With the rampant rise in ransomware incidents, the likelihood of an organisation being successfully breached is now extremely high. As a result, many businesses have explored the option of cyber insurance in an effort to mitigate the risk.
By Simeon Tassev, MD and QSA at Galix Networking
However, can cyber insurance replace cybersecurity? The short answer for that is no. The longer answer is that cyber insurance underwriters require that certain controls are in place before they will even cover you, so you cannot have cyber insurance without cybersecurity.
In addition, while cyber insurance is a compliance requirement for some businesses, and it will pay out in certain circumstances, it will however not get the stolen data back, which means that from a business continuity perspective, cybersecurity remains absolutely essential.
An expensive risk
Cyberattacks, data breaches, and other forms of cyber incidents all carry with them a significant cost, and cyber insurance is a type of insurance coverage that helps protect individuals and businesses from these financial losses and liabilities.
A cyber insurance policy may cover the costs associated with responding to a data breach, legal costs resulting from a cyber incident, financial losses due to business interruption from a cyber event, and the costs associated with data recovery and restoration, including expenses for data replication, restoration from backups, and data loss prevention measures.
It may also cover the ransom payments, negotiation fees, and expenses related to dealing with extortion attempts, as well as the costs of any liability arising from a breach of sensitive information.
Cyber insurance will not, however, restore the data, which means that while it can assist with the costs, it cannot actively help you to get back to business. It is critical to have the right backup and controls in place to do this.
One, but not the other
Cyber insurance is, in effect, a way of mitigating risk when potential incidents cannot be prevented. However, while it is possible to have cybersecurity without having cyber insurance, a cyber insurance policy cannot replace effective cybersecurity. For a start, the prerequisite for the majority of cyber insurance policies is to have certain measures and controls in place, which means that in order to take out cyber insurance, you need cybersecurity.
In addition, cyber insurance is becoming increasingly expensive, to the point where Chief Information Security Officers (CISOs) are starting to use the cost of cyber insurance as a way of justifying the budget they require for security.
Cyber insurance does not reduce the risk of a cyberattack, but rather transfers this risk with the promise of financial coverage in case of an incident. However, this is becoming increasingly unfeasible for many businesses. The reality is that the larger the organisation, the more difficult it is to obtain cyber insurance coverage because the risk and potential exposure is higher, and the more expensive this cover becomes.
For most businesses, the cost of cyber insurance does not substantiate the risk mitigation, and a lot of the time it is only for compliance purposes that the cost of cyber insurance can be justified.
So, do you need it?
Over and above the compliance angle, ransomware is the most popular reason companies explore the potential of cyber insurance. But is it really necessary? Cyber insurance is about managing risk, and how a business chooses to do this is typically directly related to cost versus benefit. If you can mitigate the risk for a lower cost by preventing a breach, then this would be the better solution for you.
However, if cyber insurance is a required part of risk mitigation strategy, then it is necessary to have in place.
Organisations need to understand their risk and risk appetite and find the best mix of solutions, which may or may not include cyber insurance. Engaging with the right cybersecurity expert partner can help you to find the best approach, assess potential risk versus potential value and understand the specific risks for your business and industry. It is essential to always weigh up the costs versus risk versus benefits to determine whether cyber insurance is for you.