Today, we’re exploring a question many business leaders have been working to navigate: “Is cybersecurity insurance worth the investment?”
The first cyber insurance policy came into existence in 1997.
It was pretty humble, designed to help retailers insulate themselves against the risk of customer credit card numbers being stolen. For a mere $2,500 per year, the company could receive up to $250,000 of coverage in legal costs and settlement fees. If they passed a third-party security audit, they could knock that price down to under $2,000 per year.
By 2017, cyber insurance had become the fastest-growing sector in the insurance industry. But it was still pretty easy to get, albeit with increased limitations and exclusions, until the pandemic. A huge, global push to digital business meant more cyber attacks, which meant more payouts for insurance companies.
Insurance companies are now requiring more rigorous security controls and strategies before granting coverage, and they’re examining claims with greater scrutiny. The skyrocketing costs of both coverage and incident response have enterprises scrambling to navigate the benefits and tradeoffs of insurance.
What does insurance cover and what do insurance companies want?
Cyber insurance hasn’t changed much in principle. It helps cover the costs of investigating and resolving breaches and attacks like ransomware. This includes recovering lost data, notifying affected parties, legal fees, regulatory fines, and lawsuits.
The basis of most insurance policies is having taken reasonable care to mitigate the risk in the first place. Regarding cybersecurity, it is very reasonable to assume that organizations are expected to use common industry practices to secure devices, applications, and access.
However, the standards for gaining coverage are becoming more stringent. Here’s what they’re looking for:
1. Active measures to proactively prevent cybersecurity incidents
You may have heard the rumor that car insurance won’t cover theft if you left your doors unlocked or the key in the car. Businesses seeking a cyber insurance policy must comply with a host of security measures and precautions, such as:
- Basic cyber hygiene like multi-factor authentication
- SOC2 compliance, which specifies how organizations should manage customer data
- Proper security vetting of software and cloud solution providers
- High-governance industries like finance and healthcare have their own standards to comply with, like HIPAA and PCI DSS
2. Plans for minimizing damage if the company falls victim to an attack
These days, cyber incidents aren’t a question of “if” but of “when.” Insurance providers want assurance that in the wake of an attack, the company isn’t making up its response as it goes.
- Detailed response and recovery plans
- Procedures specifying which forensic work will be performed and by whom
- Which legal parties the company will engage to deal with the incident’s aftereffects
3. Up-to-date security tools and architecture
The fragility of the software supply chain and the cascading risks that come with it have been the topic of much conversation in the past few years. Best practices in isolating an intruder have come a long way — the network perimeter can no longer function as a single point of failure.
- Tools are generally secure. They don’t have a high number of vulnerabilities or zero-day flaws.
- Tools are provided by vendors with a good track record of security, that have not recently been compromised or breached.
- The company can show it patches vulnerabilities quickly.
- Networks are designed, configured, and segmented in a way that promotes security, especially in the cloud.
How should businesses think about cyber insurance risks?
With good reason, cyber insurance has popped onto the radar of enterprise leadership, finance, and risk management. The likelihood, potential damage, and associated costs of a breach or disruption are higher than ever. At the same time, cyber insurance providers are making coverage harder to obtain, covering less, and charging more.
Leadership must be involved in cyber insurance decisions. The stakes are simply too high for anything less. Cyber insurance sits at the intersection of budget, risk, and security strategy. It must be approached in a way that serves all three.
Be realistic about the organization’s cybersecurity posture. Cyber insurance requirements are a moving target. Attack methods are constantly evolving, while many environments and systems may still run on legacy controls that cannot be taken out of service for modernization. Taking stock of the features of your security landscape is vital to making any decisions around insurance.
Assess whether cyber insurance is even worth it. As costs go up and coverage becomes more porous, cyber insurance may cost as much as it would to address the fallout of an incident. The choice to pay for cyber insurance or invest in the organization’s security is thorny – but worth considering.
The future of cyber insurance
Cyber insurance will continue to adapt to the changing threat landscape of today and tomorrow. There are plenty of matters that insurance providers have yet to set guidance around.
For example, attacks against industrial environments may result in physical, heavy-duty consequences far beyond the theft of confidential data. Providers haven’t figured out how to properly underwrite this sort of fallout.
For another, the cascading risk that comes with third-party vendors and contractors is murky from an underwriting perspective.
Then there is the law of unintended consequences. For example, an insured company may be more willing to pay ransomware demands because it knows it will be reimbursed.
Regardless of whether an organization opts for cyber insurance, every organization must understand that security is a business enabler. Proper security allows organizations to trust their digital infrastructure, which serves as a platform for innovation and agility. This doesn’t happen if security is treated as a box-checking measure that primarily aims at lowering insurance costs.