Cyber Insurance Can’t Do it Alone
By Dave Russell and Rick Vanover
Attention to Fundamental Security Practices Provides the Necessary Protection Against Disasters.
On the surface, cyber insurance seems like the perfect solution for dangerous times. With cyberattacks more prevalent than ever, cyber insurance can help organizations recoup some of the losses an attack inflicts on the bottom line.
But for those looking for a quick fix to a growing problem, cyber insurance has its shortcomings. For one, it’s getting prohibitively expensive. The protection it offers doesn’t address the issue of how you got hacked in the first place and how you can stop hackers in the future. And it doesn’t secure your data or keep it available.
Companies that do their utmost to insure their data and operations against cyberattacks have their hearts in the right place. But many are focusing more on getting insurance payouts without doing the necessary work to actually protect their mission-critical resources. What they need to do is augment the cyber insurance component with other types of “insurance” that ward off threats and back up data.
What is cyber insurance?
While the concept of insurance itself dates back to the 1300s, cyber insurance is a relatively new phenomenon. Insurers rolled out their first comprehensive cyber policies in the 2000s to offer a hedge against malware, ransomware and distributed denial-of-service (DDoS) attacks. Different policies cover liability for things such as the theft of third-party data, as well as the costs of business interruption and of the forensic services needed to investigate a breach.
Cyber insurance can be useful. Sony, for instance, wished it had cyber-focused coverage to blunt the impact of the $171 million it spent to settle suits from the 2011 breach of its PlayStation Network. But a court ruled that Sony’s insurance policy covered damage only to physical property, not cyber-related costs.
Companies that sign on for cyber insurance now are still considered early adopters. According to research, 82% of organizations in the Asia Pacific region experienced at least one attack in 2022, and 23% suffered more than four. Despite this, companies in APAC are slower to buy cyber insurance than those in more mature markets such as the US. A Forrester study found that 55% of organizations globally have some kind of cyber insurance, and only 19% have coverage for cyber events beyond $600,000. That said, the number of adopters is growing steadily: in the Asia Pacific region, the cyber insurance market is forecast to grow at a 20.7% CAGR from 2022 to 2028.
So, why doesn’t everybody get cyber insurance?
Cost is a big issue. Many companies that purchased commercial cyber insurance over the past five years have experienced double-digit cyber premium increases, prompting risk managers to question its overall worth.
Process is another high hurdle. Insurers paying out cyber claims tend to require prohibitive amounts of documentation, everything from access reports to network traffic logs. Producing these is hard enough on an ordinary day; after an incident, IT departments scrambling to restore service are set back further by having to respond to insurance requests.
Cyber insurance also doesn’t provide any ongoing protection against the threat itself. A hurricane inflicts significant damage, but when it’s over, it’s over: there may be another storm next year, but the immediate threat has ended. Taking out insurance against ransomware doesn’t take away the immediate danger. If you pay off one bad actor, could others still have access to your systems? Have you closed the hole the attackers used to get in?
The bottom line here is that cyber insurance plans can help, but organizations need to vigorously protect against threats and be prepared to solve cyber-related problems on their own.
Here are a few ways they can do so:
- Patching – Creating a comprehensive patch management process is a critical part of maintaining an organization’s IT infrastructure. Applying fixes promptly once a vendor releases them helps businesses protect their assets, avoid costly downtime and fend off ransomware attacks.
- Employee training – A study by IBM concluded that human error is the main cause of 95% of cyber security breaches. This underscores the need for employee training. Organizations should consistently review common security mistakes to ensure workers are using strong passwords, recognizing and avoiding phishing attempts and protecting important company information.
- Sharpening incident response plans – It’s critical to move quickly when a cyber disaster hits. Many organizations don’t even have a response plan that sets up a chain of command and a set of actions. Those that do have a plan should review it regularly and keep it updated.
- Instituting proper data backup – A secure backup infrastructure forms the last line of defense against ransomware. Integrating data protection within a comprehensive cyber preparedness strategy protects against outside threats and offers the quickest and most strategic way to ensure business continuity if a cyber event occurs.
Cyber insurance is a worthwhile resource that can help organizations respond to a damaging breach. But it’s not enough. Adding in some common-sense cyber preparedness techniques can provide the high level of insurance that’s needed in today’s age of escalating threats.