
Article

Debunking the Misconceptions of Cyber Insurance

Cyber insurance forms an important part of an organisation’s overall cyber risk management strategies, encouraging the adoption of best practice security controls.


Cyber insurance forms an important part of an organisation’s overall cyber risk management strategies[1]. To understand how and why incidents occur, analysis of cyber policy claims data has also been instrumental in encouraging the adoption of best practice security controls to prevent cyber-attacks. Though it has undergone some challenging times recently, the Cyber insurance market has begun to stabilise, and interest in the comprehensive protection it can provide continues to be strong.

Unfortunately, there remains a misleading perception that Cyber insurance ‘does not pay’ or ‘does not respond as required’ to key cyber events, such as ransomware. Recently an article was published[2] reporting that an Australian court found in favour of an insurer not being responsible for indemnifying a policyholder for ransomware clean-up costs, specifically “the costs of investigating the ransomware attack and preventing further effects of the attack” and “hardware replacement” costs. In this case, the claimant sought cover under a Crime insurance policy, not a specific stand-alone Cyber insurance policy[3]. This example demonstrates the importance of buying stand-alone Cyber insurance to ensure the broadest range of coverage for ransomware and other cyber incidents, rather than relying on non-Cyber insurances to respond.

Like any other insurance policy, a Cyber insurance wording represents a legal contract between the purchaser and the insurer offering the coverage. The wording clearly outlines what is or isn’t covered, and defines the parameters of an insured cyber event that will trigger policy coverage. More broadly speaking, a Cyber insurance policy triggers as soon as there is a reasonably suspected insured cyber event, including ransomware, allowing a policyholder to access specialists to investigate what has happened without requiring absolute proof that an event has occurred before benefiting from incident response services.

Furthermore, Cyber insurance was never intended to provide cover for property damage; its focus has always been on intangible assets (data, software, systems). There is scope to extend the policy to cover specifically defined physical assets or devices if they become unusable. Still, in most instances, this needs to be negotiated on a case-by-case basis.

Ransomware is one of the top cyber threats facing companies. Continually building cyber resilience is key, and Cyber insurance continues to play an important role in this process. Should the transfer of cyber risk to the insurance market be part of the organisation’s goals in managing this key exposure, a stand-alone Cyber policy provides clear and dedicated protection.


This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA: 22/368