Cyber Insurance Is Great – Except When It’s Not
It would be great if cybersecurity insurance provided an affordable, reliable means of protecting your business from the innumerable cyber threats it faces today.
Unfortunately, it doesn’t. While cyber insurance has its purposes and can be a good investment, it’s hardly a panacea when defending against cybersecurity risks. It’s a type of product that has hit a “plateau,” as Harvard Business Review puts it, because cyber insurance has not evolved quickly enough to meet modern security threats.
That’s why, for example, cyber insurance won’t reliably protect you against supply chain security attacks. Even if you find a policy that does address supply chain threats, actually claiming your insurance benefit may take so long that the insurance doesn’t end up doing your business much good following a significant breach.
Please keep reading for an overview of the advantages and drawbacks of cyber insurance and tips on when it does and doesn’t make sense to rely on cyber insurance alone.
What does cyber insurance cover?
Cyber insurance was introduced in the 1990s and was hailed as a way to protect against IT-related risks that are typically not covered by other types of business insurance. The original intent was to give companies a means of protecting against the financial fallout resulting from data breaches and disruptions to critical IT systems.
Several insurance companies offer cyber insurance today, including Hiscox, The Hartford, CNA, and Nationwide.
5 potential disadvantages of cyber insurance
On the surface, cyber insurance probably sounds like a simple way to make sure a cyber attack doesn’t render your business bankrupt. In reality, though, cyber insurance isn’t necessarily so rosy. There are a number of potential pitfalls or drawbacks to purchasing cyber insurance.
The first is the simple cost of cyber insurance. Although cyber insurance premiums were relatively affordable in the past, they have surged in cost in recent years, as this graph of policy costs shows:
Thus, the cost of cyber insurance may be too high for many businesses today.
Cyber insurance is not a set-it-and-forget-it affair. You have to manage your coverage actively by ensuring that your policy is kept up to date as your risks change – which they typically will, because you’ll roll out new systems or collect new types of data, for example, that your original policy may not have covered.
Most cyber insurance policies also place strict requirements on the insured to keep detailed records, secure their systems, and manage risks. If you fail to demonstrate that you took the steps required to protect your business against a breach, an insurer may deny your claim.
This isn’t to say that managing cyber insurance is infeasible. But it is to say that businesses shouldn’t underestimate how much effort goes into it.
It’s easy to fall into the trap of assuming that as long as you’ve purchased cyber insurance, you’re covered against any and all cyber-related risks.
The truth, unfortunately, is that cyber insurance policies will always have exclusions or limitations regarding what they cover. “Insurers are demanding great security and are cutting back the amounts of cover they are willing to offer,” ZDNet reports. If you don’t read your policy disclosures very carefully, you may find that a breach you thought was covered is not.
Also, remember that merely interpreting coverage rules can be complicated – so complex that you may need to go to court to prove you are entitled to coverage. That’s what Merck had to do in a recent claim involving $1.4 billion in losses following a cyberattack. Merck, whose insurer said the claim was excluded from its cyber insurance policy because it was an act of war instead of a standard cyberattack, prevailed in that case.
But for smaller companies, in particular, this should be a warning: Going to court to defend your cyber insurance entitlements can be costly and time-consuming. Even if you have a legitimate claim, you may never get a payout if your insurer contests it and you lack the resources to defend it.
Claiming insurance takes time.
Even if you don’t have to go to court to get your insurer to pay out, there’s no guarantee that cyber insurance will result in immediate financial assistance following a breach. The claims process could take months or even years, especially if it requires collecting detailed information about the source of a breach to determine whether the breach is covered.
If a cyber event causes significant financial disruption, then your business may not be able to survive it if the insurance claim process takes too long.
The supply chain is not insured.
In general, cyber insurance covers risks that affect your IT resources directly. Software supply chain threats originate in third-party systems and are not usually covered.
This is especially bad news given that advanced supply chain attacks are projected to increase by about 650 percent in the coming years. It means that investing in cyber insurance is not a reliable way to protect against supply chain risks. For that, you need different tools – like a software supply chain risk assessment and disclosure platform.
The future of cyber insurance
Cyber insurance may well evolve in the future to close the gaps described above. We may see a reduction in costs, for example, or the creation of new policies that specifically address supply chain risks. Indeed, the U.S. Government Accountability Office has found that more insurers are creating dedicated cyber insurance policies, which could lead to more comprehensive coverage down the line.
Even if that happens, though, it’s impossible to guarantee that any cyber insurance product will fully protect your business against all threats. That’s why it’s critical to invest in other tools that help you detect and respond to risks. The security blanket of a cyber insurance policy doesn’t suffice to keep your business safe.
By all means, invest in cyber insurance if it makes sense for your business. But don’t blindly entrust your company’s financial health to insurance alone.
Instead, invest as well in solutions like Findings, which automates cyber risk assessment and management – not just within your business’s environment but across your supply chain as well.