IT Brief Australia logo
Technology news for Australia's largest enterprises
Story image

Shopping for cyber insurance? Six questions to ask before calling the insurer

By Contributor
Wed 4 May 2022

Article by Yubico Asia Pacific and Japan vice president, Geoff Schomburgk.

The cyber threat landscape has always been worrisome, but today there are many more CISOs noticing new grey hairs in the mirror, given an anticipated uptick in cyber-attacks from nation-states and other bad actors.

Ransomware attacks and other forms of account compromise continue to grace the news every month, with malicious actors, state-sponsored or otherwise, potentially costing companies millions in downtime and lost opportunity. There are also serious reputational risks for vendors who might see customers flock to a competitor after a publicised attack.

These attacks have broken the old cyber insurance risk models because it’s become too easy for an attacker to steal credentials and work from the inside. They use relatively simple technology but can cause serious damage through days of downtime, even more than a classic breach or reputation damage. These developments have far-reaching implications across the entire insurance industry, from the insurers to the brokers, to the insured themselves.

Due to a heightened risk profile caused by recent events, cyber insurance premiums have skyrocketed, going up by 150-300 per cent in some cases. So, it’s no surprise that this increased-threat environment has inspired a quick uptick in cyber insurance interest as firms either consider signing up for the first time or seek to increase liability coverage. 

The cyber insurance industry is still developing in response to all the new threats coming from novel sources. However, the basic tenet of insurance still holds: Those companies at the highest risk will pay the highest premiums – or might not qualify at all. 

Asking the right questions

What can companies do as their “homework” before approaching cyber insurance providers? How do they put themselves in the best position to negotiate reasonable premiums on a policy that will pay out if the worst happens? It is worthwhile going through this checklist first before investing in a policy: 

1. What are the minimum-security requirements of the insurer?

Most quotes for cyber insurance will come with a cyber risk vulnerability report. It will be billed as a report beneficial to assessing the risk, but of course, it’s in the insurer’s interest to find any glaring weak links in an organisation’s armour. While minimum requirements will vary, they will likely closely mirror what is included in the Australian Cyber Security Centre’s (ACSC) Essential Eight.

These are eight strategies to mitigate cyber security incidents, and implementing them effectively helps achieve a baseline cybersecurity posture. One of the eight strategies calls for the implementation of phishing-resistant MFA authentication.

You can be sure that simple password authentication isn’t going to be enough to meet cyber insurers’ minimum requirements because the risk is too high for them. So before asking for a cyber insurance quote, it makes sense for companies to grade themselves against the Essential Eight first. 

In the past, a signed attestation from the company’s CISO that minimum standards were in place was sufficient. However, for high-liability or high-risk policies, some insurance firms may now need proper due diligence to go any further.

2. How fast can organisations implement more robust authentication?

If cyber insurance is something an organisation needs immediately, it may not have the time to wait for a full cycle of security upgrades. It’s worth asking what security practices, hardware-based authentication or increased employee training they can do today to make their security profile more attractive to cyber insurers? 

3. Has the pandemic weakened a company’s security profile because more people log in from home? 

Many companies’ pre-pandemic focused security efforts had the office locations set as the boundaries. But as so many remote workers now either work permanently remotely or in a hybrid manner, tightening the organisation’s grip on security has become a lot more complicated.

There is more risk because there are many attack vectors, and cyber insurers are acutely aware of this. It is not enough to focus on firewalls, web proxies, and data protection – today, robust MFA for those logging in remotely must be part of the picture. 

Attackers aren’t breaking in, they’re logging in, and compromised credentials are at the root of 65 per cent of cybersecurity incidents, according to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report for July-December 2021. Raising the security bar for user authentication beyond passwords is imperative.  

4. Will a policy payout when something bad happens? 

This is a legal question and still developing but keeping up with court cases that lay down precedent on these issues is key. It’s no secret that insurance companies stay in business by NOT paying out when they don’t have to or by keeping their payouts low. Therefore, it is important to carefully document all downtime and losses from the first day of a breach or other incident.

Some good news is a recent ruling on a $1.4 billion attack on the global pharmaceutical company Merck from Russia. Even though the attack was pointed at Ukraine in 2017 (a grim reminder of the physical invasion to come), the court ruled that it was not an “act of war or terrorism,” Therefore, a payout could not be excluded.

Insurance companies will try to limit their losses by breaking up covered items into categories. For example, losses due to downtime, hardware and systems replacement, ransomware payout and identity protection for affected customers may have been covered in a single bundle before, but today they are likely to be itemised. That makes policies more complex, requiring brokers to shop around for reinsurers to spread the risk. 

