
What is Cyber Insurance? Is It Adequate Protection?

Aug 3, 2021

Is cyber insurance a worthy investment in securing an organization from attacks? This is a question most cybersecurity chiefs grapple with every day. But, frankly, cyber liability insurance is just a single component making up a much wider organizational cybersecurity picture. As such, companies require additional resources to effectively protect themselves from cyber risks and develop realistic risk management practices before resorting to cyber insurance.

Although many experts consider the cyber insurance industry to be in its infancy, the market has registered rapid growth in recent years. Recent estimates forecast that the global cyber liability insurance market will grow from $8 billion in 2020 to more than $25 billion by 2025.

Moreover, insurance firms are writing more policies, and more companies are becoming insured as a result. Tom Johansmeyer writes in Harvard Business Review that insurers are issuing more policies and that the amounts of protection available are increasing. Unfortunately, with cyber-attacks evolving rapidly and becoming more severe and frequent, cyber insurance alone is inadequate for modern enterprises.


Role of Cyber Liability Insurance in Cybersecurity

On the one hand, the primary purpose of cybersecurity insurance coverage is to protect insured entities from losses resulting from cybercrime incidents. It does not safeguard against network intrusions, data breaches, or business interruptions; instead, cyber liability insurance helps companies recover some of the losses after such incidents have occurred.

On the other hand, companies can gain limited protection and reduce cybersecurity threats only if the following conditions hold:

    1. Subscribe to more coverage to promote the implementation of protective mechanisms
    2. Base insurance premiums on an organization's cybersecurity posture to encourage the adoption of recommended security practices.

Essentially, enterprises need to spend more to attain a certain level of protection, which is infeasible for most small and medium-sized businesses. Consequently, most forgo the offered insurance policies, citing reasons like the high cost of premiums, uncertainty about whether the policies protect against current threats, and confusion about what they cover.

That said, organizations can subscribe to cyber insurance to protect themselves from the financial repercussions of a cyber incident. Cyber liability insurance can help companies offset recovery costs following a cyber-attack. For this reason, approximately one-third of US-based companies purchase some form of cyber insurance cover.

Expenses covered in cyber insurance policies

Some of the direct and indirect expenses covered in most insurance policies include:

  • Lawsuits

Cyber insurance can cover legal expenses resulting from a cyber breach that impacts sensitive information or intellectual property. The expenses include regulatory fines, legal settlements, and extortion from crimes like ransomware.

  • Business losses

A cyber-attack can cause unwanted consequences, such as data loss, network unavailability, and reputational damage. The consequences often result in financial losses due to lost business opportunities and interrupted operations. Fortunately, some cyber insurance coverages can cushion against associated monetary losses and resources incurred in cyber crisis management.

  • Forensic investigations

A forensic examination is required to establish the cause of an adverse cyber incident. Cyber forensics is also essential because it identifies the measures needed to repair the damage and prevent a similar occurrence in the future. A forensic investigation may require outsourcing to a third-party security firm and cooperation with the relevant law enforcement agencies.

  • Data and privacy breach notification

Regulations like the General Data Protection Regulation (GDPR) require companies to notify customers and third parties if a cyber incident affects their data. Cyber insurance covers the costs incurred when alerting data owners and the relevant authorities.


Do Companies Really Need Cyber Insurance?

Organizations that collect, process, store, or transmit sensitive customer information, use cloud computing services, or accept online payments from customers should certainly invest in cyber insurance. Additionally, the proliferation of Internet of Things (IoT) devices connected to company networks introduces multiple new attack surfaces. Given this expanded threat exposure, enterprises can benefit from cyber insurance coverage should an attack occur.

Prevalence of cyber attacks

Moreover, cyber attacks targeting businesses are growing daily in sophistication and frequency. For instance, 43% of all cyber breaches target SMEs (Small and Mid-size Enterprises), while at least 61% of all businesses reported at least one adverse cyber incident in 2020. On the same note, a recent benchmark study revealed that 40% of enterprises that experienced a severe cyber incident suffered more than eight hours of operational and business downtime. Although cyber insurance does not guarantee protection from the dynamic threat environment, purchasing some policies can reduce the financial strain and challenges associated with a cyber incident.

Costs of cyber attacks

On a larger scale, US companies should expect to spend more than $2.5 million when recovering from a data breach, whereas cybercrime costs the world over $600 billion annually. Although the costs may vary across industries and based on the magnitude of an attack, each company needs to decide if it can risk footing the cost or if cyber liability insurance coverage is necessary.


But is Cyber Insurance Alone Adequate?

A recent AT&T cybersecurity report found that over a quarter of all organizations surveyed view cyber insurance as a substitute for cyber defense rather than as one part of a multilayered cybersecurity infrastructure and strategy.

Is cyber insurance a substitute for cyber defense?

While most companies regard cyber insurance as a critical investment, it is insufficient on its own to safeguard against a high-risk and complex digital environment. Characteristically, cyber insurance offers financial protection by meeting the costs covered in the purchased policy after a significant cybersecurity event, but by then the damage is already done. As a result, companies need to ensure they have the infrastructure needed to provide the highest level of security possible. Optimally, a managed security infrastructure can meet high-level security demands and reduce cyber risks significantly.

For instance, within a month, three international organizations were victims of devastating attacks. These included Colonial Pipeline, where hackers used a ransomware attack to disrupt the largest oil pipeline in the US, causing a gasoline shortage in the country. In addition, a different attack forced JBS to shut down operations for several days, resulting in significant impacts on the global meat supply.

