Cyber Insurance

September 18, 2023

As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the Australian Information Commissioner, for the 6-month period from January to June 2023, a significant 70% of sources of data breaches were from malicious or criminal attacks.

Cyber incident breaches from external threats, and human error sources, combine to present a daunting prospect for organisations when it comes to cyber risk mitigation efforts. That’s why the ability to automatically measure your controls is vital to internal assessment of cyber risks – a key part of your operational resilience.

The quantitative v qualitative debate

The reality of malicious attacks is one part of the reason why quantitative — rather than self-assessment-based reporting — is so important for organisations reporting on the health of their cyber security posture. Cyber security controls will obviously assist in pre-emptively limiting the likelihood of a breach; but how will you know when gaps in those controls appear, exposing your systems to risk of attack? That’s where quantitative, data-driven scoring assists, by providing an objective and relative measure of the scale of the risk. Changes in qualitative measurement, particularly small ones, can sometimes be difficult to discern but objective measurement, when based on verifiable data, reflects any relative change in performance over time. It’s no different measuring the cyber security and the cyber maturity of your organisation.

As we support our clients to manage their risks and controls, we also improve the quality of the information necessary for insurance underwriters to more accurately price risk. This means the best possible insurance renewal terms for an organisation, with underwriters increasingly equipped with a simple report that verifies client statements about their cyber controls and posture.

The reality is that human-nature influences qualitative assessments, making them subjective and often unreliable. Alternately, security controls that are systematically measured against a relevant benchmark, enable your SOC or ICT team to know where to start their mitigation efforts; and your prospective insurer to be more informed about the risk they are being asked to take on.

An established measure that’s ready for you to access

The Australian Government’s Australian Cyber Security Centre (ACSC), established a framework of mitigation strategies to make it harder for attackers to gain access to your IT assets and systems  – the Essential Eight – that incorporates a quantitative benchmark for measurement. The key to mitigation of cyber risks – whether from human error or external breaches – still lies in the detection of the correct implementation of your cyber risk controls and the demonstrable measurement that shows your current posture, on an ongoing basis.

The UK Government’s National Cyber Security Centre provides similar guidance for both public and private sector organisations looking to protect themselves from malware and ransomware attack. The Mitigating malware and ransomware attacks guidance provides advice on the appropriate security controls to limit the:

  • likelihood of infection
  • its spread across the organisation
  • the impact of the infection

Prevention, containment and recovery mitigation strategies are universal themes.

As ransomware and cyber risk increase, organisations are encountering the longer lifecycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness. The upside, is that by better managing your security controls, you can better influence the price of risk and the cost of your premiums, as well as increasing the operational resilience of your business.

The insurance industry is looking closely at ways to improve the quality of the security risk information they receive. Improved risk information means the better pricing of risk and proven applications, like Huntsman Security’s Essential 8 Auditor or SmartCheck to measure and verify an organisation’s cyber security posture, and:

What attestations and metrics should UK & Australian Executives, Directors, Risk and Security teams be looking at?

1. On-demand cyber security maturity rating, measured against the ACSC Essential Eight framework or NCSC & NIST guidance for malware and ransomware mitigation – Whether you review your cyber risk weekly, monthly, or quarterly, you should have access to a quantitative number that gives you a score and maturity rating – across each of the prevention, containment and recovery safeguards.

Essential 8 Auditor – Patch Operating System Maturity Summary

2. Data-driven reporting and analysis – Quantitative-based analysis and reporting is the most accurate way of measuring compliance. Data-driven reports provide certainty and allow your organisation to confidently use the results as a measure of performance in your official attestation of your cyber security assessment.

SmartCheck – Staff Awareness Score Summary

3. Benchmarks for security improvement and a roadmap to remediate gaps – Automatic identification and classification of each security issue found should be something your SOC or ICT teams have access to. An actionable report will support the remediation and the re-run of your maturity assessment as part of any uplift effort. These reports then form the basis of your own cyber maturity journey, and are a useful aide memoire for attestation to your internal cyber risk management activities.

Essential 8 Auditor – Reports & Summaries

The World Economic Forum published recommendations and considerations for boards to follow, in their publication: Principles for Board Governance of Cyber Risk.

Principle 2.2 encourages boards and leadership to continually examine comparative measurements and metrics for cyber risk. The paper states: “Industry-accepted frameworks and reporting can guide data-driven decisions, aligning risk appetite with organizational goals and strategy.” 

Cyber risks can change overnight, with new external threats emerging or simply through new connections, devices, staff and systems. Organisations need to have visibility of those changes for ongoing risk awareness and mitigation, and at insurance renewal time – they are an important validation of their cyber risk management efforts.

Talk to your Broker today, about starting the Preliminary Stage of your Cyber Insurance Renewal process, and build more confidence in your cyber risk management by using risk-based measurement to improve the process now and into the future.

Your risk profile is the single most important factor in informing re-insurance success. Huntsman Security’s Essential 8 Auditor or SmartCheck software applications strengthen your internal capacity to address these emerging cyber risk areas, support renewal of your cyber insurance, and manage your broader cyber security needs.

Contact us to start the Preliminary Stage of your Cyber Insurance Renewal process by activating the Insurance Renewal Initial Report.

Top 10 Questions about Cyber Security Management for Executives & Directors (AU)


Related Cybersecurity Content


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.