By Kristine Salgado ,
Head of Corporate – Cyber, Marsh Specialty, Australia
08/16/2022 · 2-minute read
Cyber insurance forms an important part of an organisation’s overall cyber risk management strategies1. To understand how and why incidents occur, analysis of cyber policy claims data has also been instrumental in encouraging the adoption of best practice security controls to prevent cyber-attacks. Though it has undergone some challenging times recently, the Cyber insurance market has positively begun to stabilise and interest in the comprehensive protection it can provide continues to be strong.
Unfortunately, there remains a misleading perception that Cyber insurance does ‘not pay’ or ‘does not respond as required’ to key cyber events, such as ransomware. Recently an article was published2 reporting that an Australian court found in favour of an insurer not being responsible for indemnifying a policyholder for ransomware clean-up costs, specifically “the costs of investigating the ransomware attack and preventing further effects of the attack” and “hardware replacement” costs. In this case, the claimant sought cover under a Crime insurance policy, not a specific stand-alone Cyber insurance policy3. This example demonstrates the importance of buying standalone Cyber insurance to ensure the broadest range of coverage for ransomware and other cyber incidents, rather than relying on non-Cyber insurances to respond.
Like any other insurance policy, Cyber insurance wordings represent a legal contract between the purchaser and the insurer offering the coverage. It clearly outlines what is or isn’t covered, and defines the parameters of an insured cyber event that will trigger insurance policy coverage. More broadly speaking, a Cyber insurance policy triggers as soon as there is a reasonably suspected insured cyber event, including ransomware, allowing a policyholder to access specialists to investigate what has happened without requiring absolute proof that an event has occurred before benefiting from incident response services.
Furthermore, Cyber insurance was never intended to provide cover for property damage; its focus has always been on intangible assets (data, software, systems). There is scope to extend the policy to cover specifically defined physical assets or devices if they become unusable. Still, in most instances, this needs to be negotiated on a case by case basis.
Ransomware is one of the top cyber threats facing companies. Continually building cyber resilience is key, and Cyber insurance continues to play an important role in this process. Should the transfer of cyber risk to the insurance market be part of the organisation’s goals in managing this key exposure, a stand-alone Cyber policy provides clear and dedicated protection.
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA: 22/368