Is there enough money in cyber insurance?

Tom Johansmeyer's post in Harvard Business Review states that even as companies look to cyber insurance to protect themselves from rising and increasingly sophisticated attacks, there might simply not be enough money in the still-emerging sector to cover their needs. Therefore, companies should invest in ways to cover their potential exposures on top of holding insurance cover.

"The momentum that has propelled the sector this far may be running out," writes Tom. "The cyber insurance sector may be in its infancy, but there are signs that it's hit a (hopefully temporary) plateau."

Moreover, while more attacks could stimulate demand, such incidents also create a supply problem that makes insurers more wary of providing cover and reinsurers less interested in backing cyber liabilities.

Could cyber insurance be making the ransomware crisis even worse?

Similarly, a post on ZDNet warns that prioritizing cyber insurance over investment in appropriate cyber defenses isn't helping with cybersecurity, and it might be making the ransomware crisis worse. According to the post, cyber insurance encourages ransomware victims to simply pay the ransom demand, which the insurer then covers, rather than maintain adequate security measures to deter attackers in the first place. It isn't illegal to pay cyber criminals a ransom, but law enforcement agencies warn that doing so gives the attackers funds and resources to launch more complex attacks.

A research paper examining cyber insurance and the cybersecurity challenge by Royal United Services Institute (RUSI) adds, "to date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organizations' cybersecurity practices." RUSI also warns that "cyber insurers may be unintentionally facilitating the behavior of cybercriminals by contributing to the growth of targeted ransomware operations."

Cyber threats are constantly evolving

It is also essential to remember that a policy that is adequate one year may be insufficient the next. That means, if you purchase cyber insurance, you need to revisit the policy annually. Threats and risks constantly evolve and change, so you need to ensure that both your security controls and the policy still cover the emerging threats affecting your organization. In most cases, adjustments are necessary to maintain full coverage.

Fortunately, many insurance companies offering cyber insurance cover require customers to complete an extensive questionnaire about their controls and policies. In particular, the insurers stipulate baseline controls that your business needs to meet. The insurance company may require a documented risk analysis of controls, firewalls, and other perimeter security protections, or an annual information security audit. Consequently, if your organization does not have the stipulated baseline controls in place, you run the risk of your claims being denied. These requirements show that cybersecurity measures should be the first line of defense, with insurance as the backup.

Reputation is on the line

Finally, cyber insurance will not cover the loss of trust that follows an attack. While an insurance policy may help recoup financial losses related to disruption of operations, fines, and penalties, no policy will cover damage to your brand's reputation or the loss of customer and shareholder trust.


Prevention is the First Defense; Insurance is the Backup

Do not get us wrong: we are not saying cyber insurance is unnecessary, and the goal of this post is not to discourage you from getting it. Instead, we maintain that as cyber-attacks evolve rapidly and become more severe and frequent, cyber insurance alone is inadequate for modern enterprises.

That being the case, organizations need cyber defense measures, like timely patching of critical vulnerabilities in external-facing IT infrastructures, enabling multi-factor authentication on online accounts and remote access services, limiting lateral movement by adopting network segmentation and zero-trust architecture, and implementing procedures to ensure regular backups.

Over and above purchasing cyber insurance cover, putting appropriate cybersecurity defenses in place effectively prevents frequent and sophisticated attacks like ransomware, phishing, and DDoS. Apart from preventing attacks from happening in the first place, this strategy limits the damage a data breach can do, meaning that, in the event of falling victim to a cyberattack, seeking reimbursement from the insurer would be an absolute last resort rather than the first and simplest thing to do.

Besides adding high-tech security systems, businesses should invest in skilled cybersecurity professionals specializing in complex and fast-evolving cyber threats and controls. Therefore, before purchasing a cyber insurance cover, you need the right team comprising IT personnel, risk management experts, and cybersecurity specialists. Additionally, the leadership team should ultimately devise what level of risk to accept and what insurance cover is appropriate to purchase.


Protecting Your Crown Jewels with Pulsar Security

Even as some IT leaders and C-suite executives take the view that purchasing cyber insurance is a cost-effective and easy way to address cyber threats, the strategy should not be a substitute for cyber defense.

We are acutely aware that all a cyber insurance policy will do is cover some financial losses after an attack occurs. It will not help your business deal with the disruption an attack leaves in its wake. Pulsar Security provides solutions that enhance your cybersecurity defensive strategy and ensure your business complies with regulations.

Unquestionably, implementing a proper cybersecurity strategy may seem like a daunting task, particularly for small and medium businesses. But it doesn't have to be. Pulsar Security offers cost-effective and fitting offensive security solutions to defend your crown jewels. Some of our solutions include:

  • Penetration tests to prove that vulnerabilities are present and can be exploited by attackers
  • Vulnerability assessments to identify vulnerabilities that can be used to compromise your network
  • Dark web assessments to discover sensitive, confidential, and damaging organizational information from the hidden corners of the internet
  • Phishing simulations to measure the likelihood of successful attacks and their potential damage
  • Red teaming to provide directed attacks to test an organization's detection and response
  • Wireless network assessments to uncover vulnerabilities in wireless environments

Besides these bespoke security solutions, a look at the Pulsar Security team's industry experience and certifications reveals that our engineers hold the industry's most esteemed and advanced on-the-ground experience and cybersecurity credentials. Holding these credentials denotes mastery of a global standard for effective and reliable cybersecurity.

Corey Belanger

Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.