-defender asymmetry ensures cyber criminals only need to exploit one weakness to access an insured’s environment. This is the role Cyber Insurance plays. 
Corporate ecosystems today are so complex that it is nearly impossible to determine the extent of exposure due to even a single common vulnerability. For example, the well-publicised Log4j exposures that impacted tens of thousands of organisations globally. Because organisations are almost certainly not aware of all the dependencies in their own software, and in third-party software components, it is extremely difficult for them to truly be across and be able to effectively remedy these exposures. The adoption of cloud and software-as-a-service components have created a new, interconnected mesh of corporate IT, bringing with it significant security implications in organisations that may not have the skills and experience needed to handle them.
While internal investment is always advised, organisations cannot invest to a point where they are completely secure. Implementing a policy to cover off the unknowns is the role of Cyber Insurance and should continue to be implemented as part of an organisation’s broader risk management strategy.
Implementing insurance for the right purpose
The hardening market has rightfully forced a rethink on the merits of Cyber Insurance. Purchasing a policy should be perceived as balance sheet protection as opposed to the previous soft market approach of a commodity purchase. Ultimately, cyber insurance should be relied upon as the last line of defence in a catastrophic cyber event. The limit and deductible structure should address this, and in doing so a properly thought out program structure can assist in addressing premium and costs challenges.
For those organisations under contractual obligations with third parties to carry a minimum level of Cyber Insurance, these obligations will not dictate deductible/excess minimums, allowing the organisation to address cost increases in this manner.
Finally, policy implementation and structure is not a discussion that should be dictated from an IT/IS standpoint. The broader business/reputational impact to organisations means policy discussion should involve risk managers, in-house counsel, public relations/marketing, chief security or privacy officer, key IT personnel and executive and non-executive management.
Directors & Officers (D&O) considerations
Cyber Insurance has an important role to play in directors' and officers' meeting their duties. Addressing cyber deficiencies, having assessments performed by independent third parties and transferring the risk to insurance will assist in demonstrating prudent governance of a business’s critical risk, thereby mitigating directors’ and officers’ exposures.
Whilst significant premiums and retentions can - on the face of it - make the insurance seem less appealing, choosing to not insure a business-critical risk due to high premiums could present directors' and officers' liability issues should an organisation face a significant uninsured loss. The process can also contribute significantly to an insured’s environmental, social, and governance (ESG) principles, showing further commitment to the S (i.e. data protection) and the G (management leadership).
Finally, the implementation of a Cyber Insurance policy complements the position recently taken by ASIC in the RI Group matter. Whilst specific to a financial services licensee, RI Group was recently found to have breached its license obligations by failing to adequately manage cyber risk. ASIC outlined an expectation on directors to educate and equip themselves to drive their organisation’s cyber risk culture. They further encouraged directors to consider their risk management framework, enquire about incident response plans, and ensure access to appropriate risk management resources.
Cyber Insurance policies can directly and indirectly address all of these three points, through insurers add values, and incident response panel access. ASIC noted that a failure to address cyber risks or comply with disclosure obligations may be a breach of directors’ duties.
"ASIC encourages directors to consider their risk management framework, enquire about incident response plans, and ensure access to appropriate risk management resources. Failure to address cyber risks or comply with disclosure obligations may be a breach of directors’ duties."
Implementing a Cyber Insurance policy assists in demonstrating that the Executive and Board seriously address cyber risk through investment, education and risk transfer.
Risk transfer has not lost its relevance
Cyber policies and the value-add benefits provided by insurers provide vital assistance following the occurrence of a cyber event. Additionally, the increased scrutiny from insurers has helped insureds drive improvements in their own understanding and mitigation of risks. However, not to a point where risk transfer has lost its relevance. Cyber Insurance offers an extremely effective method to address these broad exposures, and complement internal investment.
1. Look to address internal investment, improvements in posture and preparedness in a complementary manner with the insurance.
2. Review the intention and structure of your program, remembering policies are designed to respond to catastrophic events should lead the policy implementation discussion.
3. Implement a policy to cover off the unknowns is the role of Cyber Insurance and should continue to be implemented as part of an organisation's broader risk management strategy.
We hope you found this an insightful read. Please let me know if you have any feedback.
Mark Luckin Manager, Cyber & Technology Lockton Companies Australia M: +61 433 337 922 E: Mark.Luckin@lockton.com
2. https://www.clydeco.com/en/insights/2022/05/australia-the-dawn-of-a-new-afsl-cyber-risk-manage https://rouselawyers.com.au/a-lesson-from-landmark-white/