Cyber insurance is a form of coverage designed to help businesses get back on their feet after a cyber incident, such as a cyber attack on a work computer system. And in recent years there has been a huge explosion in the range of cyber insurance products on the market.
Almost all of the mainstream insurers, and many non-mainstream insurers as well, have got in on the act, while at the same time the appetite for buying this type of insurance has grown, so clearly there is money to be made and plenty to market and sell.
Cyber insurance is a security blanket, but it won’t solve your cybersecurity problems or prevent a cyber attack or breach. Think of it like car insurance – just because you have it doesn’t mean you have to start driving recklessly or that another car won’t hit you and cause damage.
Likewise, having car insurance doesn’t absolve you of your obligation to keep your car well-maintained, pass its MOT or mean you no longer need to wear a seat belt. In the same spirit, organizations must put other measures in place to protect their cyber security.
As with any technology deployment, you can't assume everything is fine simply because you have it. A policy doesn't take into account any human failings or challenges that might arise. Many businesses may be surprised to find themselves in breach of their policy if they demonstrate poor security practices and behaviour, and buying insurance won't change that; only working to correct those practices will.
As stated on the NCSC website, it is your responsibility to ensure that your organisation’s cyber security procedures are accurate, up-to-date and effective. This can include a range of technical, physical, procedural and human controls that must be put in place before seeking a cyber insurance policy.
Once you are confident that your controls are effective and provide you with the right level of cyber resilience, then you can look for a cyber insurance policy.
Before you buy a policy, you should make sure you understand what it covers, just like your car insurance, including roadside assistance in the event of a breakdown or legal cover in the event of an accident. You shouldn’t limit yourself to meeting the minimum cyber security requirements specified by your insurer – your business is unique and what you consider important and most valuable to protect may not be adequately protected by a basic insurance plan.
Also, unlike many other forms of insurance, cyber insurance is still a relatively immature market. The choice of insurance policies has become vast and complex, and coverage varies so widely that it is almost impossible to compare policies as insurers try to manage their risk so carefully in a market that is not yet fully understood.
Insurers rarely apply any risk weighting when deciding whether to offer cover, and there are no safe-driver discounts, so you could be spending money on a policy that won't evolve with your organization's growth and changing maturity.
In an ideal world, if you have put in place appropriate and effective controls to minimize the potential for a breach, this would be recognized and your premiums would be reduced – but, unfortunately, that's not really how the market works at the moment. Likewise, because insurers will operate on a worst-case scenario, you may end up subsidizing cover for other, less mature, less responsible, less resilient organizations.
Cyber attacks evolve quickly and the policy you take out may not cover a new type of attack that will occur in the future. If your policy is limited and does not cover a new attack, what do you do then? It is therefore vital to cover all bases where possible; cyber insurance is not the golden ticket to safety and recovery.
That’s not to say that cyber insurance isn’t worth having – it is, but it’s only one piece of the puzzle when it comes to managing risk and ensuring the overall resilience of your business.
And just like our car insurance example, it probably won’t pay out if it turns out that your business was driving recklessly and irresponsibly and caused the accident as a result.