C'mon Cyber Insurance - Be Fair Dinkum

I’ll let you into a well-known secret about cyber insurance claims. They usually happen because a security control in the business fails due to human error. Nothing fraudulent, malicious or sinister — just everyday people being fallible and cyber-criminals taking advantage of the situation.

Several examples of how cyber claims can happen:

1) An employee opens a phishing e-mail and unwittingly provides a criminal with log-in details. A few days later the business has the forensic experts in, trying to investigate how their network has been encrypted by bad actors;

2) A company’s IT service provider switches off Multi-Factor Authentication due to a troubleshooting issue, but then forgets to enable it again. A Microsoft 365 e-mail account is then compromised, and phishing e-mails are sent out to hundreds of contacts;

3) The Financial Controller is away on leave. Their assistant receives a change of bank account e-mail request from a supplier advising the payment is urgent and must be made by close of business. The Financial Controller is uncontactable. The assistant phones the supplier to verbally authenticate the change request, as per the Financial Controller’s normal process, but there is no answer. It’s Friday afternoon and the inexperienced assistant is anxious ‘to do the right thing’ and makes the payment. Unfortunately, the change request emanated from a criminal and not the genuine supplier. The payment has been stolen.

A call for greater transparency

Cyber insurance should respond to each of the above, and the good thing is, most policies do. However, exclusions, conditions precedent, write-backs and claims conditions in some wordings may rear their head, and indemnity may be questioned.

A couple I’ve come across recently:

1) Social engineering fraud cover that will only pay 10% of the sub-limit if the identity of a person requesting the change of bank account is not authenticated.

In practice, if the identity of third parties requesting change of bank account was always properly authenticated, social engineering fraud claims would disappear. No more need for that insurance cover.

2) Claims Conditions that state that Insureds must require service providers to maintain security of the Insured’s systems and maintain backups.

The question is, how do SMEs police this? With great difficulty, as they are reliant on what they are being told by their service providers.

I wonder if these vital sections of the policy are being highlighted to the broker and therefore onto the Insured?

Also, I’m no expert on the Unfair Contracts Act, but I wonder…?

Insurance can be a grudge purchase, so brokers do sometimes face scepticism from clients in respect of this new type of policy that they suddenly need. The IT security industry has slowly moved from a cynical view of cyber insurance a few years ago to now understanding its benefits. It would be a great shame if that cynicism returns.

So, c’mon Cyber Insurance. At the exact time the Insured needs the support of their broker and the Insurer, they don’t want to be discovering these clauses.

Let’s be fair dinkum.