Cyber insurance can’t do it alone

March 24, 2023 09:20

On the surface, cyber insurance seems like the perfect solution for dangerous times. Ransomware attacks surged dramatically in 2022, accounting for a quarter of all breaches. So, if your company does get hit, at least you have a way to recoup some of the losses you incur on your bottom line.

But for those looking for a quick fix to a growing problem, cyber insurance has its shortcomings. For one, it’s getting prohibitively expensive. The protection it offers doesn’t address the issue of how you got hacked in the first place and how you can stop hackers in the future. And it doesn’t secure your data or keep it available.

Companies that do their utmost to insure their data and operations against cyberattacks have their hearts in the right place. But many are focusing more on getting insurance payouts than on doing the necessary work to actually protect their mission-critical resources. What they need to do is augment the cyber insurance component with other types of “insurance” that ward off threats and back up data.

What is cyber insurance?

While the concept of insurance itself dates back to the 1300s, cyber insurance is a relatively new phenomenon. Insurance companies rolled out their first comprehensive cyber policies in the 2000s to offer a hedge against malware, ransomware and distributed denial-of-service (DDoS) attacks. Different policies cover liability for things such as the theft of third-party data, the costs of business interruptions, and the forensic services needed to investigate a breach.

Cyber insurance can be useful. Sony, for instance, wished it had cyber-focused coverage to blunt the impact of the $171 million it spent to settle suits from the 2011 breach of its PlayStation Network. But a court ruled that Sony’s insurance policy covered damage only to physical property, not cyber-related costs.

Companies that sign on for cyber insurance now are still considered early adopters. A Forrester study showed that 55% of organizations have some kind of cyber insurance and only 19% have coverage for cyber events beyond $600,000. But the number of adopters is growing. The global market for cybersecurity insurance was $7.60 billion in 2021 and is expected to grow to $20.4 billion by 2027.

So, why doesn’t everybody get cyber insurance? Cost is a big issue. Many companies that purchased commercial cyber insurance over the past five years have experienced double-digit cyber premium increases, prompting risk managers to question its overall worth. A customer in western Canada recently saw its annual premium rise to 90% of revenues. As the frequency and severity of cyberattacks increase, the leader of one of Europe’s biggest insurance companies recently said these threats are fast becoming “uninsurable.”

Process is another high hurdle. Insurers paying out cyber claims tend to require prohibitive amounts of documentation – everything from cyber access reports to network traffic logs. These are difficult to collect during normal times; after an incident occurs, IT departments scrambling to restore service will be set back further responding to insurance requests.

Cyber insurance also doesn’t provide any ongoing protection against the threat itself. While hurricanes inflict significant amounts of damage, when they’re over, they’re over. There might be another storm next year, but the immediate threat has ended. Taking out insurance against ransomware doesn’t take away the immediate danger. If you pay off one bad actor, could others still have access to your system? Have you fixed the leak where hackers have found a way in?

Bottom line: Cyber insurance plans can help, but organizations need to vigorously protect against threats and be prepared to solve cyber-related problems on their own.

Here are a few ways they can do so.

• Patching – Creating a comprehensive patch management process is a critical part of maintaining an organization’s IT infrastructure. Repairing vulnerabilities quickly after the release of a new feature can help businesses protect their assets, avoid costly downtime and fend off ransomware attacks.

• Employee training – A study by IBM concluded that human error is the main cause of 95% of cybersecurity breaches. This underscores the need for employee training. Organizations should consistently review common security mistakes to ensure workers are using strong passwords, avoiding suspicious phishing attempts and protecting important company information.

• Sharpening incident response plans – It’s critical to move quickly when a cyber disaster hits. Many organizations don’t even have a response plan that sets up a chain of command and a set of actions. Those that do have a plan should review it regularly and keep it updated.

• Instituting proper data backup – A secure backup infrastructure forms the last line of defense against ransomware. Integrating data protection within a comprehensive cyber preparedness strategy protects against outside threats and offers the quickest and most strategic way to ensure business continuity if a cyber event occurs.

Cyber insurance is a worthwhile resource that can help organizations respond to a damaging breach. But it’s not enough. Adding in some common-sense cyber preparedness techniques can provide the high level of insurance that’s needed in today’s age of escalating threats.

Dave Russell: vice president of enterprise strategy at Veeam; Rick Vanover: senior director of product strategy at Veeam