With cyberattacks on the rise, businesses are turning to insurance as a line of defence. But a new study by TELUS reveals that when it comes to this newer form of insurance, expectations aren’t meeting reality.
TELUS’ Canadian Cyber Insurance Study, which surveyed over 500 businesses, found that more than 70 percent of respondents that have cyber insurance reported receiving payouts smaller than expected after filing a claim, and nearly one-quarter reported receiving no payout at all.
Martin Bélanger, Vice President of Technical Sales at TELUS, explained that this expectation gap stems partly from companies not understanding which incidents or recovery costs their policies should cover. Compounding the issue is the fact that cyber insurance is still a relatively nascent industry, and coverage varies widely between providers.
“Home insurance has been around for decades, so insurers and policy holders know what to protect, but we’re not there yet with cyber insurance,” Bélanger said.
One of the biggest challenges for businesses navigating cyber insurance is underestimating the full cost of a data incident, according to Bélanger. Whether it’s a data breach, where sensitive information is stolen, or a denial-of-service attack, many organizations lack experience in handling large-scale events, which often leads to policies with insufficient reimbursement limits or narrow coverage.
TELUS’s study found that major cyber incidents, the kind that lead to insurance claims, cost businesses that file a claim an average of $6.5 million each, but the costs associated with these incidents run well beyond technical fixes.
“There’s the fact that your business will be out of operation for any number of days or weeks,” Bélanger noted. “There’s an investigating cost, a mitigating cost, and recovery costs you need to add to the breach. And if you don’t pay to fix the issue, you can be sure the hackers will be back.”
The myth of “set it and forget it”
One of the biggest mistakes businesses make, according to Bélanger, is treating cyber insurance as a one-stop solution.
Insurance companies typically require businesses to meet rigorous security standards, which can be difficult to maintain as organizations grow. Falling out of step with these standards can result in reduced payouts, or no payout at all.
This is where many companies stumble. Insurance companies typically require businesses to strengthen their processes and controls before finalizing a policy, according to the study. Failure to meet these requirements could result in the insurer voiding the policy or excluding certain aspects from coverage. Proactive businesses, however, can benefit by starting the insurance conversation early.
TELUS’s research found that insurance payouts, on average, cover only 60 percent of a cyberattack’s costs. To bridge that gap, Bélanger recommends outsourcing cybersecurity to a managed services provider that can ensure compliance and help prevent attacks altogether.
“Businesses want the best price for the level of coverage they need,” says Bélanger. “To do that, you need to have the best posture in cybersecurity as possible, which involves investing in your technology, making sure you have the right processes, the right patch management processes and that your people are getting trained on a regular basis.”
For businesses looking to close the gap between expectations and reality, Bélanger recommends starting with three areas: people, processes, and technology. A thorough assessment of these areas can reveal vulnerabilities that need addressing before approaching an insurer.
A managed security provider, such as TELUS, can conduct these assessments, identify risks, build a roadmap to improving security, and continuously monitor systems and servers to block any suspicious activity from breaching the network. According to Bélanger, they can also help lower insurance premiums.
“One of our customers was able to challenge their premium because of the assessment we did,” Bélanger says. “The company showed them the third-party assessment of their posture, which was better than the questionnaire the insurer used, and their premium and deductible went down.”
Bélanger said companies that already have a policy and are worried about whether they’re compliant should consider a managed security services arrangement, where a provider can oversee any security needs and make sure the company’s cyber practices and insurance policy are aligned.
When preparing to speak with a potential insurer, Bélanger suggests clarifying key details, such as confirming whether the policy protects sensitive data, the type of support provided during an incident, your responsibilities after an event, and the maximum coverage available. It’s also important to ask if the policy includes coverage for multiple incidents within a year.
“The delineation of what’s your responsibility and what’s their responsibility has to be clearly laid out in the contract,” Bélanger added. “That’s often overlooked in insurance policies.”
A two-way street
Once a policy is in place, Bélanger said businesses should keep insurers informed about any upgrades to their security systems, adding that proactive measures can lead to better rates during renewal.
“There’s a collaboration that needs to happen between insurers and customers in a way you don’t see with other forms of insurance,” Bélanger said. “Make sure they know what you’re doing and where you’re investing. Building that relationship is critical.”
Bélanger said cyber insurance is ultimately about balance: businesses need confidence that their coverage will protect them when it counts, while insurers must set realistic boundaries to manage risk.
“At TELUS, we want to help Canadian organizations have a better posture and be more proactive, so there are fewer incidents and then fewer payouts from insurers,” he said. “If we can do that, then maybe hackers will focus elsewhere because they know we’re protecting our business better than anywhere else.”
Download the TELUS Canadian Cyber Insurance Study to get more insights on how Canadian companies are using cyber insurance.
All images provided by TELUS.