Greg Day, Cybereason VP and Global CISO, outlines what businesses need to understand about cyberinsurance, from evaluating coverage to assessing the costs involved.
Cyberinsurance has become a crucial safety net for businesses, particularly in the face of escalating ransomware attacks. This financial safeguard promises protection against the often devastating consequences of cyberattacks. However, as ransomware incidents have surged, so too have the premiums for cyberinsurance.
Fortunately, recent trends suggest that the cost of cyberinsurance may be stabilising. This stabilisation could signal that businesses are maturing in their approach to cybersecurity and that more effective cybersecurity programs are taking hold.
More than just a safety net
For many businesses, cyberinsurance is more than just a financial safety net – it’s an essential component of their broader cybersecurity strategy. Research indicates that companies with cyberinsurance are generally better equipped to handle data breaches and cyberattacks compared to those without coverage.
One significant advantage is the support that insurers provide. Insurers often work closely with their clients to prepare them for potential incidents, offering guidance on best practices and response strategies.
The market for cyberinsurance is changing rapidly, and both insurers and businesses must stay abreast of these changes to ensure adequate protection. One key challenge is evaluating cyberinsurance coverage against emerging threats.
Our recent research, based on a survey of over 1,000 companies across EMEA and the USA, reveals that while nearly all respondents had cyberinsurance, only 40% were confident that a ransomware attack would be covered.
Furthermore, among those who had made claims for ransomware attacks, only half felt they had recovered the full costs. This discrepancy underscores the need for businesses to fully understand their policy details and coverage limits.
Evaluating cyberinsurance coverage
When evaluating cyberinsurance coverage, it’s essential for businesses to have a clear understanding of what their policy covers and excludes. Typically, cyberinsurance can cover first-party and third-party losses, including the costs of responding to an attack.
However, policies generally do not cover legal or regulatory losses. Businesses must consider what level of coverage is necessary based on their specific risks and the potential commercial impact of a breach.
To make informed decisions, businesses should collaborate closely with their cybersecurity team and legal advisors. It’s crucial to scrutinise the fine print of insurance policies, clarify coverage details, and understand the insurer’s expectations regarding cybersecurity measures and incident response capabilities.
Some companies have resorted to taking out multiple policies to mitigate risks, but this approach can lead to more complex and time-consuming claims processes.
Innovations in cyberinsurance
As cyberthreats change, so too must the strategies employed by insurers. Cyberinsurance companies are increasingly collaborating with cybersecurity professionals to gain better insights into emerging threats and targeted industries. This collaboration helps insurers develop more accurate risk assessments and actuarial tables, which are crucial for pricing policies appropriately.
Moreover, insurers are moving beyond traditional paper-based surveys to validate their clients’ cybersecurity capabilities. They are now incorporating more rigorous checks, such as verifying cybersecurity certifications and conducting penetration tests. Some insurers offer discounts based on these validations, incentivising businesses to strengthen their security posture.
Cyberinsurance and operational resilience
Cyberinsurance is a critical component of operational resilience. While it provides financial protection against cyberincidents that traditional security measures may not fully address, it is not a substitute for robust cybersecurity practices. Instead, it should complement existing security controls by offering financial reassurance in the event of a breach.
In addition to financial protection, cyberinsurance can serve as a benchmark for assessing a company’s cybersecurity capabilities relative to industry peers. This benchmarking can provide valuable insights into areas where a company may need to enhance its security measures.
Weighing the cost of cyberinsurance
When considering the cost of cyberinsurance, businesses should evaluate their potential risks and the impact of various types of coverage. Understanding what is covered under the policy and what is not – such as legal or regulatory costs – is crucial. Businesses should also assess the commercial impact they can bear and determine the level of coverage needed to mitigate that impact effectively.
This decision should be made collaboratively, involving both the cybersecurity team and the broader business leadership. Regularly reviewing and updating the insurance policy in light of growing threats and changes in the business environment is also essential.
Cyberinsurance remains a vital tool for businesses seeking to manage the financial risks associated with cyberattacks. As cyberthreats continue to evolve, so too must the strategies employed by both insurers and businesses.
By staying informed about policy details, leveraging innovations in the insurance market, and integrating cyberinsurance with comprehensive security measures, businesses can better explore the complexities of digital risk management.
Click below to share this article