No company is immune to cyber incidents, so insuring against these events sounds like a good idea.
The whole point of any insurance is risk transfer: the underwriter takes on the risk so that the initial financial costs of a major cyber-incident are covered. But you need to read the small print.
From a short-term financial perspective, this can be quantitatively measured against other risk management alternatives using risk formulae. The results show that insurance can be very cost effective, particularly where the policy covers the majority of technical, forensic and legal costs.
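As an added illustration of the short-term comparison described above (an editor's example, not the author's figures or method), the model below uses annualised loss expectancy (ALE, the single loss expectancy multiplied by the annual rate of occurrence) to compare four treatments of the same risk: accept it, insure it, spend on controls, or do both. The cost of one incident is split into direct response costs (technical, forensic, legal), regulatory fines (assumed here to be excluded from cover) and intangible losses (assumed uninsurable). The policy terms, incident costs and occurrence rates are constructed assumptions, not any real product or claim data.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class IncidentCost:
    """Cost of one major incident, split by whether a policy could cover it."""
    direct: float      # technical, forensic and legal response costs (insurable)
    fines: float       # regulatory fines (assumed excluded from cover in this model)
    intangible: float  # reputational damage, disruption, lost IP (assumed uninsurable)

    @property
    def total(self) -> float:
        return self.direct + self.fines + self.intangible


@dataclass(frozen=True)
class Policy:
    """Simplified cyber policy; the fields are modelling assumptions, not a real product."""
    premium: float            # annual premium
    excess: float             # amount the insured pays on each claim before the insurer pays
    limit: float              # maximum payout per incident
    covered_share: float = 1.0  # fraction of direct costs that the policy covers


def payout(policy: Policy, incident: IncidentCost) -> float:
    """Insurer's payment for one incident: direct costs only, less the excess, capped at the limit."""
    covered = incident.direct * policy.covered_share - policy.excess
    return max(0.0, min(covered, policy.limit))


def ale(single_loss: float, aro: float) -> float:
    """Annualised loss expectancy = single loss expectancy x annual rate of occurrence."""
    return single_loss * aro


def expected_annual_cost(
    incident: IncidentCost,
    aro: float,
    policy: Optional[Policy] = None,
    control_cost: float = 0.0,
    aro_with_control: Optional[float] = None,
) -> float:
    """Premium + control spend + ALE of the loss the organisation still retains per incident."""
    rate = aro if aro_with_control is None else aro_with_control
    retained_per_incident = incident.total - (payout(policy, incident) if policy else 0.0)
    premium = policy.premium if policy else 0.0
    return premium + control_cost + ale(retained_per_incident, rate)


def compare_options(
    incident: IncidentCost,
    aro: float,
    policy: Policy,
    control_cost: float,
    aro_with_control: float,
) -> Dict[str, float]:
    """Expected annual cost of each risk-treatment option, for side-by-side comparison."""
    return {
        "accept": expected_annual_cost(incident, aro),
        "insure": expected_annual_cost(incident, aro, policy=policy),
        "control": expected_annual_cost(
            incident, aro, control_cost=control_cost, aro_with_control=aro_with_control
        ),
        "control_and_insure": expected_annual_cost(
            incident, aro, policy=policy, control_cost=control_cost, aro_with_control=aro_with_control
        ),
    }


# Constructed figures for illustration only (assumptions, not data from the article).
INCIDENT = IncidentCost(direct=400_000, fines=300_000, intangible=600_000)
POLICY = Policy(premium=25_000, excess=20_000, limit=1_000_000)
ARO = 0.10                # one major incident every ten years
CONTROL_COST = 60_000     # annual spend on additional controls
ARO_WITH_CONTROL = 0.04   # estimated rate after those controls

if __name__ == "__main__":
    for name, cost in compare_options(INCIDENT, ARO, POLICY, CONTROL_COST, ARO_WITH_CONTROL).items():
        print(f"{name:20s} {cost:12,.0f}")
```

With these constructed figures, insuring only beats accepting the risk because the premium is below the expected payout on direct costs; the fines and intangible losses, which dominate the total, are retained whichever option is chosen. That is the point the article goes on to make about what a policy does not cover. A premium discount for better controls can be modelled by passing a cheaper `Policy` in the combined option.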
However, as with other types of insurance you need to ensure that you are compliant with security controls or standards outlined in your policy documents. To use a house insurance analogy, you are unlikely to be covered if you leave the front door open.
In line with this, insurers are asking prospective customers to complete pre-insurance questionnaires about their security controls, so that they can understand the underwriting risk. In theory, the better and more robust your controls, the cheaper your premiums will be.
Whilst insurance has some positive aspects, the longer-term and intangible impacts of a major cyber-incident simply cannot be insured against. Reputational damage, disruption to business output, and loss of data or intellectual property can all have a considerable impact on share price, credibility and customer confidence, and these impacts are not typically covered by cyber-insurance.
Secondly, regulatory fines for data loss under GDPR are very unlikely to be covered, and these can be considerable. Probably the biggest argument against cyber-insurance, though, is that the money spent on the policy could, and arguably should, be spent on IT security instead.
Security controls vs insurance
Controls and technology solutions can be very good at mitigating risk, but nothing and no-one is infallible. Regardless of the controls in place, some residual risk will always remain. Understanding where the gaps in your defences are is not always straightforward, so getting expert help can pay dividends.
Regardless of whether you opt for insurance or not, it is well worth understanding how secure your business is and improving your security controls. And if you do opt for insurance, better controls should make it cheaper.
Fundamentally, at the heart of this issue is the need to understand what threats your organisation faces and how effective your existing controls are, so that you can make informed decisions.
Proactive planning and preparation will stand you in good stead should your organisation have a serious incident. You can’t expect a plan that has been gathering dust to be of much use. Or maybe that plan has not yet been conceived?
If you go down the road of buying insurance, here are a few considerations:
Firstly, with insurance companies asking for questionnaires to be completed in advance, you will need to ensure you answer these absolutely honestly. If you are not sure, then get technical help or say you don't know – an inaccurate answer could invalidate your insurance.
Secondly, read the small print and understand what you are buying. Not all policies are the same and do not all cover the same things at the same levels.
Finally, understand the notification and claims procedure. Most insurers want to know about any incident as early as possible, and they may well have preferred and accredited incident response suppliers who will be able to assist. Failure to follow the set procedure may mean you incur some or all of the costs yourself.
Cyber insurance can take the sting out of potentially huge initial financial costs resulting from a major cyber-incident. However, it is not possible to transfer all the risks and insure against the complex, intangible and longer-term impacts.
Regardless of whether your organisation opts for cyber insurance, there are significant benefits in understanding the effectiveness of your controls and there is absolutely no substitute for being prepared and able to respond quickly and effectively. Whilst you hope to never need an incident response plan, it’s reassuring to know it’s there and fit for purpose. If you are thinking about cyber insurance, certainly make sure you dig into the weeds of the exclusions.
John Higginson is principal consultant at Context Information Security.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.