In an era where data breaches, ransomware attacks, and operational disruptions have become all too common, organisations are recognising that cybersecurity is no longer just a technical issue — it’s a business risk. As part of a well-structured security and resilience strategy, cyber insurance has emerged as a key instrument to manage financial fallout when preventive measures fail.
But cyber insurance is not a magic shield. It’s not a substitute for robust controls, nor is it a blank cheque for poor cyber hygiene. Instead, it represents one of the five core risk treatment options: Transfer. This article explores the evolving role of cyber insurance, its intersection with broader security governance, and the mounting challenges faced by both insurers and insured.
Key takeaways:
• Cyber insurance = Risk transfer, not risk reduction
• Insurers are tightening controls, raising premiums, and excluding certain threats
• Effective coverage depends on demonstrable cyber hygiene and maturity
• Insurance should be integrated into broader governance and resilience planning
• Residual risk always remains — the evaluation and control process must be documented and accepted at board level
Understanding Risk Treatment: The Five Options
Cybersecurity frameworks such as ISO/IEC 27005, CIS Controls v8, and the NIST RMF define five standard strategies to treat identified risks.
Each represents a different way to deal with the impact and likelihood of a given threat.
1. Avoid
Choose not to engage in risky activities. For example, an organisation may decide not to store sensitive personal information at all to avoid the burden of protecting it.
2. Reduce
Implement controls to reduce the likelihood or impact. This includes firewalls, encryption, backup strategies, staff training, and incident response planning.
3. Accept
Tolerate the risk, typically when its impact is low or the cost of mitigation outweighs the benefit. Accepted risks should be documented and periodically reviewed.
4. Transfer
Shift the financial liability to a third party — this is where cyber insurance plays a role. It doesn’t reduce the chance of an incident, but it mitigates the financial consequences.
5. Share
Distribute the risk across partners, vendors, or service providers through contractual agreements or joint operations. For example, cloud service providers may assume partial responsibility for data loss.
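To make the difference between Reduce and Transfer concrete, here is an added illustration (not from the original article): a small Python risk register in which controls lower likelihood or impact, while an insurance policy only changes who pays for an event, and an excluded threat leaves the whole loss as residual risk. All figures, scenario names and policy terms are constructed.

```python
from dataclasses import dataclass

# Constructed example: expected annual loss before and after each treatment option.
# Figures are illustrative; real quantification needs loss-event data and the policy wording.

@dataclass
class Scenario:
    name: str
    likelihood: float                   # annual probability of at least one event (0..1)
    impact: float                       # expected financial loss per event
    tags: frozenset = frozenset()       # attributes an insurer may exclude, e.g. "ransomware"

@dataclass
class Policy:
    limit: float                        # maximum the insurer pays per event
    deductible: float                   # portion the organisation always pays first
    exclusions: frozenset               # scenario tags the policy will not respond to


def annual_loss(likelihood: float, impact: float) -> float:
    """Expected annual loss (likelihood x impact); with no treatment this is the inherent risk."""
    return likelihood * impact


def reduce_risk(s: Scenario, likelihood_factor: float = 1.0, impact_factor: float = 1.0) -> Scenario:
    """Option 2 (Reduce): controls such as EDR or tested backups shrink likelihood and/or impact."""
    return Scenario(s.name, s.likelihood * likelihood_factor, s.impact * impact_factor, s.tags)


def transfer_risk(s: Scenario, p: Policy) -> tuple[float, float]:
    """Option 4 (Transfer): split one event's loss into (insured, retained).
    Likelihood is untouched: insurance changes who pays, not whether the event happens."""
    if s.tags & p.exclusions:           # excluded threat: the policy does not respond at all
        return 0.0, s.impact
    insured = min(max(s.impact - p.deductible, 0.0), p.limit)
    return insured, s.impact - insured


def residual_risk(s: Scenario, p: Policy) -> float:
    """Expected annual loss still carried after transfer; this is what the board must accept."""
    _, retained = transfer_risk(s, p)
    return annual_loss(s.likelihood, retained)


if __name__ == "__main__":
    policy = Policy(limit=500_000, deductible=50_000, exclusions=frozenset({"ransomware", "nation-state"}))
    ransomware = Scenario("ransomware", 0.2, 1_000_000, frozenset({"ransomware"}))
    breach = Scenario("data breach", 0.1, 800_000, frozenset({"breach"}))
    for s in (ransomware, breach):
        print(f"{s.name}: inherent {annual_loss(s.likelihood, s.impact):,.0f}, residual {residual_risk(s, policy):,.0f}")
    # Ransomware is excluded, so only Reduce moves its residual figure:
    print(f"ransomware with controls: residual {residual_risk(reduce_risk(ransomware, 0.5), policy):,.0f}")
```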
The Strategic Role of Cyber Insurance
When implemented wisely, cyber insurance serves as a financial resilience mechanism. It ensures that when things go wrong — and eventually, they will — your organisation is not left financially devastated.
Cyber insurance typically covers:
• Incident response and forensic investigation
• Data breach notification costs
• Legal fees and regulatory fines
• Business interruption
• Ransomware payments (with caveats)
• PR and reputation management
However, coverage is not guaranteed.
Insurers now demand a clear demonstration of cyber maturity, often requiring proof of:
• Multi-Factor Authentication (MFA)
• Endpoint Detection & Response (EDR)
• Patch management and vulnerability scanning
• Data encryption and backup policies
• Employee training programmes
The Growing Challenges for Cyber Insurers
The rapid growth of cyber threats has forced insurers to fundamentally re-evaluate how they underwrite risk. What was once a niche product has ballooned into a global market projected to exceed $30 billion USD by 2027.
Underwriting Uncertainty
Unlike traditional insurance, there are no actuarial tables for cyber risk. New vulnerabilities, nation-state campaigns, and zero-day exploits appear constantly. This unpredictability makes it difficult to price policies accurately.
Increased Claims & Costs
Major incidents such as NotPetya, SolarWinds, and the Colonial Pipeline attack led to massive payouts — sometimes exceeding the total premiums collected in entire regions. This forced many insurers to raise premiums or exit the market entirely.
Policy Complexity and Exclusions
Insurers are becoming more cautious. Many policies now exclude:
• Ransomware-related claims
• Nation-state cyberattacks, citing war exclusion clauses
• Acts of negligence, especially when basic security practices are not followed
The infamous Merck v. ACE case (arising from NotPetya) triggered legal debate over whether a Russian-linked cyberattack qualified as an “act of war”. The courts ruled in Merck’s favour — but the incident spurred a wave of tighter policy language globally (https://law.justia.com/cases/new-jersey/appellate-division-published/2023/a-1879-21.html).
Greater Oversight and Pre-Audit Requirements
Cyber insurers now act more like security auditors.
Before offering a policy, some providers perform or require:
• External vulnerability scans
• Security posture questionnaires
• Third-party risk assessments
For some clients, particularly in healthcare, finance, and critical infrastructure, insurance may be contingent on implementing specific controls or obtaining cybersecurity certifications such as ISO/IEC 27001 or SOC 2.
Regional Snapshot: The NZ and AU Context
In New Zealand, the cyber insurance market remains relatively small but is growing fast. Local providers typically act as brokers for international underwriters. Due to our increasing exposure to global cyber threats, many organisations — especially SMEs — are now considering coverage for the first time.
In Australia, the Australian Prudential Regulation Authority (APRA) has begun collecting more data from regulated entities to better understand systemic cyber risk. Insurers across the region are beginning to follow suit, demanding more quantitative data on exposure, risk posture, and third-party dependencies.
A Note on Residual Risk
Even with solid controls and insurance coverage in place, residual risk will always remain. This is the portion of risk that cannot be eliminated or transferred, and must be accepted by the organisation as part of doing business.
Cyber insurance is not a license to be complacent. It is the last line of defence, not the first. A mature security posture prioritises risk identification, appropriate treatment planning, and evidence of due diligence — long before seeking a payout.
Final Thoughts
The cyber insurance industry is maturing — and so must the organisations seeking coverage. As the threat landscape evolves, insurers are demanding higher standards, more transparency, and stronger controls.
If you haven’t reviewed your organisation’s cyber insurance policy recently, now is the time. But more importantly, treat insurance as a complement, not a replacement, to a well-designed cyber risk strategy.