How cybersecurity and insurance can reduce risk and enhance security


Data breaches, ransomware attacks and social engineering scams are becoming an everyday affair. Cyber incidents are also becoming more financially damaging with each passing year, making it harder for organizations to recover. The average cost of a data breach (at $4.45 million) has risen by 15% over the past three years, while the median recovery cost of a ransomware attack stands at about $1.82 million, excluding the cost of the ransom.

To counterbalance these risks proactively and to reduce financial exposure, more organizations are opting for cyber insurance to partially cover losses from a range of information risks. That being said, insurance should not be a substitute for cybersecurity. Here are five reasons why:

1. Cyber insurance will only compensate a portion of financial losses

When an attack or breach happens, there is a lot more at stake than just money. A cyberattack can result in loss of intellectual property, loss of customer trust and confidence, loss of reputation, loss of competitive edge and productivity. It can be difficult to quantify these losses and insurance claims will not recoup all that is lost.

2. Paying the ransom does not always guarantee outcomes
Insurance money might help pay the ransom, but paying the ransom does not always guarantee that threat actors will release the encryption key or return the hijacked data. Most victims (92%) fail to receive their data after paying the ransom. There is also no guarantee that threat actors will not repeat the offense. On the contrary, paying the ransom only encourages malign actors to perpetuate their attacks.

3. Cyber insurance policies too have exclusions
As cyberattacks increase, insurance claims are also rising, introducing more risk to insurers. To offset these losses, insurers have begun tightening policy guidelines and introducing exclusions that allow them to reject or deny claims under specific conditions. For example, 21% of cyber policyholders have a clear ransomware exclusion. While war exclusions are a standard clause among insurers, the language around them is murky at best. Determining whether a hacktivist is operating solo or in concert with a nation-state is a big unknown; geopolitical adversaries typically deny affiliation with ransomware gangs.

4. New disclosure rules raise insurance risk
The Securities and Exchange Commission (SEC) has mandated that publicly traded companies report cyber incidents within four days of determining that an incident will have a material or substantial impact on shareholders. These new rules enable insurers to scrutinize their clients' cybersecurity and governance practices more closely. It is also worth noting that the U.S. government is already mulling over an outright ban on ransomware payments.

5. Cyber insurance is not a replacement for security obligations
Every business has an obligation to protect its information assets as well as its customers, employees, business partners and their data against cyberattacks and data breaches. Simply transferring this risk to a third-party insurance provider does not absolve the business of these responsibilities or obligations.

What can organizations do to reduce their risk exposure?
Cyber insurance is certainly beneficial for businesses; however, it must only be seen as a contingent strategy to cover sudden or unexpected risks. Cyberattacks are a matter of when, not if. It is critical that organizations focus on real mitigations involving technology, people, policies and processes, and not depend solely on insurance policies. Here are some recommended best practices:

1. Have a robust cybersecurity program in place: Deploy multi-layered cybersecurity defenses (multi-factor authentication, firewalls, email security, web security, et al.) along with clear cybersecurity policies and processes. Organizations seeking insurance coverage may need to undergo security audits to verify they meet minimum security standards.

2. Train employees well: 74% of cyberattacks and breaches are caused by human error. Organizations can significantly reduce exposure to security incidents by providing employees with in-person training and regular phishing and social engineering simulation exercises that help them identify and report these malign attacks. Some cyber insurance providers offer security tabletop exercises, training videos and breach response scenarios for insureds. Take advantage of those materials, services and content to train your people.

3. Adhere strictly to compliance and regulatory mandates: Be sure to implement industry-leading guidelines, frameworks and compliance standards to ensure that all required and recommended protections and practices are followed. Insurers are known to deny claims if they discover that a company has misstated its adherence to certain privacy laws or regulations.

Final thoughts
A strong partnership between cybersecurity and cyber insurance can foster a robust security culture and reduce risks. Organizations understand that having insurance alone does not mean they can forgo implementing necessary security measures. Relying solely on insurance coverage undermines both the insurance carrier and the policyholder. Both stakeholders are genuinely more satisfied when strong security protocols are in place, as this lowers the overall risk profile.

When cybersecurity and insurance work in tandem, organizations can build a more resilient security culture. Both policyholder and carrier benefit since the coordination of efforts can narrow the likelihood of filing claims. Cybersecurity plays a pivotal role in mitigating cyber threats. It involves strong access controls, continuous cybersecurity training and simulated phishing exercises, incident response plans, regular risk assessments, and monitoring systems for any signs of compromise. Proactive cybersecurity measures can greatly reduce the likelihood and impact of cyber incidents and potentially lower premiums.

Cyber insurance providers can support the security mission by offering risk assessments, security consulting, and resources to help organizations improve their security posture. Acting as a safety net to ensure organizations have capacity to bounce back from incidents, cyber insurance provides coverage for costs associated with incident response, recovery, legal fees, regulatory fines, and potential lawsuits.

By collaborating closely, cybersecurity professionals and insurance providers can share insights, best practices, and trends in cyber threats, leading to a more stable and secure environment for all parties involved.

Editor's Note: Cybersecurity and insurance fraud will be part of the discussion at Digital Insurance's DIGIN Conference in Boca Raton, Florida, on June 27-28. Join us to hear the latest on this topic.
