Organizations with limited cybersecurity skills often have difficulty hiring and retaining qualified talent to build and manage a suitable cyber defence. The prevailing feeling seems to be, “I want to be done with this. I don’t fully understand what I have to do to protect my organization. I’m just going to buy insurance to cover my cyber risk exposure.”
Most articles suggest that buying cyber insurance is a good idea as it helps you recover from a cyberattack, remediate deficiencies in your defences and allows you to continue operating your business with minimal disruption.
First, build a solid security foundation
As a cybersecurity consultant in no way compensated by the insurance industry, I do recommend organizations buy cyber insurance but only after they have built a solid foundation of security controls, documented and aligned their processes with accepted standards, and trained their employees to respond appropriately.
All too often, organizations skimp on doing the right things because they are hard. Instead, they purchase cyber insurance to act as a huge band-aid to cover up all their cyber-risk exposures. That’s when the problems start.
The irony of this strategy is that cyber-insurance underwriters often require those policyholders to commit to implementing a set of standards-based security controls to prevent cyberattacks at the time of purchase, or they will deny most claims.
These are usually the same security controls that were never developed or implemented or were under-resourced in favour of purchasing cyber insurance.
Commit to defending your organization’s data assets
Cyber insurance can be worthless if you don’t do the hard work of implementing a standards-based security framework that is adequately staffed, trained and armed with sufficient tools and processes to defend an organization to the full value of its data assets.
Yet, cyber insurance is a valuable tool to protect against easily-valued losses such as regulatory fines and breach notification. Cyber insurance isn’t a stopgap measure, though, to compensate for weaknesses in an IT security program. Blank coverage for a broad array of low-limit loss events doesn’t make sense.
Focus first on building a fundamentally sound cyber defence. Consider this example of the economic tradeoff between investing in improving cyber defences versus investing in cyber insurance: A few years ago, a large healthcare services company with US$60B in annual revenues was paying $7M annually in cyber insurance for $100M in coverage. Then a data breach occurred, exposing the healthcare records of their 23.5M members.
After the company recovered, they hired a top-tier accounting firm to perform a forensic summation of what the breach had actually cost them. The direct losses attributable to the attack were calculated at $59M, including $14M in cybersecurity improvements to prevent the attack from happening again.
However, the indirect losses – lost contract revenue and customer relationships, damage to their brand, increased cost of debt and more totalled a whopping $1.62B. Even if their insurer had paid the entire coverage amount of $100M (which would have been unlikely if any agreed-upon security controls were missing or outdated), they still would have sustained an enormous financial loss. These crippling costs could have been avoided by a single $14M investment in cybersecurity improvements that, in the end, they had to implement anyway.
As cyber threats grow, so do security solutions
Thirty years of history have shown us that cyber risk is difficult to understand, problematic to hedge, only likely to grow and characterized by a continually changing threat environment. Tomorrow’s cyberattacks may not look much like today’s — as evidenced by 2020’s spate of ransomware compared to the breaches of 2015 to 2017.
Security tools and processes have evolved to meet the growing challenges from cyber threats. Similarly, the cyber-insurance industry has evolved to address the growth and diversity of cyber threats. Policies are now offered for specific breach remediations and are available in broad coverage language for incidents both big and small—from network outages to data breaches and financial fraud and ransomware.
To make sure you get the right cyber insurance coverage for your organization, read your policy’s fine print, make sure you understand your security preparedness obligations. Further, map your assets to your coverage, understand your costs, and brief your executive team on your recommendations.