With the never-ending series of companies disclosing massive data breaches on what seems like a weekly basis, the topic of cyber insurance is garnering a lot more attention in boardrooms around the world. While some may only be learning about cyber insurance now, it has actually been available for over a decade. However, the speed at which the cover is evolving means more work is needed to educate businesses across all sectors on its relative merits.
The fact that breaches are occurring more regularly and getting more media attention has executives curious to learn more about cyber insurance, how it works, what it covers and the role it might be able to play in their cyber security programs.
Cyber insurance is a rapidly growing part of the insurance business and one that is expected to be worth more than US$10 billion in global premiums by 2020.
But what, exactly, does cyber insurance cover and, more importantly, does it represent a legitimate layer of protection against cyber crime? Our view is that while cyber insurance can likely play an important role in many organizations’ holistic approach to cyber security, cyber insurance alone can’t ensure the integrity of your data or the continuity of your operations. There’s also the reputational element to consider. While an insurance policy can compensate for losses under certain circumstances, how effective can it be in helping to protect the brand and reputation of a company that’s being vilified in the news and on social media for not protecting its customers’ private information?
What is encouraging is that more organizations are taking cyber security more seriously and that these discussions are taking place at the highest levels of their companies. It wasn’t that long ago, however, that cyber security was relegated to the IT department. But with the onslaught of media coverage around each massive data breach (and the ensuing collateral damage), executives and directors have had their eyes opened to the fact that this isn’t an IT issue, but rather an ‘entire company’ issue.
While there may very well be a role for cyber insurance, there are some more pressing actions that CEOs should be taking to protect their companies.
First, leaders need to step back and examine all of the data-related threats that exist within their companies, along with potential future threats, negative outcomes, etc., and ensure that those threats are mitigated as effectively as possible. Of course, one of the challenges is that cyber criminals are constantly evolving and devising newer and more sophisticated tactics.
Employee education should be another top priority when it comes to a robust cyber security strategy. While headlines about hacked elections certainly grab our attention, the reality is that when we analyze the causes of most data breaches, we find that they occurred because of the actions of an employee – someone who didn’t install a security update or who clicked on a link they shouldn’t have.
Ultimately, cyber security comes down to each company taking ownership of this issue at the highest levels of leadership, assessing the various risks and developing strategies to manage those risks.
And while cyber insurance can play an important role as one piece in that overall cyber strategy, it is by no means a panacea. In the words of a speaker at one of our recent industry panels on this topic, “Cyber insurance can be a practical, functional tool in your cyber security toolkit. But if you think you’re protected because you have a cyber insurance policy in place, you’re being very naïve.”