5. Have we done a full cybersecurity review recently? If not, how do we do it? 

Risk assessments should be carried out on a standard schedule, including both internal and external threats. It can start with a comprehensive review of user access, which identity access management (IAM) system an organisation uses, and what kind of anti-phishing user education they have employed or plan to employ. A review should look closely at privileged users, critical staff and admins, but it should not exclude users. The safest end goal will be to at least start on a path toward strong MFA authentication for all users. 

Organisations should review their cybersecurity posture in line with the Essential Eight. They can bring this information into conversations with insurance brokers, which will put them in a stronger bargaining position when they negotiate cyber insurance premiums. 

6. Is the cyber policy specific about what is covered and what will be paid out? 

Boilerplate policies are never good because each firm will have specific threat vectors and, most likely, scenarios for how an attack would happen. Businesses taking out a cyber policy should make sure there are enough specific references to the organisation’s vulnerabilities and that they are satisfied with how third-party liability is considered.

In general, the more specific it is in terms of what falls under covered attacks, the better. Note: This is when having a proper legal advisor, preferably with cyber insurance experience, would help. What we say here shouldn’t be taken as legal advice to follow. 

These six questions are only a starting point for cyber insurance research, but it’s a good foundation to consider how to get the best deal on premiums and the most comprehensive protection for the years ahead.

