Cyber insurance coverage: How much does your business need?

According to Guy Carpenter, the CrowdStrike tech outage cost businesses globally between US$300 million and US$1 billion in insured losses. In the immediate aftermath, many companies asked this literal million-dollar question: “Is my cyber insurance policy sufficient to cover losses, settlements, and damages from a similar incident?”

Asia has undergone a rapid digital transformation in recent years, corresponding to increased exposure to cyber outages and threats, with the average weekly cyber attacks per organisation in the region rising 23% year-on-year in Q2 2024.¹ While cyber insurance can help companies mitigate losses from business interruption, breach response costs, ransomware, and more, what would be the appropriate cyber insurance coverage required for your business?

Determining the right amount of cyber insurance coverage for your business

There are two approaches you can consider in determining the optimal amount of cyber insurance needed to meet your specific business needs:

#1: Benchmark your risk profile against industry peers

You can gain an indication of how much cyber insurance you should be purchasing by comparing your cyber risk profile against industry peers. Digital tools such as Marsh’s Blue[i] cyber risk analytics can provide you with tailored insights into cyber threats, enabling you to make decisions about cybersecurity investments by:

Measuring cyber threats specific to your organisation, business impact, and cybersecurity controls, covering more than 800 security controls and 110 unique cyber event scenarios.
Calculating the potential losses of cyber incidents based on standard metrics such as the number of employees, revenue, and past incidents.

#2: Quantify your cyber risk exposures

The lack of quantitative assessment of cyber risk can result in underinsurance and impact the cost and terms of a cyber insurance policy, leading to a protection gap when a cyber incident occurs. Quantifying cyber risk exposures requires specialised skills, and Marsh Asia’s Cyber Risk Quantification can help you with the following capabilities:

A six-step qualitative and quantitative consultant-led approach that analyses your existing cyber coverage and gaps. The approach also evaluates the total cost of risk of your cyber insurance programs.
Conduct a comprehensive analysis of threats by identifying vulnerabilities based on your business’s digital footprint and cyberattack scenarios.
Provide expert advisory capabilities including forensic accounting, claims, and actuarial analytics to define losses and identify the optimal insurance structure.
Tailor the foreseeable loss amount based on your organisation’s vulnerabilities and the maximum potential financial impact from a cyber incident offset against your current cybersecurity risk profile.

How do you decide which is the best approach

Cyber Benchmarking and Cyber Risk Quantification are practical approaches to support you in making informed decisions about your cyber security coverage.

Cyber Benchmarking is beneficial for your companies if you are in the early stages of your cybersecurity journey, providing a quick and direct solution to quantify cyber risk exposures generally.

On the other hand, if you have a large business that already has cyber insurance, and you want to enhance and optimise the coverage, Cyber Risk Quantification is for you. It also caters to companies seeking tailored, in-depth insights into their cybersecurity posture and quantitative measurements of risks for further improvements.

Case Study: Quantifying cyber risks for a large multinational’s first cyber insurance purchase

A major manufacturer in Asia sought to purchase cyber insurance for the first time and needed assistance in understanding its cyber risk exposure and determining the appropriate amount of coverage in a challenging insurance market.

Marsh Asia’s Cyber Risk Quantification team provided support by:

Quantifying the financial exposure of cyber events, such as ransomware, business interruption and data breaches.
Assessing the effectiveness of existing cyber controls by benchmarking the client against industry and peer organisations.

Marsh Asia also assisted in presenting the business’s cyber risk profile to the insurance market, ultimately helping the company improve its cyber risk resilience by obtaining coverage for key identified loss scenarios.

Case Study: Strategic assessment of cyber risks in operational technology (OT) and IT systems to validate coverage

A global automotive company in Asia providing a variety of services to different retailers and suppliers wanted to quantify its risk exposures to a major cyberattack that could result in a business interruption and/or the loss of sensitive data. The company also wanted to verify if its existing coverage was sufficient.

Quantifying the risks of the company’s complex ecosystem, which encompasses both physical operations like their manufacturing plant and digital systems such as the cloud environment proved to be challenging. However, Marsh Asia was able to:

Define the impact of hypothetical cyber risk scenarios on the client’s critical OT and IT applications.
Inform the management of the potential risk gaps and scenarios and quantify these risk exposures.
Validate the coverage of any insurance the client may choose for mitigating the risks.

The insights from Marsh Asia enabled the company to strategically assess its risks and validate the effectiveness of their existing coverage.

Do you know which cyber events are covered in your cyber insurance program and if your coverage is sufficient?

Get in touch with a Marsh Asia specialist to discover how our tailored cyber risk quantification services can empower your organisation to make informed decisions and optimise your cybersecurity investments.

¹ Check Point (2024), Check Point Research Reports Highest Increase of Global Cyber Attacks seen in last two years – a 30% Increase in Q2 2024 Global Cyber Attacks. https://blog.checkpoint.com/research/check-point-research-reports-highest-increase-of-global-cyber-attacks-seen-in-last-two-years-a-30-increase-in-q2-2024-global-cyber-attacks