One of the ways business stakeholders attempt to reduce risk (or, at least, offset the potential impact of consequences), is by buying cybersecurity breach insurance. Most of our clients have it—some because they want it, others because they're required to carry it by regulation.
In this post, I'll look at what your expectations and outcomes should be for cyber insurance, and how we should view it in the context of other cybersecurity solutions, like managed detection and response. I also talk pitfalls of thrown-together cost/benefit analyses, and the impacts on your business (and state of mind) if you treat this as a replacement for security. If you have purchased or are considering purchasing cyber insurance, I urge you to follow the path to the Nth degree and assess whether having an insurance policy that pays out will actually benefit your business.
Spoiler alert – getting to the right questions require you to specify (and, possibly reset) your expectations about how cyber insurance should help.
What Cyber Insurance Does
Like other kinds of insurance, cybersecurity breach insurance can help the unexpected—in this case, the offsetting some of the costs and potential liability associated with data breaches.
For small to medium-sized enterprises (SMEs) that might be operating on slim budgets and are asking themselves “Should I purchase breach insurance?” these policies can provide some peace of mind in the event of a breach. On average, businesses are down between three to five days following an incident, and all the while there are costs and obligations that you need to attend to—employee salaries, customer service, and even just keeping the lights on. Not to mention that if you lack the resources or staff to build your own enterprise-grade security operations center, you may need outside help to get your systems back up and running again. All of these items cost money, and cyber insurance can be a lifeline in such moments.
Cyber insurance will cover financial losses due to data breaches and other cyber events, such as loss or damage to electronic data, loss of income, recovery costs, and notification costs (voluntary or as required by law) of parties affected by a data breach. Cyber insurance can also provide liability coverage for claims against your firm by anyone injured as a result of the breach. Provisions like these can be especially relevant for healthcare organizations, or those verticals with OT that could be impacted by breach and put employees at risk of injury.
What Cyber Insurance Doesn't Do
So, what will cyber insurance not do for you? Well, we all need to be clear that cyber insurance does not equal cybersecurity. They are two different things
Cyber insurance does not make your company or its data more secure and having cyber insurance should not help you sleep better at night. In fact, I would argue that having cyber insurance can provide a false sense of security, leading to lax controls and taking some of the pressure off the constant vigilance needed to protect your systems.
While cyber insurance will pay for remediation and recovery, that's all it pays for. It doesn't address damage to your brand, loss of trust, client churn, lost contracts… In short, it can't protect you against many of the consequences that will impact your business moving forward of attacks (where possible) and detecting and responding to them quickly can do that.
Offsetting Consequences vs Reducing Risk
I'm not saying you shouldn't get cybersecurity breach insurance—it definitely has specific use cases in terms of offsetting the consequences of a breach, if it comes to that. What I'm saying is that if you're considering insurance without considering how to actually improve system security, then buying insurance may not solve the problem you want it to. It comes down to whether you want to just offset consequences or reduce risk entirely. These are separate problems, and you need to know which one you're aiming to solve.
The truth is that organizations that don't also take steps to protect themselves are susceptible to breaches regardless of whether they have cyber insurance or not. Here's a fun fact about cyber insurance: most policies mandate that the company holding the policy must have specific security protocols in place. You must have a firewall, for example, you must have up-to-date antivirus, you must have processes and RACI personnel (person responsible, accountable, consulted, and informed) on cyber policy.
Many SMEs don't have the dedicated cybersecurity staff or the specialized cybersecurity technology and expertise to meet the requirements that a cyber insurance provider may have. That's where working with a managed detection and response (MDR) service like IntelliGO's can make your business cyber insurance-ready
IntelliGO's MDR reduces your organizational risk, providing the readiness component that cyber insurance providers want to see. Our technology and people detect and respond to indicators of compromise and stop them before they become breaches. If a breach occurs, we work with your cyber insurance provider to provide the appropriate documentation so that your company can get reimbursed fast. Having an MDR provider means you have advanced cybersecurity capabilities, which may enable you to pay smaller premiums in the same way that having a home alarm can reduce your home insurance rate. Be sure to ask your provider about options.
All this comes down to cyber insurance being considered as 'just another layer' in the control system of an organization. It's not a cure-all, and it's not the same as having the robust protection of an MDR.
So contact IntelliGO today to learn more about our MDR and understand how we can augment, complement, even replace many of your cybersecurity controls and processes, which in turn could reduce your premiums. At worst, you will be significantly more secure tomorrow than you are today.