Cyber insurance is not enough. Why don’t policies cover real losses after an attack?

Izabela Myszkowska

More and more companies are investing in cyber insurance, seeing it as the last line of defence against the effects of digital attacks. The problem is that even a well-constructed policy does not guarantee full protection – and it is not a matter of ill-will on the part of insurers. The key challenge is that the sums insured are too low: they are nowhere near the real cost of incidents, and those costs are increasing year on year.

The real cost of the incident is not just the ransom

Figures from the latest WTW report show that the average cost of a cyber incident worldwide was $3.9 million in the past year. The most expensive recorded incident cost a company as much as $331 million. In total, insurers paid out more than $655 million in claims.

These are not fringe market incidents – they are everyday occurrences in an increasingly digital operational landscape. To make matters worse, many companies still do not realise how big their real exposure can be. They only find out when, after an attack, the insurer pays out only part of the claim and the rest has to be covered from their own resources.

Security gap – a costly mistake for companies

WTW estimates that as many as 15 per cent of claims made are excluded from cover precisely because the sum insured is underestimated. In practice, this means that the company – despite having a valid policy – covers a significant proportion of the losses itself. Such a scenario can shake the company’s liquidity and, in the case of smaller companies, even threaten business continuity.


The most common mistake? Companies buy insurance “on the spur of the moment”, without linking the amount of cover to the actual risk profile. Many organisations rely on quotes adopted years ago or are guided by the lowest premium, disregarding the limitations in the T&Cs. Meanwhile, IT infrastructure, cloud dependency and digital service supply chains are growing exponentially.

The pitfalls of thinking about cyber insurance

Many IT and finance managers still see cyber insurance as a substitute for effective security. This approach is not only wrong, but also risky. First – insurance does not protect against an incident, it only mitigates the impact. Second – the insurer requires the company to demonstrate a sound security policy before it will accept a claim. The lack of a business continuity plan, out-of-date software or a lack of employee training could result in a denial of payment or a reduction in the amount.

It is equally dangerous to underestimate indirect losses – such as downtime, PR costs, reputation restoration or regulatory penalties. These elements are sometimes difficult to accurately capture in a policy, yet they can account for a significant proportion of losses.

When does the policy work and when does it fail?

Situations such as the 2024 incident involving a faulty CrowdStrike update demonstrate how one supplier error can spill over to thousands of customers. The scale of the problem is further compounded by the fact that many policies exclude system damage resulting from third-party service failures unless they are separately covered.

Insurers are only just learning to deal with so-called risk aggregation, i.e. situations in which one incident affects many entities at once. As a result, their risk pricing models do not always keep up with the pace of digital change – which in turn makes it difficult for customers to select the right cover.

How to build an effective protection strategy?

An effective strategy is a combination of several elements: technology, processes, organisational culture – and insurance as a layer of financial security. The policy should be treated as a complementary component, not the main pillar of defence. It is crucial that its coverage is based on a real risk analysis.

In this context, it is worth noting the development of insurtech tools such as CyberQuantified. This is a solution that – based on data from actual claims and the profile of a specific organisation – allows the potential cost of an incident to be estimated and the sum insured to be tailored to the company’s needs. This type of approach can significantly reduce the protection gap if a company chooses to use it.

An opportunity for technology consultants and the IT channel

As cyber insurance grows, IT integrators and technology partners are gaining a new role – not only as implementers, but also as advisors. Collaborations with insurance brokers or insurtech platform providers can open up new sources of value for customers.

CIOs and CSOs today expect not only technical competence, but also the ability to assess and evaluate risk. Partners who can help match the scope of protection to the client’s infrastructure can be counted on for long-term relationships.

Insurance is only the beginning

The increase in the number of policies being purchased and the growth of the cyber insurance sector are a good sign – they show that companies are starting to take this risk seriously. But as long as the cover does not match the real cost of an incident, there can be no talk of full security.
