Cyber insurance can’t do it alone
On the surface, cyber insurance seems like the perfect solution for dangerous times. Ransomware attacks surged dramatically in 2022, accounting for a quarter of all breaches. So, if your company does get hit, at least you have a way to recoup some of the losses you incur on your bottom line.
But for those looking for a quick fix to a growing problem, cyber insurance has its shortcomings. For one, it’s getting prohibitively expensive. The protection it offers doesn’t address the issue of how you got hacked in the first place and how you can stop hackers in the future. And it doesn’t secure your data or keep it available.
Companies that do their utmost to insure their data and operations against cyberattacks have their hearts in the right place. But many are focusing more on getting insurance payouts without doing the necessary work to actually protect their mission-critical resources. What they need to do is augment the cyber insurance component with other types of “insurance” that ward off threats and back up data.
What is cyber insurance?
While the concept of insurance itself dates back to the 1300s, cyber insurance is a relatively new phenomenon. Insurance companies rolled out their first comprehensive cyber policies in the 2000s to offer a hedge against malware, ransomware and distributed denial-of-service (DDoS) attacks. Different policies cover liability for things such as the theft of third-party data and the costs of business interruptions and forensic services to investigate a breach.
Cyber insurance can be useful. Sony, for instance, wished it had cyber-focused coverage to blunt the impact of the $171 million it spent to settle suits from the 2011 breach of its PlayStation Network. But a court ruled that Sony’s insurance policy covered damage only to physical property, not cyber-related costs.
Companies that sign on for cyber insurance now are still considered early adopters. A Forrester study showed that 55% of organizations have some kind of cyber insurance and only 19% have coverage for cyber events beyond $600,000. But the number of adopters is growing. The global market for cybersecurity insurance was $7.60 billion in 2021 and is expected to grow to $20.4 billion by 2027.
So, why doesn’t everybody get cyber insurance? Cost is a big issue. Many companies that purchased commercial cyber insurance over the past five years have experienced double-digit cyber premium increases, prompting risk managers to question its overall worth. A customer in western Canada recently saw its annual premium rise to 90% of revenues. As the frequency and severity of cyberattacks increase, the leader of one of Europe’s biggest insurance companies recently said these threats are fast becoming “uninsurable.”
Process is another high hurdle. Insurers paying out cyber claims tend to require prohibitive amounts of documentation – everything from cyber access reports to network traffic logs. These are difficult to collect during normal times; after an incident occurs, IT departments scrambling to restore service will be set back further responding to insurance requests.
Cyber insurance also doesn’t provide any ongoing protection against the threat itself. While hurricanes inflict significant amounts of damage, when they’re over, they’re over. There might be another storm next year, but the immediate threat has ended. Taking out insurance against ransomware doesn’t take away the immediate danger. If you pay off one bad actor, could others still have access to your system? Have you fixed the leak where hackers have found a way in?
Bottom line: Cyber insurance plans can help, but organizations need to vigorously protect against threats and be prepared to solve cyber-related problems on their own.
Here are a few ways they can do so.
• Patching – Creating a comprehensive patch management process is a critical part of maintaining an organization’s IT infrastructure. Repairing vulnerabilities quickly after the release of a new feature can help businesses protect their assets, avoid costly downtime and fend off ransomware attacks.
• Employee training – A study by IBM concluded that human error is the main cause of 95% of cyber security breaches. This underscores the need for employee training. Organizations should consistently review common security mistakes to ensure workers are using strong passwords, avoiding sketchy phishing attempts and protecting important company information.
• Sharpening incident response plans – It’s critical to move quickly when a cyber disaster hits. Many organizations don’t even have a response plan that sets up a chain of command and a set of actions. Those that do have a plan should review it regularly and keep it updated.
• Instituting proper data backup – A secure backup infrastructure forms the last line of defense against ransomware. Integrating data protection within a comprehensive cyber preparedness strategy protects against outside threats and offers the quickest and most strategic way to ensure business continuity if a cyber event occurs.
Cyber insurance is a worthwhile resource that can help organizations respond to a damaging breach. But it’s not enough. Adding in some common-sense cyber preparedness techniques can provide the high level of insurance that’s needed in today’s age of escalating threats.