Author: Gary Hibberd
Date: 15th July 2020
As most of us are aware, there is an ever-increasing risk of cybercrime and data breaches happening to, and within, our organisations. So what should we be doing about it?
I’ve written many blogs containing advice and guidance on the steps people need to take to improve their security and data protection practices, ranging from the strategic through to the practical. But quite often, when I talk about improving cybersecurity, the reply is: “But why can’t I just buy Cyber Insurance?”
What is Cyber Insurance?
If you’ve not come across this form of insurance, allow me to introduce you. Cyber Insurance is a kind of insurance designed specifically for our digital age. It is meant to cover you in the event of a data breach or malicious cyberattack.
To find the right policy for you, you will need to do your own market research, but be warned: this is no easy ‘quick fix’ for your cybersecurity concerns.
How can Cyber Insurance mitigate Cyber risks?
Cyber Insurance is often referred to as ‘Cyber Risk’ or ‘Cyber Liability’ Insurance, leading many people to think that it helps mitigate the risk of Cyberattacks or Data breaches.
This may sound controversial, but I think it does the exact opposite. Firstly, you can’t outsource risk. This statement is so true that it has almost become a cliché. You can’t merely buy Cyber Insurance, dust yourself off and say “Well, that’s all sorted then!”
You could think of Cyber Insurance like buying car insurance. Just because you have a policy does not mean you can drive a car that is not roadworthy, or drive irresponsibly. You are required to hold a valid MOT certificate for your car, and without it your insurance is invalid. You still have to drive responsibly, or you’ll have an accident. What kind of world would we live in if everyone simply said “Hey, I have insurance! The mechanic has made sure the car is roadworthy! So I can drive however I like!”
Of course, if you DO have an accident, the first thing the insurer will need to establish is, who is liable? (insurance language for, “Who is to blame?”)
I believe Cyber Insurance can give organisations an inflated sense of assurance and confidence that, should things go wrong, their policy will kick in and all will be well again. Of course, I’m generalising here, and I know many organisations take information security and data protection particularly seriously and have Cyber Insurance in place as a ‘last resort’. But many don’t.
So for their benefit, let’s take a look at the good, the bad and the ugly sides of Cyber Insurance.
The Good
An organisation cannot outsource the risk of cyberattack and data breach, and therefore is always responsible for its own cybersecurity. But having the right kind of Cyber Insurance in place means that in the event of a cyberattack, you will have something (or someone) to turn to, to help you through and provide the all-important support you need.
Depending on the kind of policy you have, it may cover you for loss of income due to the inability to conduct business and provide services (this may also be covered under traditional Business Interruption Insurance).
You may also be covered for any damages suffered by third parties that interact with your systems.
Costs associated with investigation and restoration by cybersecurity and IT professionals may be covered too, along with any legal costs you may incur.
Finally, some policies may cover you for fines and additional legal expenses (although whether regulators’ fines can be insured at all has yet to be tested).
This all sounds positive and great, right? I’ll save you the effort of counting: in the section above, almost every sentence hinges on the word ‘may’. Like many things in life, there are no guarantees with insurance.
The Bad
Let’s pretend for a moment that you bought the right kind of cover and that your insurer is comfortable that you are covered. Happy days, right?! Not quite.
What no form of insurance can do is cover you for the loss of confidence from clients, suppliers, stakeholders and employees. The potential reputational harm following a data breach or cyberattack cannot be ignored.
A 2018 survey conducted by PCI PAL found that 44% of UK consumers would stop spending with a company that had been involved in a data breach.
The Ugly (truth)
The damage to relationships between suppliers and clients can be significant and have a lasting effect, long after the cyber insurer has paid out for the restoration of your systems.
The truth is that Cyber Insurance is only useful as a responsive measure. It doesn’t prevent data breaches. It doesn’t prevent cyberattacks. Having Cyber Insurance is a ‘comfort blanket’ when you’re facing a thunderstorm: it’s comforting to know it’s there, but it won’t protect you in the long run.
I left it to the end to make a declaration which may surprise you (having read the above): Cyberfort supports a number of Cyber Insurance products and services. We have done this for around five years, and have helped numerous organisations respond to, and recover from, data breaches and cyberattacks.
So you might be wondering why I’m dismissing Cyber Insurance as a bad thing. If you are, then you’ve not read the blog carefully enough. I firmly believe Cyber Insurance is a good thing when entered into in the right way. It should only ever be seen as an effective tool to help cover the cost, should a breach or attack happen.
Cyber Insurance should never be seen as the whole story. It can only take you so far.
As the saying goes, prevention is always better than cure. So rather than waiting for the car crash to happen, why don’t we all become more responsible road users?
After all, we put our most valuable assets in our cars and drive carefully and responsibly with them.
Cyber Insurance or not, shouldn’t we do the same with our most valuable (business) assets too?