The news: Cyber attacks are on the rise across all industries, and conversations around cyber insurance have taken off. But cyber attacks are constantly evolving and becoming more sophisticated, making cyber insurance coverage a tricky business. The complexity involved means that organizations should conduct due diligence to determine whether cyber insurance is the best fit.
Here we review seven considerations to take into account before investing in cyber insurance, per CSO Online.
Insurance premiums may cost more than incident remediation.
- The rapid escalation in ransomware attacks is increasing demand for ransomware coverage. Consequently, premium costs are skyrocketing. Premiums can range from £100,000 ($118,000) to over £1.5 million ($1.76 million).
- Operational resiliency functions are expanding in quantity and quality, making remediation less costly. Many company executives are starting to believe it’s more cost-effective to bypass cyber insurance and cover remediation costs themselves if an incident occurs.
Insurers are scaling back on ransomware coverage.
- The rising demand for ransomware coverage is also changing how insurers approach policies for these types of attacks. Ransomware attacks are highly variable, making it tough to dictate what a policy should include before an attack occurs.
- Because it’s actuarially hard to quantify the risk associated with a ransomware attack, insurers are providing minimum coverage. Many are even beginning to remove coverage of the ransom payment.
Fewer insurers will cover nation-state cyber attacks.
- As cyber attack strategies mature, insurers are defining strict requirements for what they will and won’t cover, and state- and nation-backed cyber attacks are often excluded from policy coverage.
- As an added challenge, organizations often have difficulty accurately attributing the source of an attack, and insurers will unilaterally decide what they consider to be a nation-state attack.
A business may already be self-insured against cyber attacks.
- Some organizations and even small government agencies pool funds from which they can draw in the event of a catastrophic event, like a cyber attack.
- Involvement in a consortium like this can also create additional remediation efficiencies if affected businesses work together.
Many insurers base their premiums on a standard questionnaire.
- When providing a quote for cyber insurance, insurers will usually rely on a point-in-time standard questionnaire to determine coverage, without conducting any further examination of an organization’s cybersecurity position.
- The resulting premium may not cover all areas that could be affected by a cyber attack, or it could result in paying for coverage of areas that aren’t at risk. It also doesn’t account for an organization’s enhancements to its cybersecurity defenses over time.
Many insurance policy requirements are tough to comply with.
- It’s vital to be aware of all of the requirements that must be met for a cyber insurance policy to be valid. If even a single requirement isn’t met, the policy could be deemed useless.
- Organizations that have thinly staffed cybersecurity divisions or don’t consistently ensure all protections are up to date and implemented in a timely manner might be better off avoiding cyber insurance.
The investment in cyber insurance could be better used for investing in cybersecurity improvements.
- Cyber insurance isn’t a substitute for cybersecurity. Before choosing to spend large sums of money on an insurance policy that might be deemed ineffective in the event of a cybersecurity breach, determine if those funds could be better spent on upgrading cybersecurity controls.
The bottom line: Cyberattacks are a major threat to nearly every business, and it’s easy to get caught up in the widespread belief that cyber insurance is necessary to protect an organization. But attaining an effective cyber insurance policy starts with developing a successful cybersecurity posture within the organization. Otherwise, cyber insurance could just add to the woes and expenses of a cyber attack.