Can Cyber Insurance Really Protect Your Business From Attacks?

Cyber attacks are becoming more frequent and costly for businesses. As a result, cyber insurance has emerged as a way for companies to mitigate risks. However, there is debate around how effective cyber insurance really is at protecting businesses from attacks. In this article, I’ll explore both sides of this issue in depth.

What is Cyber Insurance?

Cyber insurance policies help protect businesses from costs and liabilities associated with data breaches, hacking incidents, malware infections, and various cyber crimes. Cyber insurance typically covers:

  • Response costs – Forensic investigations, legal counsel, crisis management/PR services, notifying customers
  • Liability – Lawsuits, regulatory fines, payments to affected individuals
  • Loss of income – Business interruption, loss of revenue due to systems being down
  • Cyber extortion – Ransomware payments, blackmail demands

Plans vary, but may also include coverage for cyber terrorism, cyber vandalism, telephone hacking, and more.

The Case For Cyber Insurance

There are several arguments in favor of businesses purchasing cyber insurance:

1. Transfers Financial Risk

  • Cyber attacks can be very costly. The average cost of a data breach now exceeds $4 million.
  • Insurance shifts potential expenses to the insurer. This protects the insured company’s finances.
  • Policies cover costs the business may not be able to afford, such as legal fees and PR.

2. Requires Improved Security

  • Insurers often mandate certain security standards be met to qualify for coverage.
  • This motivates companies to implement stronger IT security controls and processes.
  • Continued coverage may require passing audits or adopting new protocols.

3. Response Support

  • Insurers provide guides and assistance responding to incidents. This includes suggesting and coordinating with forensics firms, law firms, PR specialists, credit monitoring services, etc.

4. Helps With Compliance

  • Insurance can cover fines and penalties resulting from non-compliance with regulations like HIPAA and the CCPA.

5. Reputation Protection

  • Policies pay for PR services to help minimize brand damage after breaches.

The Case Against Cyber Insurance

However, some argue that cyber insurance has some significant shortcomings:

1. Doesn’t Prevent Attacks

  • Insurance doesn’t stop data breaches or cyber attacks. It only reduces costs after incidents occur.
  • Some say insurance makes companies less proactive about security since risks are transferred.

2. Limited Payouts

  • Many policies limit payout amounts for claims. Complex exclusions also exist.
  • Total coverage may not be enough for major breaches.

3. Insurers Lack Experience

  • The cyber insurance market is relatively new. Insurers have limited historical breach data to draw from.
  • This makes it difficult to accurately gauge and price risks. Policies and premiums are largely speculative.

4. Requires Constant Updating

  • Cyber risks evolve rapidly. This requires policies to be updated frequently to keep pace.
  • However, updating policies is often an arduous process. Gaps in coverage are likely.

5. Promotes Ransomware Payment

  • Some argue cyber insurance encourages ransomware payment since it reimburses extortion costs. This further incentivizes attacks.

Assessing When Cyber Insurance Is Worth It

Cyber insurance can provide value, but also has limitations. Here are some key factors to consider when evaluating coverage:

  • Your risk level – Insurance makes more sense for higher-risk businesses, like healthcare providers, that handle large amounts of sensitive data.
  • Coverage gaps – Carefully assess what’s not covered just as much as what is.
  • Available capital – The less financial capacity you have to handle a breach, the more useful insurance becomes.
  • Security standards – Weigh the benefits of any stricter security controls required by insurers.
  • Alternative options – Explore other risk-sharing arrangements like partnerships with managed IT security firms.

While cyber insurance can be beneficial, it’s ultimately no replacement for strong cyber security practices. It’s just one strategy to make breaches less financially devastating.

Real-World Examples of Cyber Insurance Falling Short

Cyber insurance has helped many businesses recover from data breaches. But there are also real-world cases of companies being let down by their policies:

  • Mondelez International – After the NotPetya cyber attack in 2017, Mondelez filed a $100 million insurance claim. Zurich Insurance refused to pay, citing a “hostile or warlike action” exclusion. The case is still being disputed in court.

  • Columbia Casualty Company – When accounting software company Wolters Kluwer was hacked in 2018, Columbia denied their claim citing the “professional services exclusion.” The insurer argued the breach resulted from Wolters Kluwer poorly configuring their systems.

  • Cottage Health – After a 2013 breach, Cottage Health had losses exceeding $25 million. But their $3 million cyber policy paid only $1 million after sublimits for legal fees and PR costs were applied.

As these examples illustrate, cyber insurance doesn’t always deliver when needed most. Exclusions, limitations, and evolving threats make adequate protection difficult to achieve.

Conclusion

Cyber insurance can be a valuable tool for risk mitigation, but it has limits in fully protecting businesses from modern-day attacks and breaches. Thorough evaluation of policies is required, and coverage should be viewed as just one component of a robust cyber security strategy rather than a catch-all solution. While insurance can certainly help in the aftermath of an incident, investment in proactive measures to prevent attacks in the first place is probably the wiser use of precious budget.
