Debunking the misconceptions of cyber insurance: Marsh

Continually building cyber resilience is key.
Continually building cyber resilience is key.

Cyber insurance forms an important part of an organisation’s overall cyber risk management strategy. “To understand how and why incidents occur, analysis of cyber policy claims data has also been instrumental in encouraging the adoption of best practice security controls to prevent cyber attacks,” says Spiros Fatouros, CEO of Marsh McLennan Africa. Though it has undergone some challenging times recently, the cyber insurance market has positively begun to stabilise and interest in the comprehensive protection it can provide continues to be strong.

Unfortunately, there remains a misleading perception that cyber insurance does ‘not pay’ or ‘does not respond as required’ to key cyber events, such as ransomware. Recently, an article was published reporting that an Australian court found in favour of an insurer not being responsible for indemnifying a policyholder for ransomware clean-up costs, specifically “the costs of investigating the ransomware attack and preventing further effects of the attack” and “hardware replacement” costs. In this case, the claimant sought cover under a crime insurance policy, not a specific standalone cyber insurance policy. This example demonstrates the importance of buying standalone cyber insurance to ensure the broadest range of coverage for ransomware and other cyber incidents, rather than relying on non-cyber insurances to respond.

Like any other insurance policy, cyber insurance wordings represent a legal contract between the purchaser and the insurer offering the coverage. It clearly outlines what is or is not covered, and defines the parameters of an insured cyber event that will trigger insurance policy coverage. More broadly speaking, a cyber insurance policy triggers as soon as there is a reasonably suspected insured cyber event, including ransomware, allowing a policyholder to access specialists to investigate what has happened without requiring absolute proof that an event has occurred before benefiting from incident response services.

Furthermore, cyber insurance was never intended to provide cover for property damage; its focus has always been on intangible assets (data, software and systems). There is scope to extend the policy to cover specifically defined physical assets or devices if they become unusable. Still, in most instances, this needs to be negotiated on a case-by-case basis.

“Ransomware is one of the top cyber threats facing companies. Continually building cyber resilience is key, and cyber insurance continues to play an important role in this process. Should the transfer of cyber risk to the insurance market be part of the organisation’s goals in managing this key exposure, a standalone cyber policy provides clear and dedicated protection,” concludes Fatouros.

Share

Editorial contacts