Cyber insurance is a significant part of companies' cyber resilience strategies. Although it has faced a “rocky road” recently, the cyber insurance market has started stabilising, and interest in the comprehensive protection it provides remains strong, according to Marsh.
However, misconceptions still surround cyber insurance, including claims that it does “not pay” or “does not respond as required” to key cyber events, such as ransomware – a concerning misconception as cyber resilience concerns intensify in Australia.
In its latest report, Marsh delved into an Australian court's ruling that the insurer involved in the case is not responsible for indemnifying a policyholder for ransomware clean-up costs, specifically “the costs of investigating the ransomware attack and preventing further effects of the attack” and “hardware replacement” costs. In this case, the claimant sought cover under a crime insurance policy, not a specific standalone cyber insurance policy.
Marsh highlighted that the dispute demonstrates the significance of buying standalone cyber insurance to ensure the broadest range of cover for ransomware and other cyber incidents rather than relying on non-cyber insurance products.
Marsh reminded insurers and their clients that cyber insurance wordings represent a legal contract between the purchaser/policyholder and the insurer offering the coverage.
“It clearly outlines what is or isn't covered and defines the parameters of an insured cyber event that will trigger insurance policy coverage,” Marsh said in the report. “More broadly speaking, a cyber insurance policy triggers as soon as there is a reasonably suspected insured cyber event, including ransomware, allowing a policyholder to access specialists to investigate what has happened without requiring absolute proof that an event has occurred before benefiting from incident response services.”
Marsh further clarified that cyber insurance was not designed to cover property damage because it focuses on intangible assets, such as data, software, and systems.
“There is scope to extend the policy to cover specifically defined physical assets or devices if they become unusable. Still, in most instances, this needs to be negotiated on a case-by-case basis,” the report said.
Currently, ransomware is one of the top cyber threats facing companies. Therefore, Marsh advised insurers and their clients to continually build cyber resilience, with cyber insurance playing a key role in this process.
“Should the transfer of cyber risk to the insurance market be part of the organisation's goals in managing this key exposure, a standalone cyber policy provides clear and dedicated protection,” Marsh said.