Cyber insurers are getting craftier to avoid data-breach payouts

With volumes of cybersecurity insurance claims surging, businesses need to be more careful than ever about what their policies do and don’t cover, according to an academic who warned that insurers are becoming more mercenary in their interpretations of cyber events.

“Claims officers have to balance multiple competing interests,” Dr John Selby, a lecturer in business within Macquarie University’s Department of Accounting and Corporate Governance and an active member of the Optus-Macquarie Cybersecurity Hub, told attendees at this month’s Australian Cyber Conference in Melbourne.

“If they don’t deliver on the promise the insurance company made to policyholders, nobody will buy insurance from the company in the future – but if they pay out too much money to you, there won’t be enough left over to pay out other claims that come along later in the year.”

The growing number of cybersecurity incidents was driving many companies to lodge claims with cybersecurity insurers, which are becoming more careful in finding ways to minimise or deny their obligation to pay up.

Disparities between conventional insurance concepts and IT concepts were creating discord, Selby said: some policies, for example, are designed around first-party losses only and don’t cover policyholders for third-party losses, leaving businesses without the basis for a claim if they have outsourced business functions to cloud-based service providers.