Comment | Understanding Cyber Insurance: How Far Can It Go?
In this comment piece for DIGIT, Manoj Bhatt, Head of Security and Advisory at Telstra Purple, explores the value of cyber insurance.
It’s no secret that the cyber threatscape continues to evolve with a dynamism and unpredictability that can be a challenge to keep up with.
As recent years have shown us, security professionals have a lot on their plate – from insider threats leading to organisation-wide disruption, to ransomware attacks and data breaches costing millions.
It’s understandable that, faced with all of this, they might turn to cyber insurance for some much-needed peace of mind should things go wrong. Yet it’s worth looking into this more fully, and questioning how useful cyber insurance really is to businesses.
What is cyber insurance?
Sometimes when industry topics really take off and grab a lot of attention, they end up being widely spoken about without being widely understood. This is the case with cyber insurance: it isn’t always clear exactly what a policy covers, what it excludes, and what conditions it attaches.
While threat vectors multiply and develop, cyber insurance offerings are also changing rapidly. As a result, security departments have a host of challenges to consider. Cyber insurance products are becoming increasingly complex, and increasingly expensive, as the threat of cyber attacks continues to grow.
This means that, from a business standpoint as well as a security one, it’s important to take the time to fully weigh up the value that a particular cyber insurance policy will bring to your organisation.
Alongside this, security departments must devote serious attention to maintaining compliance, and some regulatory or contractual obligations may expect particular cover to be in place, which adds another layer to consider: does your organisation have the type of insurance that is most appropriate for its needs?
The National Cyber Security Centre provides guidance on cyber insurance that compares it to house insurance, which is helpful in emphasising that cyber insurance cannot prevent attacks and offers no protection against them in itself.
Just as a homeowner cannot leave their front door unlocked, safe in the knowledge that they have home insurance, businesses cannot rely on cyber insurance in place of comprehensive security measures. In practice, policies set out the security conditions the insured is expected to maintain, and a claim can be disputed or refused where those conditions were not met when the incident occurred. Cyber insurance is designed to protect against the financial consequences of cyber attacks, which include the costs of post-breach recovery and the costs arising from the breach itself.
Breaking it down further, there are considerable differences between first-party cover and third-party cover. Some policies include both, but others focus on one type. For example, first-party cover addresses the insured organisation’s own losses: business interruption, the cost of notifying customers of the attack, reputational damage, and theft of money or other assets.
Third-party cover focuses on managing the attack’s consequences for your customers and other affected parties, including paying compensation and damages. With this in mind, it’s clear that cyber insurance isn’t a one-size-fits-all product, and the split between the two types of cover should be checked against where your organisation’s exposure actually lies.
Is cyber insurance worth it?
The cost and perception of cyber insurance have changed significantly over the years.
The industry tends to see it as a new solution, but it has been around since the 1990s. It goes without saying that the infosec industry has changed hugely since then, and so has the wider world.
Cyber insurance predates the cyber threatscape as we know it today, and for a long time it was seen as an inexpensive nice-to-have. As threat vectors increased and attacks became widespread, the cost of cyber insurance rose sharply; it is no longer a cheap add-on, but an expense that requires serious consideration of its business value.
In today’s socio-political landscape, every business is exposed to cyber attacks. Yet they are not all impacted in the same way, nor do they face the same level of risk. A small business faces its own risks and potential consequences, while a multinational corporation grapples with different challenges. This means it’s important to think critically. While it’s natural to want to make use of every available security resource, for some organisations cyber insurance is not a necessary expense.
Notably, it’s easy to overlook the fact that your organisation may already have some cover for cyber events through other insurance policies, such as business interruption insurance. For some organisations, this may be sufficient, though it is worth confirming with the insurer that cyber-related events are not excluded from those existing policies.
For example, a small business whose website is taken offline for a period by a relatively small-scale attack, with no significant reputational damage or loss of customer data, will likely find that a dedicated cyber policy does little more for it in that case than its existing insurance.
Of course, with over 236 million ransomware attacks recorded in the first half of 2022, businesses do suffer significant, large-scale breaches. Large businesses are more often deliberately targeted for these kinds of attacks, because there’s more in it for the attacker: more customer data to be stolen, and a larger ransom to be extorted. As such, each business needs to assess the level of risk it actually faces, and factor this into its decision.
Is cyber insurance the best use of resources?
Taking out cyber insurance is not a quick or easy process. It’s important to be aware that the early stages demand a considerable time commitment. A big part of this is down to the fact that there is no standardisation of the application process.
Given the volume of claims (driven, of course, by the ongoing prevalence of attacks), cyber insurance is becoming harder to get. Applicants are required to fill out detailed questionnaires, typically covering controls such as multi-factor authentication, backups, endpoint protection and patching, carry out remedial work, and conduct risk assessments. Because there is no industry standard, each insurer requires this to be done in a different way, and the evidence gathered for one application cannot simply be reused for another.
Given that, according to ClubCISO’s most recent annual report, 33% of businesses do not have cyber insurance, it’s clear that it isn’t deemed a worthwhile investment by everyone. Resourcing is often a key factor in this decision, and one which illustrates the challenge of obtaining cyber insurance at all.
When you consider the work that goes into selecting and applying for cyber insurance, it sometimes makes more sense to invest that time in strengthening the security measures already in place.
Taking proactive action to identify and address risk areas can significantly reduce the likelihood of a serious attack. Rather than paying high premiums for a product which only covers the financial fallout of an attack, in many cases the best course of action may be to pour those resources into preventing successful attacks in the first place. Much of the remedial work an insurer would demand anyway, such as enforcing multi-factor authentication or maintaining tested backups, reduces your risk whether or not you go on to buy a policy.
What next for cyber insurance?
It needs to be emphasised that there is no right or wrong answer to the question of whether cyber insurance is worth it. What we’re seeing now, and what this article has explored, is a shift in the market which has led industry professionals to approach cyber insurance more critically. As we look ahead to the next phase of cyber insurance, it’s imperative that the application process is simplified and standardised, to widen accessibility to all businesses, not just those who can afford to invest so much time and so many resources in arranging it.
© 2023 DIGIT