Cyberinsurance is increasing in popularity, but it’s no substitute for a strong set of cybersecurity protocols.
“Cyber is uncharted territory,” warned Berkshire Hathaway Chairman and CEO Warren Buffett at the his company’s 2018 Annual Shareholders Meeting. “There’s a very material risk which didn’t exist ten or fifteen years ago and will be much more intense as the years go along.”
Hiscox Cyber CEO Gareth Wharton agrees, writing in the foreword to his company’s 2018 Cyber Readiness Report, “If an organization was spared a serious [cyber]attack in 2017, there is a good chance it will be targeted in the future.”
And while the direct financial costs of a cyberattack are significant — more than $150 per compromised record, according to the Ponemon Institute — that expense is just the tip of the iceberg. According to the Hiscox report, 7% of companies have lost customers as a direct result of a breach, 5% have found it harder to attract new customers, and 6% have been forced to lay off workers.
In short, cyberattacks can have devastating long-term consequences, a reality that has inspired a number of companies to turn to perhaps the most basic approach to risk mitigation: insurance.
Why Cyberinsurance Is Catching On
As with any other insurance policy, you only get out what you’re willing to pay into a cyberinsurance policy. That being said, these policies can cover the costs of everything from cyber-extortion (i.e., providing reimbursements for ransoms paid), to crisis/reputation management, to data restoration in the wake of an attack. The Ponemon Institute has found that measures like these lower the per-record cost of a cyberattack by roughly $4.40, or nearly 3%.
According to the Hiscox report, companies with robust cybersecurity protocols are actually the most likely to invest in cyberinsurance. Whereas over 60% of “cyber experts” are already covered with another 31% are planning to take out coverage by the end of the year, only 50% of “cyber novices” either have coverage now or plan to take out coverage by the end of the year.
Where Policies Come up Short
Its growing popularity among cybersecurity leaders notwithstanding, cyberinsurance does have its limitations. For instance, AIG’s cyberinsurance policies do not protect clients from damages caused by errors in computer programming or instructions to a computer. This is a massive exclusion in light of the fact that many breaches are the direct result of cybercriminals exploiting flaws in corporate IT systems.
What’s more, AIG’s clients “have the duty to maintain security systems for the use of passwords, firewalls, and antivirus software and the proper disposal of used hard drives or other storage media.” Clients are also expected to “take actions to avoid future losses, including securing any computer systems or data,” in order to receive coverage.
Even with such conditions in place, Buffett still views cyberinsurance with a healthy dose of skepticism. Insurers know how to assess the likelihood of an earthquake in California or a hurricane in Florida, he says, but few are capable of accurately assessing cybersecurity risk. “I think anybody that tells you now they think they know in some actuarial way either what the general experience [of cybersecurity] is like in the future, or what the worst case can be, is kidding themselves,” he adds.
Taking the Right Approach to Cyberinsurance
Regardless of whether or not you take out a cyberinsurance policy, what’s clear is that preventative action is critical to any company’s security. Just as one shouldn’t drive recklessly because they have automotive insurance or go BASE jumping because they have health insurance, companies shouldn’t forego robust cybersecurity protocols because they have cyberinsurance.
Indeed, according to the Ponemon Institute, providing employees with extensive cybersecurity training reduces the per-record cost of a cyberattack by $8, and extensive use of encryption reduces it by $12 — nearly double and triple the cost-reduction of cyberinsurance, respectively!
As the old adage goes, “An ounce of prevention is worth a pound of cure,” and partnering with a cybersecurity expert like Turn-key Technologies is often the best way for a company to prevent a devastating data breach. Whether you’re interested in a comprehensive network assessment to diagnose cybersecurity weak spots or a managed IT services relationship that leaves cybersecurity to a group of seasoned professionals, we’ll work with you to craft a solution perfectly tailored to your unique needs.
As the industry matures, cyberinsurance may very well become an increasingly common sight, but it’s no alternative to a well-planned, well-executed cybersecurity strategy.