Article

Solving the cyber risk financial dilemma

Why a collaborative cybersecurity and insurance strategy is critical

Today’s digital-dependent world faces unrelenting cyber threats. At the same time, macroeconomic conditions may place senior leaders under enormous pressure to reduce risk while managing constricted budgets. This can lead senior leaders to frame the decision as a choice between investing in cybersecurity controls and purchasing cyber coverage.

Instead of an either-or choice, organisations should strike a balance through a two-pronged approach to financially prudent cyber resiliency. This consists of investing in cybersecurity controls while purchasing insurance that aligns with risk tolerance to cover losses following a potential cyber incident.

The average cost of a data breach globally was US $4.45 million in 2023, increasing by 15% over a three-year period. The average cost of a data breach in the US was more than double, at US $9.48 million.

Source: IBM’s Cost of a Data Breach Report 2023.

Combined cybersecurity measures and insurance provide improved protection

With cyber risks considered among the top challenges as outlined in this year’s Global Risks Report, it is critical for organisations to take actions that can help them mitigate and manage their cyber risk and improve their ability to effectively recover in case they are impacted by a cyber event.

But what steps can organisations take? The needed actions fall into three broad categories, described below, that together make up the basis of risk management.

Cybersecurity programs help organisations by reducing their attack surface, defending against threats, securing and encrypting data, segmenting or isolating critical systems, and limiting privileged access, to name a few. Robust cybersecurity programs — and their governance — are critical, and for public companies no longer optional. However, cybersecurity budgets are often insufficient to cover the considerable non-technology costs needed to respond and recover from a cyber incident. Additionally, putting new or enhanced cyber controls into place may take years, meaning that cybersecurity investments may not yield immediate risk reduction benefits, leaving a gap that insurance could help cover. 

Cyber and technology errors and omissions insurance can provide post-incident financial protection, by transferring myriad costs associated with system failures or security breaches off an organisation’s own balance sheet. Crucially, these insurance programs can cover non-technology costs, including potential legal liability to third parties, regulatory costs, lost income, increased marketing costs to stem customer attrition, and costs to comply with breach notification laws. Transferring these losses helps protect the balance sheet and preserve financial health.

Finally, organisations should evaluate, ideally quantitatively, their material cyber or technology risks. This analysis should assess how existing or expanded controls might decrease that implicit risk, what transfer programs are optimal in coverage and efficiency, and finally quantify the residual risk they can bear on their balance sheets.

A balanced approach is particularly important amidst increased recognition that even the most advanced security controls may not stop all threat actors or mitigate all human error. Simply put, the best controls may not be enough. Strong cybersecurity programs may reduce the likelihood or impact of a cyber event, but they are never event-proof. When losses do occur, an adequate cyber insurance program provides yet another layer of resiliency to help organisations respond and recover.

Nearly three-quarters of data breaches include a human element. Humans are fallible and some degree of cyber risk is inevitable, underscoring the idea that risk can never be completely mitigated.

Source: Verizon's 2023 Data Breach Investigations Report (DBIR)

Case study: Cyber insurance purchase frees funds for continuous cybersecurity improvement

A healthcare organisation had invested US $7 million to enhance cybersecurity controls and practices, successfully elevating its maturity level, according to National Institute of Standards and Technology (NIST) standards. The achieved risk reduction was calculated to have saved the organisation approximately US $25 million and was necessary to meet the requirements of insurers, which appear to be increasingly evaluating organisations’ cybersecurity measures before providing a quote.

The organisation’s leaders recognised that it was not possible to eliminate all cyber threats and that residual risk would remain, despite investments in cybersecurity. They decided to supplement security efforts by investing US $1.3 million in cyber insurance, which was also required from a compliance perspective.

The decision to purchase a fairly large limit allowed the organisation to transfer US $56 million in potential cyber risk off its balance sheet — a cost reduction that could not be achieved by investing the same amount in cyber controls. Cognisant of the potential benefits of cyber insurance, the chief information security officer (CISO) advocated for a US $10 million limit increase, which provided emergency funds that could be tapped in the event of a cyber incident.

Having a cyber insurance program in place allowed the organisation to continue its multiyear investment strategy to improve its already comprehensive cybersecurity processes.

5 questions to determine the value of cyber coverage

Considering what’s at stake, how can organisations make informed, financially prudent cyber risk management decisions, especially when security experts and risk management professionals may disagree on how to allocate limited budget between security solutions and risk transfer products? To help make objective, informed decisions, senior leaders should consider the following questions.

Organisations may not have the option to forfeit cyber coverage as it is often required by lenders or clients. For instance, when considering the potential implications of a cyber incident on supply chains, many organisations are requiring that their vendors and other critical partners purchase sufficient coverage. Examine your contracts to determine the insurance limits that you are required to purchase.

A cyber event is often an unbudgeted expense, with financial ramifications as the organisation works to identify and stop the threat and then recover from the event. Consider not only technology costs, but also other remediation expenses, including potential legal costs and third-party liability. Would the organisation be able to fund these costs without material impact to its financial results or the need to secure additional funding?

Work with your risk advisor to clarify any misconceptions about cyber insurance and gain a clear understanding of what is typically covered. Your advisor should be able to explain which services cyber insurance typically pays for following a breach, such as costs incurred to notify clients or regulators, and which costs your organisation would need to absorb in the absence of coverage. It is important to note that most insurers continue to provide robust coverage that should respond well to cyberattacks.

There are often misconceptions associated with the cost of sufficient cyber insurance limits. While insurance can appear expensive, purchasing a program with adequate limits to cover expenses following a breach is often a fraction of the costs associated with recovery. Also note that the cost savings from obtaining less coverage may not be sufficient to allow an organisation to make significant and speedy improvements to its cybersecurity posture.

While cyber insurance applications can be time-consuming to complete, the detailed information that is typically required is often already available. Cyber insurance applications are typically commensurate with other data requests from clients, lenders, or others. Further, although it can be laborious to gather the data the first time around, this typically gets easier in subsequent renewals. Your insurance advisor may be able to guide you in answering the questions and providing insurers with all relevant information to facilitate the application process.

Balance cybersecurity investment and insurance decisions

If you would like Marsh to help your organisation optimise your security controls and evaluate coverage needs, please contact us or reach out to your Marsh representative directly.

Our people

Gill Collins

Head of Cyber Incident Management and Cyber Consulting, Pacific

Brylee Jaghbir

Head of Cyber, Pacific

Hannah Morgans

Growth Leader, Cyber

The information contained in this publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.

If this communication contains personal information we expect you to treat that information in accordance with the Australian Privacy Act 1988 (Cth) or equivalent. You must advise us if you cannot comply.

LCPA 24/181