Cyber insurance – is going without worth the risk?

Simon Moore, CRMG Senior Managing Consultant, shares his thoughts on cyber insurance as policies become more specific and insurers more cautious.


The cyber insurance landscape has changed significantly over the past couple of years. Cyber insurance has always differed from other lines of cover: historical loss data is of limited relevance, while the number of threats (and so of potential losses for insurers) continues to rise at an accelerating pace.

Insurance companies exist to make a profit, so they must pay out less than they collect in premiums. For cyber cover, this means insurers are becoming more prescriptive and focused, capping payouts, and being more frugal and discerning about what they pay for by applying tight caveats and exclusions.

Businesses therefore need to be incredibly cautious when purchasing a cyber insurance policy. With the cyber insurance market nearing saturation, insurers can no longer afford to offset specific losses across a broader customer base. If you fail to choose the right policy, you might end up with coverage that is woefully inadequate, or nigh on impossible to claim against.

According to research conducted by info-security specialist and author Joseph Carson,

Given the volume of claims being made, a business needs to understand what is (and what is not) covered under the policy or policies it has in place.

Always read the small print

Carson’s researchers asked their subjects what would cause their cyber insurance to be invalid: 43% cited a lack of security protocols in place, followed by internal bad actors and people losing kit, both at 38%. Acts of war were cited by 33% of respondents and terrorism by 32%.

What’s more, there are plenty of examples of situations, especially with self-assessment, where controls are not uniformly applied – which will often result in a policy being void.

A good example of this is multi-factor authentication. An organisation may declare that MFA is in place when in fact it is enforced on only 60% of devices across the organisation. The insurer will have read that declaration as meaning all devices, and the gap can void the policy.
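The way to avoid that gap is to answer the self-assessment from evidence rather than assumption. The script below is an added example (not code from the original article or from CRMG): it joins a device inventory against an MFA enrolment report, computes coverage over the devices that are in scope, lists every device without enforced MFA, and only produces a "yes" answer when the list is empty. The two CSV exports are constructed sample data, and the column names (`device_id`, `in_scope`, `mfa_enforced`) are assumptions rather than the format of any particular MDM or identity provider.

```python
"""Reconcile an MFA attestation against evidence.

Added example, not from the original article. Joins a device inventory
against MFA enrolment records so that the self-assessment answer is backed
by data. The CSV exports are constructed sample data; the column names are
assumptions, not the export format of any real MDM or identity provider.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export from a device inventory / MDM (hypothetical columns).
INVENTORY_CSV = """\
device_id,owner,in_scope
LAP-001,alice,yes
LAP-002,bob,yes
LAP-003,carol,yes
LAP-004,dave,yes
LAP-005,erin,yes
KIOSK-01,shared,no
"""

# Constructed sample export from the identity provider's MFA enforcement report.
# LAP-005 is absent from it entirely, a common real-world failure mode.
MFA_CSV = """\
device_id,mfa_enforced
LAP-001,true
LAP-002,true
LAP-003,true
LAP-004,false
KIOSK-01,false
"""


@dataclass
class AttestationResult:
    in_scope: int
    covered: int
    gaps: list          # in-scope device ids without enforced MFA
    out_of_scope: list  # devices excluded from the attestation by policy

    @property
    def coverage(self) -> float:
        return self.covered / self.in_scope if self.in_scope else 1.0

    @property
    def attestable(self) -> bool:
        # "MFA is in place" on an insurer's questionnaire means every in-scope device.
        return not self.gaps


def load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def assess_mfa(inventory_csv: str, mfa_csv: str) -> AttestationResult:
    inventory = load_csv(inventory_csv)
    enforced = {
        row["device_id"]
        for row in load_csv(mfa_csv)
        if row["mfa_enforced"].strip().lower() == "true"
    }
    gaps, out_of_scope = [], []
    in_scope = covered = 0
    for row in inventory:
        if row["in_scope"].strip().lower() != "yes":
            out_of_scope.append(row["device_id"])
            continue
        in_scope += 1
        if row["device_id"] in enforced:
            covered += 1
        else:
            # A device missing from the MFA report is a gap, not an unknown:
            # absence of evidence is what the insurer will treat as non-compliance.
            gaps.append(row["device_id"])
    return AttestationResult(in_scope, covered, gaps, out_of_scope)


def questionnaire_answer(result: AttestationResult) -> str:
    """The honest answer to 'Is MFA in place?' for the self-assessment."""
    if result.attestable:
        return "Yes: MFA enforced on all in-scope devices"
    return (
        f"No: MFA enforced on {result.covered}/{result.in_scope} in-scope devices; "
        f"gaps: {', '.join(result.gaps)}"
    )


if __name__ == "__main__":
    r = assess_mfa(INVENTORY_CSV, MFA_CSV)
    print(f"coverage {r.coverage:.0%}, out of scope: {r.out_of_scope}")
    print(questionnaire_answer(r))
```

With the sample data the script reports 60% coverage and answers "No", naming LAP-004 (MFA disabled) and LAP-005 (missing from the report) as the gaps; only once both are remediated does the answer become "Yes". Keep the out-of-scope list as part of the evidence pack, because an insurer will want to know what was excluded and why.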

How to make cyber insurance work for you

There is a wide variety of cyber insurance policies available, covering specific areas of risk. Therefore, companies have to decide which policy or policies are best suited to them.

Remember that insurance will not (in itself) reduce the risk that a cyber event will occur, and neither will it help to protect a company’s reputation in the event of a breach (and particularly those that incur regulatory consequences). What insurance can do is reduce the resulting business impact in operational and financial terms.

Carson’s research also looked into what cyber insurance policies cover and found that only around half of policies would pay out for data recovery (54%) or for adding security controls (53%), while only 45% would cover incident response services. Paying for fines and lost revenue would be covered by 45%. For businesses subject to a ransomware attack, just 40% of policies would cover the negotiation of the ransom and/or the ransom payment itself.

All this means that taking a planned, risk-based approach to cyber insurance is key. To do this, an organisation needs to understand the specific risks it faces and what actions need to be put in place to address them. Insurance is just one of many potential options.

A focused risk assessment that takes into account different types of organisational harm (financial, operational, reputational, compliance-related and so on) is vital in this process. The aim should be to understand what would happen to the business in the event of a cyber attack – as it is the business that is ultimately being insured.

Remember – cyber insurance is not cyber security

Even with the right insurance policies in place, it is important to remember that cyber insurance is not cyber security. It is just part of a wider business strategy.

Cyber security - right first time.

Let’s design a cyber security programme that fits your risk profile precisely.