With cyberattacks on the rise, businesses are turning to insurance as a line of defence. But a new study by TELUS reveals that when it comes to this newer form of insurance, expectations aren’t meeting reality.
TELUS’s Canadian Cyber Insurance Study, which surveyed over 500 businesses, found that more than 70 percent of respondents that have cyber insurance reported receiving payouts smaller than expected after filing a claim, and nearly one-quarter reported receiving no payout at all.
Martin Bélanger, Vice President of Technical Sales at TELUS, explained that this expectation gap stems partly from companies not understanding which incidents or recovery costs their policies should cover. Compounding the issue is the fact that cyber insurance is still a relatively nascent industry, and coverage varies widely between providers.
“Home insurance has been around for decades, so insurers and policy holders know what to protect, but we’re not there yet with cyber insurance,” Bélanger said.
One of the biggest challenges for businesses navigating cyber insurance is underestimating the full cost of a data incident, according to Bélanger. Whether it’s a data breach, where sensitive information is stolen, or a denial-of-service attack, many organizations lack experience handling large-scale events, which often leads to policies with insufficient reimbursement limits or narrow coverage.
TELUS’s study found that major cyber incidents—the kind that lead to insurance claims—cost businesses that file a claim an average of $6.5 million each, but the costs associated with these incidents run well beyond technical fixes.
“There’s the fact that your business will be out of operation for any number of days or weeks,” Bélanger noted. “There’s an investigating cost, a mitigating cost, and recovery costs you need to add to the breach. And if you don’t pay to fix the issue, you can be sure the hackers will be back.”
The myth of ‘set it and forget it’
One of the biggest mistakes businesses make, according to Bélanger, is treating cyber insurance as a one-stop solution.
Insurance companies typically require businesses to meet rigorous security standards, which can be difficult to maintain as organizations grow. Falling out of step with these standards can result in reduced payouts—or no payout at all.
This is where many companies stumble. Insurance companies typically require businesses to strengthen their processes and controls before finalizing a policy, according to the study. Failure to meet these requirements could result in the insurer voiding the policy or excluding certain aspects from coverage. Proactive businesses, however, can benefit by starting the insurance conversation early.
TELUS’s research found that insurance payouts, on average, cover only 60 percent of a cyberattack’s costs. To bridge that gap, Bélanger recommends outsourcing cybersecurity to a managed services provider that can ensure compliance and help prevent attacks altogether.
“Businesses want the best price for the level of coverage they need,” says Bélanger. “To do that, you need to have the best posture in cybersecurity as possible, which involves investing in your technology, making sure you have the right processes, the right patch management processes and that your people are getting trained on a regular basis.”
For businesses looking to close the gap between expectations and reality, Bélanger recommends starting with three areas: people, processes, and technology. A thorough assessment of these areas can reveal vulnerabilities that need addressing before approaching an insurer.
A managed security provider, such as TELUS, can conduct these assessments, identify risks, build a roadmap to improving security, and continuously monitor systems and servers to block any suspicious activity from breaching the network. According to Bélanger, they can also help lower insurance premiums.
“One of our customers was able to challenge their premium because of the assessment we did,” Bélanger says. “The company showed them the third-party assessment of their posture, which was better than the questionnaire the insurer used, and their premium and deductible went down.”
Bélanger said companies that already have a policy and are worried about whether they’re compliant should consider a managed security services arrangement, where a provider can oversee any security needs and make sure the company’s cyber practices and insurance policy are aligned.
When preparing to speak with a potential insurer, Bélanger suggests clarifying key details, such as confirming whether the policy protects sensitive data, the type of support provided during an incident, your responsibilities after an event, and the maximum coverage available. It’s also important to ask if the policy includes coverage for multiple incidents within a year.
“The delineation of what’s your responsibility and what’s their responsibility has to be clearly laid out in the contract,” Bélanger added. “That’s often overlooked in insurance policies.”
A two-way street
Once a policy is in place, Bélanger said businesses should keep insurers informed about any upgrades to their security systems, adding that proactive measures can lead to better rates during renewal.
“There’s a collaboration that needs to happen between insurers and customers in a way you don’t see with other forms of insurance,” Bélanger said. “Make sure they know what you’re doing and where you’re investing. Building that relationship is critical.”
Bélanger said cyber insurance is ultimately about balance: businesses need confidence that their coverage will protect them when it counts, while insurers must set realistic boundaries to manage risk.
“At TELUS, we want to help Canadian organizations have a better posture and be more proactive, so there are fewer incidents and then fewer payouts from insurers,” he said. “If we can do that, then maybe hackers will focus elsewhere because they know we’re protecting our business better than anywhere else.”