How Cyber Insurance Aids in Ransomware Settlements

The insurance market for cyber attacks isn’t growing fast enough to cover losses incurred by businesses. Moreover, general liability or property insurance isn’t designed with cyber attacks in mind.

Fortunately, some insurers have begun to rethink their policies, including rewording war exclusions and offering lower premiums to policyholders that meet stricter cybersecurity requirements. But is cyber insurance worth it?

Coverage for Damages

As data breaches and ransomware attacks increase, more companies seek cyber insurance to help cover damages. But how does it work, and is it worth the cost? Several companies, including security vendors such as Fortinet, warn against paying a ransomware settlement, because once you have paid out, cyber criminals see you as a target.

One of the most important things to understand about cyber insurance is that you are not just transferring risk to the insurance company. It also changes how cyber criminals see you: they may preferentially target insured businesses because they know the ransom will be paid.

In addition, insurers often require specific security measures as a condition of coverage. For example, if you are not following basic security practices or have not updated your software, your insurance provider can deny your claim for the breach or even cancel your policy.

Despite these challenges, it is still a buyers’ market for cyber insurance. The premiums can vary depending on your industry, your revenue, and the number of unique records your company maintains. However, it is essential to shop by coverage as opposed to cost.

Regarding the cost of a cyber insurance policy, many are relatively inexpensive compared to what companies might spend on fines and legal fees resulting from a data breach. A discount retail chain, one of the nation’s largest banks, a well-known health insurer, and a major entertainment network have all faced hefty fines and settlements following cyberattacks.

Ultimately, whether a cyber insurance policy makes sense for your company will come down to the type of data your company stores or maintains, the likelihood of an attack, and how quickly you can recover from an incident. As a bonus, many cyber insurance policies offer resources that can help you design cost-effective, robust security and encryption controls to reduce the likelihood of a future breach.

Coverage for Recovery

In addition to covering the cost of restoring or replacing affected hardware and software, cyber insurance also covers legal fees to defend against claims brought by affected consumers. In the case of ransomware, if an employee clicks on a malicious link and the business unwittingly ends up paying a criminal, cyber insurance may cover the costs of regaining control over the system.

The need for cyber insurance reflects a massive rise in cyberattacks, which are increasingly common and devastating to businesses. Various factors have made it easier for hackers to attack: the cryptocurrency market allowing for anonymous transactions, the COVID-19 pandemic accelerating remote work and cloud services, and the war fueling state-sponsored attacks. Regardless of the cause, hackers and other attackers are making more money than ever, and companies must invest in robust cybersecurity to limit the damage.

Buying an insurance policy is an easy option for many boards, and it can help reduce their financial risk from data breaches and ransomware settlements. However, it should never be considered a substitute for robust security investment.

As insurers try to balance the competing goals of limiting their exposure and protecting their customers, some policies contain confusing or contradictory language. For example, disputes over such language could force insurers either to exclude coverage of catastrophic cyberattacks or to reassure their customers that most intrusions and breaches will still be covered.

While buying insurance may help mitigate some of the costs of a ransomware attack, it does not protect businesses from the damages associated with other cyberattacks. For example, a breach might damage the company’s reputation and ability to recruit new employees or decrease sales by revealing private information. These kinds of damages are typically excluded from cyber insurance policies.

Some companies see cyber insurance as a substitute for cybersecurity. After all, if they can buy an insurance policy to pay for the damage, why bother with the hassle and expense of implementing best practices? This is a dangerous mindset that can lead to costly mistakes.

Coverage for Legal Costs

For many years, the risk of being tracked by law enforcement kept ransom payments from cyber extortion low. That changed with the rise of cryptocurrencies like Bitcoin, which allow criminals to remain anonymous and make transactions very hard to trace.

While cyber insurance may not prevent companies from making unwise decisions, it can help them manage the costs associated with a breach. This includes the cost of notifying affected customers, which can be significant for businesses with large customer bases. It also helps cover regulatory fines, which are common after data breaches. Lastly, it can help with the legal expenses involved in mounting a successful defense against a lawsuit brought by an angry client over the breach.

However, as cyber insurance became more popular, security professionals and insurance-as-governance researchers began to express concern over its effect on incentives. They argued that it normalized extortion by facilitating third-party moral hazard. By paying a ransom, the insured organization keeps the business running in the short term. However, it undermines security in the long run: extortionists meet minimal resistance and are encouraged to continue their attacks.

While limiting third-party moral hazard is a challenge, the benefits of the insurance market outweigh it, particularly given the lack of alternative risk transfer tools. As well as providing financial protection, the insurance underwriting process raises awareness of cyber threats, identifies how to respond, and educates insureds.

Of course, insurance is only part of the solution. Companies must still patch regularly, limit privileges, and practice good cyber hygiene to avoid being an easy target. They still need to encrypt data and maintain backups that are tested regularly. They must still be prepared to negotiate with extortionists and to call in the right experts when they get hit.