The Insurance Misconception
We've heard it many times: "We have cyber insurance, so we're covered." This mindset is not only wrong—it's dangerous.
What Cyber Insurance Actually Covers
Cyber insurance typically covers:
- Incident response costs
- Legal fees and regulatory fines
- Business interruption losses
- Data recovery expenses
- Notification costs
What it doesn't cover:
- Reputation damage
- Lost customer trust
- Operational disruption during recovery
- Future premium increases
The Growing Problem of Claim Denials
Insurers are increasingly denying claims when organisations can't demonstrate that basic security controls were in place. Common reasons for denial:
- Lack of MFA - if multi-factor authentication wasn't enabled, your claim may be denied
- Unpatched systems - known vulnerabilities that weren't addressed
- No security training - staff fell for a phishing attack and no training program was in place
- Inadequate backups - no recoverable backups available
Rising Premiums and Stricter Requirements
Cyber insurance premiums have increased 50-100% annually. Insurers now require:
- Completed security questionnaires
- Evidence of security controls
- Regular vulnerability assessments
- Incident response plans
The Right Approach
Cyber insurance should be one layer of your defence strategy, not your entire strategy. Think of it like car insurance—you still need to drive safely.
Recommended approach:
- Implement robust security controls (Essential Eight is a great start)
- Train your staff regularly
- Have tested incident response procedures
- Then get appropriate insurance coverage
Conclusion
Invest in prevention first, insurance second. The cost of good cybersecurity is always less than the cost of a breach.