As with any type of risk, organisations look for ways to minimise their financial exposure should the worst happen. Insurance is commonly used to protect the value of assets or to limit liability and, with the rise of cybercrime, a host of "cyber risk insurance" products are now available. However, these policies are still relatively new, and this is perhaps reflected in their uptake: our 2016 Risk:Value report highlights that one in five respondents do not know whether their business is covered by a cyber risk insurance policy.
So what does holding a cyber risk insurance policy really mean? A few high-profile court cases have helped to establish that it certainly is not a replacement for a well-rounded approach to cybersecurity and risk management. It is much the same as insuring your home contents against theft and then leaving the doors unlocked and valuables on display: your insurer would take a fairly dim view of a claim if those valuables were stolen. The evidence is that senior business decision makers recognise the limits of a cyber risk policy too. When asked what might invalidate their policies, almost half cited a lack of compliance, and almost 40% cited the lack of an incident response plan and poor physical security. This suggests that, while awareness of the need for a robust approach to cybersecurity is growing, there are still gaps in execution, and businesses no longer expect insurance to save them.
It is also important to remember that cyber risk insurance is only likely to provide financial compensation, and that compensation is probably limited to very specific areas such as legal or remediation costs. It is far more difficult to insure against intangible consequences such as future revenue impact or damage to brand equity, because these are harder to quantify. Furthermore, it is almost impossible to put a price on customer trust, which once lost may never be regained.
As a result, understanding the limitations of any insurance policy is essential, and cyber risk insurance is no exception. An organisation may choose to take out a cyber risk insurance policy, but this should not come at the expense of a comprehensive approach to cybersecurity and risk management. There is a strong relationship between security and trust, and it is very hard to put a financial value on that relationship once it is broken.