One of the ways business stakeholders attempt to transfer risk (not to be confused with mitigating it) is by buying cybersecurity breach insurance. Most of our clients have it—some because they want it, others because they're required to carry it by regulation.
In this post, I'll look at what your expectations and outcomes should be for cyber insurance, and how we should view it in the context of other cybersecurity solutions, like managed detection and response. I also discuss the pitfalls of thrown-together cost/benefit analyses, and the impact on your business (and state of mind) if you treat insurance as a replacement for security. If you have purchased or are considering purchasing cyber insurance, I urge you to consider carefully A) whether the risk has actually been transferred, and B) how you will mitigate the risk to your business - something that MDR providers like ActZero advocate for, as do insurance providers who recognize that proactive steps are integral to a holistic cybersecurity strategy.
Spoiler alert – getting to the right questions requires you to specify (and possibly reset) your expectations about how cyber insurance should help, especially if you see insurance as "stand alone" or "in lieu of a viable security program."
What Cyber Insurance Does
Like other kinds of insurance, cybersecurity breach insurance can help with the unexpected—in this case, by offsetting some of the costs and potential liability associated with data breaches (that is, risk transfer).
For small to medium-sized enterprises (SMEs) that might be operating on slim budgets and are asking themselves "Should I purchase breach insurance?", these policies can provide some peace of mind in the event of a breach. On average, businesses are down between three and fourteen days following an incident, and all the while there are costs and obligations that you need to attend to—employee salaries, customer service, and even just keeping the lights on. Not to mention that if you lack the resources or staff to build your own enterprise-grade security operations center, you may need outside help to get your systems back up and running again. All of these items cost money, and cyber insurance can be a lifeline in such moments.
Cyber insurance will cover financial losses due to data breaches and other cyber events, such as loss of or damage to electronic data, loss of income, recovery costs, and the cost of notifying (voluntarily or as required by law) parties affected by a data breach. Cyber insurance can also provide liability coverage for claims against your firm by anyone injured as a result of the breach. Provisions like these can be especially relevant for healthcare organizations, or for verticals with OT that could be impacted by a breach and put employees at risk of physical injury.
Proactive Posture Improvement
A more recent development from certain cyber insurance providers is the focus on improving defenses before a breach, as well as disclosure and reporting processes after. Smart insurers have realized that they can reduce the likelihood of breaches happening, and their impact when they do happen, by encouraging proactive defenses with lower premiums for better-defended organizations. Some also offer their own guidance, training, and policy advice to further their clients’ defenses.
What Cyber Insurance Doesn't Do
So, what will cyber insurance not do for you? Well, we all need to be clear that cyber insurance does not equal cybersecurity. They are two different things:
Cyber insurance does not make your company or its data more secure, and having cyber insurance should not help you sleep better at night. In fact, I would argue that having cyber insurance can provide a false sense of security, leading to lax controls and taking some of the pressure off the constant vigilance needed to protect your systems. The obvious exceptions are the providers discussed previously, who help you improve your defenses.
While cyber insurance will pay for remediation and recovery, that's all it pays for. It doesn't address damage to your brand, loss of trust, client churn, lost contracts… In short, it can't protect you against many of the consequences of an attack that will affect your business going forward.
Offsetting Consequences vs Reducing Risk
Why limit your pursuit of cyber insurance to specific use cases like offsetting the consequences of a breach? I propose that if you're considering insurance without considering how to actually improve system security, then buying insurance may not solve the problem you want it to. It comes down to whether you want to just offset consequences or reduce risk entirely. These are separate problems, and you need to know which one you're aiming to solve. ActZero advocates for a holistic approach, with a combination of MDR and cyber insurance - improving defenses to reduce the likelihood of a breach before it happens, having the detection and response capabilities to react when it happens, and support and recovery options after it happens.
Many insurance policies mandate that the company holding the policy must have specific security controls in place. For example, you must have a firewall, you must have up-to-date antivirus, and you must have processes and RACI personnel (responsible, accountable, consulted, and informed) assigned for your cyber policy.
Many SMEs don't have the dedicated cybersecurity staff, or the specialized cybersecurity technology and expertise, to meet the requirements that a cyber insurance provider may have. That's where working with a managed detection and response (MDR) service like ActZero's can make your business cyber insurance-ready, and may even reduce your premiums.
ActZero's MDR reduces your organizational risk, providing the readiness component that cyber insurance providers want to see. Our technology and people detect and respond to indicators of compromise and stop them before they become breaches. If a breach occurs, we work with your cyber insurance provider to provide the appropriate documentation so that your company can get reimbursed fast. Having an MDR provider means you have advanced cybersecurity capabilities, which may enable you to pay smaller premiums in the same way that having a home alarm can reduce your home insurance rate. Be sure to ask your provider about options.
All this comes down to cyber insurance being considered 'just another layer' in an organization's system of controls. It's not a cure-all, and it's not the same as having the robust protection of an MDR.
So contact ActZero today to learn more about our MDR and understand how we can augment, complement, or even replace many of your cybersecurity controls and processes, which in turn could reduce your premiums.