Related stories
Top stories
Story image
Southern Cross Cable
Southern Cross Cable launches the SX NEXT cable to connect NZ to the world
The new Southern Cross NEXT fibre cable (SX NEXT) is set to connect Australasia to the US and further enhance connectivity between New Zealand, Australia, and the US.
Story image
Elders signs five-year agreement with Microsoft to boost innovation
Australian agribusiness Elders has signed a five-year agreement with Microsoft that looks to transform its customer experience, efficiency and sustainability outcomes.
Story image
Examining the future of ransomware threats with Vectra’s CTO
As customers' valuable data move to the cloud, so will ransomware. What is the current landscape and what do we need to know?
Story image
Your tools, your choice: why allow employees to choose their own devices?
Jamf Australia says giving your team the freedom to work with their digital device of choice could help to attract and retain top talent in a tight labour market.
Story image
Digital Fingerprint
Decline in counterfeit cherries after digital fingerprinting
Reid Fruits says there’s been a dramatic decline in counterfeit products for its cherries over the past three export seasons to Asia because of digital fingerprinting.
Story image
MYOB snaps up Sydney-based management software specialists
MYOB has announced the acquisition of Sydney-based business management software and support specialists, GT Business Solutions.
Story image
Document Management
NZ's FileInvite raises $10M in latest investment round
FileInvite has raised $10 million in Series A investment to fast-forward the extinction of email for requesting and collecting documents online.
Story image
Bridgestone Australia uses Dematic's AGVs to optimise warehouse operations
Bridgestone Australia has deployed Dematic's Automated Guided Vehicle solution across its new Melbourne warehouse in Truganina.
Story image
Artificial Intelligence
Decision Inc. partners with to expand offering
Decision Inc. Australia has partnered with to expand its offering to clients in the retail, FMCG, manufacturing, supply chain and logistics sectors.
Story image
Ping Identity appoints Deloitte Australia as a partner
Ping Identity has appointed Deloitte Australia as a Consulting Technology Partner, uniting its offerings with the company's consulting services.
Story image
Jamf introduces new content filtering solution for education providers
Jamf has announced the launch of Jamf Safe Internet, a new offering that looks to deliver a safe online experience to students while offering better management options for admins.
Story image
Video: 10 Minute IT Jams - An update from Paessler
Sebastian Krüger joins us today to discuss how unified infrastructure monitoring enables MSPs to seamlessly deliver services to their clients.
Story image
Marketplacer and Adobe accelerate partnership for enhanced commerce solutions
Marketplacer has accelerated its partnership with Adobe in order to further enhance the global commerce marketplace.
Story image
Enterprise Resource Planning / ERP
Five ways your ERP is letting you down and why it's time for a change
Wiise explains while moving to a new system may seem daunting, the truth is that legacy systems could be holding your business back.
Story image
Four things wholesale distributors need to consider for FY2023
In a post-pandemic world, there are many things for a distribution business to juggle. ERP solutions company Wiise narrows down what companies should focus on.
Story image
How organisations can mitigate IoT and IIoT security risks
IoT and IIoT come with inherent risks because they are often deployed faster than they can be secured, putting organisations in danger of cyber threats. Here are tips on how to mitigate those risks.
Story image
Honeywell named Frankston facility services provider
Honeywell has been named the joint facility services provider for Frankston Hospital’s AU$1.1 billion redevelopment.
PwC's Consulting Business and PwC's Indigenous Consulting are proud to play an important role in helping Australian Indigenous Mentoring Experience build IMAGI-NATION, a free online university for marginalised communities around the world.
Link image
Story image
To win at 5G, telcos must tame their quoting chaos
The catalogs of CSP (communication service providers) market offerings are set to explode as new digital services emerge, powered by B2B2X business models.
Story image
Data Protection
Five signs your business is ready to move to the cloud
Many organisations are thinking about moving to the cloud. But what are the signs you are ready, and what are the reasons to move?
Story image
How New South Wales state departments achieved cloud migration success
State departments in New South Wales are heading to the cloud to achieve better workflow solutions, and one company is paving the way for their success.
Story image
ASI Solutions
Western Australia CUA panel picks ASI as preferred supplier
Western Australia's Common User Arrangement (CUA) panel has chosen ASI Solutions as a preferred supplier for device hardware.
Supply chain
Discover the 4 critical priorities for wholesale distribution businesses in FY23. Are you worried about how supply chain issues may affect your business in 2023?
Link image
Story image
Four factors to consider when choosing the right job accounting solution
Progressive job-based businesses can achieve success by strengthening their ability to quantify every cost attributable to the delivery of an outcome for a customer.
Story image
How the metaverse will change the future of the supply chain
The metaverse is set to significantly change the way we live and work, so what problems can it solve in supply chain management?
Project management
Discover the 4 crucial factors for choosing the right job-costing solution. Is your team struggling to cost jobs and keep projects running on budget?
Link image
Story image
Monitors are an excellent incentive for getting employees back
The pandemic has taught us that hybrid working is a lot easier than we would’ve thought, so how can the office be made to feel as comfortable as home? The answer could be staring you in the face right now.
Digital Transformation
Discover the 5 signs your business is ready for a cloud-based ERP. Is your business being left behind as more of your competitors switch to the cloud?
Link image
Story image
Rubber Monkey gears up for Aussie market with latest capital raise
Rubber Monkey is seeking to raise up to NZ$2.5 million of new capital through online investment platform, Snowball Effect.
Story image
Without trust, your security team is dead in the water
The rise of cyberattacks has increased the need for sound security that works across any type of business, but with any change, buy-in is essential. Airwallex explains why.
Story image
Document Management
Regaining digital trust and enhancing digitisation in Australian Government agencies
Having a digitised ecosystem of documents, tools and data can help bolster security, improve workflow and ultimately create better services.
Story image
Tech and data’s role in the changing face of compliance
Accenture's study found that 93% of respondents agree or strongly agree new technologies such as AI and cloud make compliance easier.
Story image
Thales on recruitment hunt for next disruptive innovations
"Recruiting new talent is part of Thales's belief in the power of innovation and technological progress to build a safer, greener and more inclusive world."
Story image
Artificial Intelligence
Dynatrace extends automatic release validation capabilities
Dynatrace has extended its platform release validation capabilities to improve user experience at every stage of the software development lifecycle.
WSLHD and PwC’s Consulting Business came together to solve through the challenges of COVID-19. A model of care was developed to the NSW Health Agency for Clinical Innovation guidelines with new technology platforms and an entirely new workforce.
Link image
Story image
Artificial Intelligence
Accenture shares the benefits of supply chain visibility
It's clear that gaining better visibility into the supply chain will help organisations avoid excess costs, inefficiencies, and complexity to ultimately improve their bottom line.
Story image
Registrations for the W.Media Sydney Cloud and Datacenter Convention 2022 now open
Are you a C-Level executive looking to enhance your knowledge in the cloud and data center space in order to get the best results for your company?
Story image
Security Information and Event Management (SIEM)
LogRhythm updates SIEM Platform with latest innovations
LogRhythm has announced the launch of version 7.9 of the LogRhythm SIEM Platform and updates to LogRhythm NDR and LogRhythm UEBA.
Story image
Supply chain
Supply chains continue to be disrupted, enterprises embrace circular economy
“Businesses urgently need to find a solution that can help them to manage this disruption, and transition to a circular economy."
Story image
Appian unveils low-code certification program in Australia
Appian has announced a program to provide the next generation of low-code developers with access to education on the subject and certification to foster career opportunities.
Discover the 5 ways your ERP may be letting you down. Is your current system outdated, difficult to manage, and costing you a fortune?
Link image
Story image
How Airwallex helps businesses achieve globalisation success
As markets continue to shift, businesses need to be able to provide the same quality of service for customers regardless of where they are located around the world.
Story image
Enterprise service management: the importance of a one-stop shop
In an online world, employees and end-users want one place to go for all their questions and requests. Intranet technology and self-service portals are useful tools that help serve this purpose.
Story image
Delinea’s Joseph Carson recognised with OnCon Icon Award
Delinea chief security scientist and advisory CISO Joseph Carson has been recognised as a Top 50 Information Security Professional in the 2022 OnCon Icon Awards.