Cyber insurance seems to be a popular new buzzword for many businesses. Roughly 70% of companies are now trying to transfer the risk to a third-party insurance company. Out of these, roughly 25% were spending $500,000 or more on premiums. When asked in the RIMS cyber security survey why they made this decision, 82% of companies said they were concerned about how a breach could harm their reputation. 76% were concerned about business interruption and 75% were concerned about data loss.
What Is Cyber Insurance?
The goal of cyber insurance is to transfer some of the risk of a security breach to an insurer. However, insurance cannot automatically restore a reputation damaged by an attack.
The unfortunate truth is that some companies believe that if they spend money on cyber insurance, they no longer have to ensure they have adequate security in their company. This may leave some uninformed C-level executives asking “what is cyber insurance?” with the belief that if they have it, then that’s all they need. The reality is that, while cyber insurance can be helpful, it’s no substitute for having proper security policies and training in place and making sure they are followed.
Insurance companies are not going to pay out if companies do not take adequate care to protect their own data networks against cyber security threats. It’s important to make a distinction between what is preventable and what is beyond the control of the business.
“In the case of cyber insurance, however, the insurers do not check for adequate controls and only test controls when a claim is actually made. This is time consuming and expensive to do, not to mention too late,” says Philip Lieberman with Identity Week.
How Do You Address The Risk?
While having cyber insurance can be a great idea, it’s also important to adequately address the risk by implementing proper training, testing, and education. This should include a cyber risk strategy that reviews the value of the data, type of data, and exposure to the data.
Some things you have to protect your business from include:
The average cost of a data breach in the United States is $6 million. 60% of small companies cannot withstand the result of this type of attack, according to the US National Cybersecurity Alliance. A proper security policy and regular intrusion testing can help reduce the risk.
Social engineering targets businesses of all sizes and types. Fortunately, one of the best ways to avoid social engineering is with employee training. This allows employees to make proper decisions and detect when social engineering occurs.
While ransomware used to be almost exclusive to Windows-based machines, it can now be found on Mac, Linux, mobile devices, and more. Ransomware and social engineering continue to be two of the fastest growing cyber threats. Using endpoint protection software along with proper security policies can help reduce the risk.
Do You Really Need Cyber Insurance?
For most businesses the answer is yes, you really do need cyber insurance. However, it’s important that you take proactive measures to ensure proper security policies are in place and that tools such as endpoint security software are up to date to help minimize risk. In the event that a cyber intrusion does occur and you need to file an insurance claim, you will need to prove that your company did everything possible to prevent the attack.