How can cyber insurance cover businesses who fall victim to cybercrime?
Data breaches resulting in the exposure of regulated information often result in lawsuits, hence the growing popularity of cyber insurance. But is it enough?
The global cyber insurance market is expected to grow into a $20 billion industry by 2025, making it one of the fastest-growing specialty insurance verticals. The vast majority of cyber insurance clients are businesses seeking to protect themselves against the costs of potential lawsuits following a data breach or leak. This shouldn’t come as any surprise either, given that the average total cost of a data breach has now reached $4.35 million.
As cyberattacks become ever more frequent and complex, targeting companies of all sizes in every industry, more business leaders are asking whether cyber insurance is worth it. A short answer would be yes, particularly for any business that accepts payments online or uses the cloud to store personal or payment information. That said, business leaders should not allow themselves to be led into a false sense of security.
What exactly is cyber insurance?
In the last few years, taking out a cyber insurance policy has become a standard practice for businesses seeking to mitigate the financial risks associated with a data breach. It’s especially popular among smaller businesses that simply don’t have the funds to remediate following an attack.
The term cyber insurance is often used interchangeably with cyber liability insurance. A typical plan might cover costs associated with ransoms, lost income, data recovery expenses, legal fees, regulatory fines, and customer notification expenses. Other policies, such as data breach insurance, might only cover costs that are directly related to lost or stolen data.
Does cyber insurance cover phishing?
Almost all cyber incidents involve a phishing element, such as an attacker exploiting your team communications software to encourage victims to divulge sensitive information like usernames and passwords. However, successful phishing attacks are often a result of negligence, which your cyber insurance policy might not cover – in much the same way that a homeowner might not receive a payout after a robbery resulting from the front door being left unlocked.
Perhaps the biggest shortcoming of cyber insurance is how it can lull policy holders into a false sense of security. There have been instances in which businesses thought they were covered for phishing incidents only to find out that their insurer’s definition of phishing was far narrower than they thought. While this shouldn’t discourage business leaders from taking out a policy, it should serve as a reminder that prevention is always the best cure.
Understanding first- and third-party risk
Cyber insurance policies broadly fall into two main categories – first-party and third-party. First-party insurance covers you for incidents that happen in your own network or systems, while third-party insurance extends to data breaches caused by third parties like technology vendors and suppliers. In most cases, you’re going to need both.
Today, practically all businesses rely on third-party vendors. Many businesses rely entirely on the cloud in the era of hybrid work, which means that someone else is partly responsible for protecting your data. For example, if your Microsoft Teams deployment is compromised by an attacker in a situation that you have no control over, you would only be covered if you have a third-party cyber liability insurance policy.
While this might sound obvious, it’s actually much more complicated than many assume. The typical business now uses dozens, if not hundreds, of cloud-based apps provided by multiple vendors, thus making it difficult to maintain visibility over your environment. It’s essential that you have a comprehensive and up-to-date list of all your vendors, including fourth parties, and anyone else who has access to your systems and data. Just as a home insurance provider is unlikely to pay out for a highly valuable item stolen in a burglary if it wasn’t inventoried, so too might a cyber insurance provider deny a claim involving an unlisted third party.
It should also be said that accurately quantifying and qualifying third-party risk is difficult due to the dynamic nature of the cloud. Businesses rarely have complete visibility and control over their environments, hence the need to protect data on a first-party basis. Ideally, data shouldn’t leave your own network or devices unless it is fully encrypted, with the encryption keys managed on your end for the sake of compliance with record-keeping laws.
Cyber insurance is only a last line of defense
Like most insurance policies, cyber insurance provides a last line of protection in a worst-case scenario. As such, it should never be considered a substitute for good cybersecurity hygiene, no matter how comprehensive the policy. After all, there are many costs associated with data breaches that range from hard to practically impossible to quantify. For example, an insurance provider isn’t going to be able to pay for things like unquantifiable reputational damage or any reduction in productivity. The fact is that the true costs of most data breaches remain unknown, and reports like IBM’s Cost of a Data Breach can only serve as a rough guideline.
No business should ever rely on cyber insurance ahead of improving their own security stance. The same, of course, applies to any insurance policy – no one should drive dangerously just because they have a premium car insurance policy! And as is the case with other insurance policies, there are always going to be exclusion clauses. In the case of cyber insurance, these might include the failure to ensure that networks and systems are adequately protected in line with industry-standard frameworks like NIST. In other words, you need to have good security to get comprehensive cyber coverage in the first place.
Cyber insurance is ultimately reactive, and it should only ever serve as part of a broader risk-management strategy. It should never come at the cost of proactively protecting your assets and business communications with an optimal combination of technical, administrative, and physical security controls.