Hey Linus, Lose the Security Blanket
Cybersecurity insurance continues to be an increasingly popular investment for businesses of all types and sizes. Seen as a catch-all for the unpredictable, unreasonable or undesirable, cybersecurity insurance has become an attractive option for businesses who don’t have or don’t take the time to understand their alternatives.
But cybersecurity insurance policies, like other insurance vehicles can be tricky and expensive. They’re not a cloak of invincibility. Heck, they’re not even a security blanket. Here are just a few of the issues.
- First, cybersecurity insurance is a moving target and you may find yourself underinsured or not insured at all. The less you understand about security, your assets and your risks, the less you will understand your insurance policy. One of the most painful lessons of Hurricane Irene was in the area of insurance. We heard countless stories of homeowners who thought that their expensive flood insurance policy would cover their losses, only to find out that they weren’t covered due to some esoteric loophole. Little did these policyholders know that there are many types of flood insurance, each covering a specific condition. The same is true of cybersecurity insurance.
- Insurance can be more expensive than prevention. Insurance premiums for flood, fire and other policies are based on endless mountains of actuarial data that have been analyzed, sliced and diced such that the carrier knows exactly how much to charge for coverage. This premium ensures that the carrier will continue to make money even when its policyholders have claims. These calculations are based on statistical certainties. Because cybercrime is both immature and ever-changing, these piles of actuarial data do not exist, causing carriers to conservatively over-charge. The money you’re spending on insurance could have been better spent on avoiding the problem in the first place.
- Insurance won’t replace all assets. If insurance is your primary security mechanism for assets that are irreplaceable, you’re putting yourself and your business in jeopardy. Things like backups, historical data, documents and other sensitive or confidential assets cannot be recovered by insurance. There’s a reason that 25% of businesses that are victimized by cybercrime never recover.
- Insurance won’t protect your reputation. When your business experiences a databreach, a malware outbreak or other security incident that results in a public relations issue, no amount of insurance coverage is going to repair the damage. Understanding your risks will help you avoid an incident, paying for insurance that doesn’t help only adds salt to the wound.
Cybersecurity insurance can be a valuable defensive mechanism for businesses when applied properly. When properly understood and selected, it can address areas of risk that are difficult to manage with other controls. When misunderstood, it can compound a security incident with confusion, frustration and expenses.
If you’re considering cybersecurity, give the policy a close read. If you already have a policy, give it a closer read. The last thing you want to hear from your insurance carrier after a security incident is, “sorry Charlie”.