The Truth About Cyber Insurance
Business leaders ask me about cyber insurance on an almost constant basis:
“Should we look into cyber insurance?”
“What’s the cost?”
“What value can insurance bring to my organization?”
“Is there any point in having a cyber insurance policy?”
“Will cyber insurance protect my business from a cyber-attack?”
These are loaded questions that I typically cannot fully answer, as I am not an insurance agent, nor do I hold any kind of insurance certification. However, I do know this:
Cyber insurance policies are designed to cover the costs of security incidents.
This includes the costs of breach response, forensics, data recovery, legal fees, and customer reparations. The typical incident types are fraud, ransomware recovery, and insider threats.
From the very start, it is important that your organization understands where its critical digital assets and risks are located, because that understanding is what lets you manage premium costs and obtain the right coverage when you adopt a cyber insurance policy. It is much like telling the insurance company you need to insure a Bentley when you really drive a Toyota; the reverse is equally costly. The costs will differ between each organization, its assets, and its risk tolerance. While cyber insurance can fit into a holistic approach to security, its place is greatly misunderstood.
Understanding critical digital assets and risk
What a lot of business leaders fail to understand is that cyber insurance is a post-incident cost offset and should NEVER replace a proper security program within an organization. Businesses over-invest in cyber insurance and under-invest in proper security controls, which means they expect to be breached and have the insurer solve their headaches, even when they will not spend the time or money on adequate cybersecurity controls. Many organizations fall under government-regulated data privacy laws, and fines under those laws are being issued more frequently because organizations fail to understand them and lack adequate cyber controls.
Cyber insurance is a new and rapidly growing industry
A recent report by Adroit Market Research claims that the cyber insurance market will grow rapidly, from around $4 billion in global premiums in 2019 to a value of $23 billion by 2025. This prediction is fueled by recently enacted data privacy regulations around the world, especially the European Union's General Data Protection Regulation (GDPR), which took effect in 2018.
Organizations do fear the major fines that suffering a breach can bring, and they look to their insurers for plans to help offset the costs associated with the breach and other recovery expenses. Although this will help during a loss, overreliance on cyber insurance without investing in proper cybersecurity controls demonstrates that the organization is prepared to suffer a breach without really doing much to protect itself against threats. While insurance companies can offset the costs after a breach, they cannot fully repair a company's reputation or recover lost intellectual property (IP).
The almighty cloud
The rapid adoption of the cloud is another reason for the increase in cyber insurance. Organizations use cyber insurance to cover their cloud migration and configuration mistakes, as opposed to developing a proactive security program that benchmarks and continuously tests the effectiveness of its controls.
Remember, cyber insurance providers are for-profit businesses that do not want to pay claims for breaches that could have been avoided with a proper proactive security program. I will not be surprised if insurers become more restrictive about claims or deny coverage to organizations that lack proper cybersecurity countermeasures. For instance, an insurer may choose not to pay, or to reduce the payout on, a claim from a business that suffers a breach that could have been mitigated by multifactor authentication (MFA); in practice, the security questionnaire completed at underwriting becomes the baseline against which such a claim is judged.
The changing data privacy landscape
This changing landscape means that the jargon, misunderstanding, and fear will continue to evolve. Insurers' policies and claim classifications will evolve with the global cyber landscape.
In conclusion, cyber insurance cannot and should not be seen as a replacement for a properly designed cybersecurity program and cyber countermeasures. Cyber insurance can help offset post-breach costs, but it will not cover the cost of losing IP, and it will give no comfort to an organization that does not have a properly designed cybersecurity program. What organizations do not realize is that a properly designed cybersecurity strategy and its controls will help them identify holes before an attacker does. This also improves the return on their cybersecurity budgets by identifying and removing overlapping controls. Doing so could reduce cyber insurance premiums while giving your organization full coverage across the board, which helps mitigate unnecessary risk overall.