Is cyber insurance worth the paper it's written on?
Modern business faces threats that were unheard of just decades ago. Cyber threats, often in the form of ransomware attacks, have grown in prevalence and are a very real concern that all businesses, of whatever size, should protect against.
Within the various tools at one’s disposal for protecting against such threats are preventative and responsive measures. Cyber insurance has emerged as a primary safeguard for businesses. However, as a reactive measure, is it enough? And without preventative actions, is cyber insurance even worth the paper it is written on?
How cyber insurance works
As with any insurance, the purpose of cyber insurance is to protect a business’s financial situation should a cyber attack occur. Taking the ransomware scenario, cyber insurance could pay out for loss of business during downtime as a result of the attack, the cost of payment for the ransom, and any subsequent loss of business.
However, it will rarely be the case that cyber insurance will pay out for all the above. The reality is businesses will need to weigh up what losses they feel they can weather, and at which point they require the insurance to kick in. This may mean the downtime isn’t covered, and certainly, any ransom payment will not be either due to the grey legality of such transactions.
Organisations must, therefore, work with their insurance broker to put together a premium which works for their situation. It may be that immediate cash flow is needed, and so the first £10m, for example, is paid out, or it may be that their reserves are healthy, and instead the first £10m isn’t paid out, but anything after the cap is.
Consider the small print
One such item a company will want to negotiate with its broker is the small print within the policy. Cyber insurance policies often have limited coverage, containing numerous exclusions and conditions. This leaves businesses vulnerable and potentially unable to claim compensation when they experience a cyber-attack.
Additionally, the rapidly evolving nature of cyber threats presents challenges as insurance policies may not adequately address emerging risks. This underscores the need for businesses to first put proactive security measures in place, in order to ensure the criteria cyber insurance policies lay out are met.
However, again, this is another moment for organisations to speak with their broker. Discuss the small print with them and identify the proactive measures that are required to validate the policy. These may be security defences such as firewalls, intrusion detection systems, and regular security assessments. Not only will this vastly improve the chances of pay-out from an attack, but it will greatly reduce the likelihood of one too.
Developing a 360-degree approach to cyber security
Comprehensive risk management is an integral part of an effective cybersecurity strategy. The first step for businesses should always be to conduct thorough risk assessments to identify vulnerabilities and areas of weakness within their digital infrastructure. Only by understanding the specific cyber risks they face will allow organisations to develop tailored risk mitigation strategies.
It is simply prudent to focus on preventative measures first, before considering reactive support such as cyber insurance. However, as mentioned above, it is very much worth working with a cyber insurance broker when considering the preventative measures as to meet their needs from the very beginning. This will save the need to redo work later on, and ensure your strategy is one which ensures pay out from insurance, should the worst happen.
While cyber insurance has limitations, notably the amount it will pay out and the requirements that must be met before it does so, it remains an important component of a comprehensive cybersecurity strategy. Limiting financial losses may be the difference between a business failing or surviving. As such, businesses must recognise that cyber insurance is just one piece of the puzzle in protecting against cyber threats.
Ultimately, prioritising proactive security measures, comprehensive risk management, and employee training are essential foundations for effective cyber threat protection. My advice to any organisation is to always focus on this preventative measure first and foremost, before purchasing cyber insurance. Crucially, this doesn’t mean ignoring it altogether; engage a broker and work with them to lay the security foundations both your business and their policy require. Not only will it save time in the long run, but it will also ensure the cyber insurance you buy is truly worth the paper it’s written on.
About the author
Phil Mason is the Chief Executive Officer of CyberCX UK, Australia’s largest independent cyber security services company. CyberCX has a global workforce of more than 1,200 cyber security professionals, a global footprint of over 23 offices, and offers a full suite of cyber security services.