What is cyber insurance? Is it worth the investment? Your questions answered
Just like any other form of business insurance, cyber insurance provides protection for businesses when faced with an event that could severely damage their financial position and potentially lead to bankruptcy.
However, given the growing volume of increasingly sophisticated cyber-attacks facing businesses, buying cyber insurance today is significantly more complex than it was just a few years ago. Once a mere line item that businesses could add to their policy without a second thought, cyber insurance now involves a rigorous due diligence process before cover is granted. And rightly so, given what’s at stake for businesses and insurers alike.
With this in mind, let’s explore some of the most common cyber insurance questions we hear from our customers.
How much cyber insurance do you need?
When procuring cyber insurance, businesses must first ascertain exactly which data, systems and services they need to protect. Or in other words, which systems and services are crucial to maintaining day-to-day operations and where sensitive data is stored.
Based on this, businesses can then start to calculate the potential cost fallout of an attack. This might include:
- The cost of responding to the attack itself – including internal and external service providers, media and reputation management etc.
- Legal and regulatory costs – such as the cost of notifying authorities and affected third parties
- The cost of lost access to systems and data
- Third party compensation – in the aftermath of an attack, businesses will often face claims for loss of personal data, third party financial losses, damages for late deliveries, inability to deliver services and more
This should give businesses an estimate of the level of cover they require, and a clear understanding of their policy needs.
Next comes the long and arduous process of comparing policy offers from various insurers. Doing this effectively requires close collaboration between legal and technical cyber security teams. Working together, these experts must identify:
- Specific protection and certification requirements
- The status of cover for new and emerging attacks
- Any exclusions and limitations
- What – if any – advice, guidance or consultancy services are available from the insurer
What constitutes a ‘reasonable level of protection’? Why is cyber insurance not a panacea?
These days, all cyber insurance policies require the policyholder to have a reasonable level of protection in place. Just as home insurance won’t pay out if you’re burgled after leaving your front door open, cyber insurance won’t pay out if a business hasn’t taken steps to protect its systems and data.
However, what constitutes ‘reasonable’ varies, and there’s no doubt that insurers’ requirements are becoming increasingly stringent. This means that businesses should aim to go above and beyond the minimum standards set out by their insurer to avoid being caught out.
What’s more, implementing additional recognised protection measures above the bare minimum can also lower premiums. Additional steps businesses can take to boost their overall cyber maturity include:
- Certification under the Cyber Essentials scheme and ISO/IEC 27001 (the certifiable standard in the ISO 27000 family)
- Using certified service providers
- Integrating relevant services into a comprehensive incident response plan
While cyber insurance can be a vital lifeline for businesses as they recover from a cyber-attack, it shouldn’t be seen as a substitute for comprehensive cyber protection. After all, as well as protecting customers, insurance companies are there to make a profit, and it’s common for payouts to be restricted or denied for any one of a huge number of reasons.
Ransomware insurance – an ethical conundrum?
For the most part, procuring cyber insurance is a non-controversial decision. After all, cyber-attackers present a very real and growing threat to businesses, and it makes sense to try and defend against this threat using any means possible – right? Not so fast. So-called ransomware insurance, which often has provision for the payment of ransoms to cyber-attackers, continues to cause much controversy.
When faced with a successful ransomware attack, businesses often pay significant sums to regain control of their systems and data. For instance, the 2021 Colonial Pipeline attack resulted in a $4.4 million payment, while the CNA Financial attack the same year reportedly led to a record $40 million ransom payment. In turbulent times, paying a ransom to quickly steady the ship might seem like a good solution, but businesses should think twice before doing so for several reasons:
- If a business pays a ransom once, it signals that they’d be willing to do so again – in this way, ransomware insurance encourages further attacks
- There’s no guarantee that full access to systems and data will be restored – cyber criminals aren’t the most trustworthy business partners!
- Ransom payments ultimately fund more attacks and enable bad actors to develop sophisticated capabilities, which help them avoid detection for longer
What is the bottom line of having cyber insurance?
In the current fast-moving cyber threat landscape, cyber insurance can be a useful tool for businesses looking for an additional layer of protection. However, businesses must be willing to put in the groundwork to select the right policy and – above all – remember that cyber insurance should be just one tool in a much larger cyber-security toolset.
Looking for ways to improve your business’ cyber maturity? Get in touch with our experienced consultants.