How to keep your cyber security insurance premium down

Cyber security is expensive and getting more expensive. We spoke to an expert to share what systems and policies you need in place to keep premiums down.

Cyber attacks are the fastest-growing risk to Australian businesses. This is a particularly striking fact when considering each attack already costs, on average, $276,323 and takes an average of 23 days to resolve. Worse, insurance premiums are increasingly difficult to meet.

In 2022, global insurance broker Marsh said the cost of taking out cyber cover had, on average, doubled every year for three years in a row. Since then, premiums have stabilised, but many are projecting rises on the horizon, hand in hand with increasing frequency and costs of cyberattacks.

Recently, on The HR Leader, we spoke with Simon Cohen, founder and managing director of Cohesis, to help contextualise the rising costs of cyber security.

The stickybeak insurer

Rising costs mean that cyber security insurance is increasingly difficult to secure. But it’s not only the costs; insurance companies want to know who they are indemnifying and what they’re doing to protect their IT.

Mr Cohen explained: “So many companies have been struck down by [cyber attacks] that insurance companies are taking it very seriously and asking businesses: ‘what have you done, and what are you doing from a cyber perspective?”

What they are looking for are not just cyber security frameworks, but comprehensive and effective cyber governance within a business. Let’s consider both in turn.

Firstly, in terms of frameworks, there are many out there, and knowing which will work best for any given business function will come down to the particulars: “Different organisations will have different risk profiles,” said Mr Cohen, and an effective framework is one that matches the unique risk profile of a given organisation.

That said, the most obvious approach is known as the “Essential Eight”. Effectively, it’s an eight-stage mitigation strategy developed by the Australian Signals Directorate.

“The Essential Eight can be quite hard for many organisations to implement, but it’s a good guiding post because insurance companies look to the basics and these kinds of standardised frameworks,” said Mr Cohen.

Secondly, insurance companies will often consider internal governance and policy around cyber security when calculating a premium.

“Sometimes, it’s not about the systems. What it really comes down to is the governance,” said Mr Cohen. “How is technology managed within an organisation? What are the rules that people need to work by? Where do you get help? Where’s the information, the training? It’s all about how they fit together.”

If the rules aren’t clear, then an insurer will consider how the ad hoc security decisions are made. Typically, this responsibility resides with management, said Mr Cohen. However, other times, it can be anyone from the “chief executive to the managing director, operations”, and beyond.

“If an insurance company comes in and is asking these questions, it’s really asking, ‘How’s your business governed from a technology perspective?’” he said.

‘You don’t know what you don’t know’

Insurance companies want to know that organisations are proactively monitoring and correcting for cyber security threats, said Mr Cohen. It’s about having frameworks and policies in place so that issues can be avoided before they arise.

As noted by Mr Cohen, proactivity comes from awareness: “It’s very hard to be proactive about something you’re not even aware of. When leaders come from, say, a sales background, an HR background, a finance background, [cyber security] is sometimes placed in the ‘too hard’ box.”

“You don’t know what you don’t know. That’s where coming back to frameworks, health checks, and audits … that’s what can give you the awareness you need to be proactive,” concluded Mr Cohen.

This point was made by Kolide, which said: “The truth is, cyber liability insurance – like any other kind of insurance – is pretty boring, right up until the point that the people who need it can’t get it. Then it becomes not only interesting, but vital.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Simon Cohen, click below: