Security Think Tank: Cyber insurance – A nice safety blanket, but don’t count on it

In the second instalment of this month’s Security Think Tank, Mike Gillespie argues that cyber insurance should be thought of like car insurance – you don’t start driving recklessly because you’re covered

Cyber insurance is a form of cover designed to help businesses get back on their feet following a cyber incident, such as a cyber attack on a work computer system. And, in recent years, there has been a huge explosion in the range of cyber insurance products in the marketplace.

Almost all of the mainstream insurers, and many non-mainstream ones besides, have leapt to get in on the action, while at the same time the appetite for buying this type of insurance has grown, so there is clearly money to be made and plenty of marketing and selling to be done.

Cyber insurance is a safety blanket, but it will not solve your cyber security issues or prevent a cyber attack or breach. Think of it like car insurance – just because you have it, it doesn’t mean you should start driving recklessly or that another car won’t bump into you and cause damage.

Equally, having car insurance does not absolve you of your obligation to keep the car well maintained, pass its MoT, or mean that you no longer need to wear a seatbelt. In the same vein, organisations must put other measures in place to protect their cyber security.

As with installing technology, you cannot assume everything is fine simply because you have it. Insurance does not take into account any human failings or challenges that could arise. Most businesses might be surprised to find they are in breach of their policy if they demonstrate poor security practices and posture, but buying insurance won’t change that; only doing the work to put it right will.

As stated on the NCSC website, the onus is on you to make sure your organisation’s cyber security procedures are accurate, up to date and effective. This may include a range of technical, physical, procedural and human controls that need to be in place before you look for a cyber insurance policy.

Once you are confident in the effectiveness of your controls and feel sure that they provide you with the right level of cyber resilience, then you can look for a cyber insurance policy. 

Before purchasing a policy, you need to make sure you understand what it covers, just as you would check whether your car insurance includes roadside assistance in the event of a breakdown or legal cover in the event of an accident. You should not limit yourself to meeting the minimum cyber security requirements specified by your insurer – your business is unique, and what you see as important and the most valuable to protect may not be sufficiently protected by the basic insurance plan.

Additionally, unlike many other forms of insurance, cyber insurance is still a relatively immature market. The choice of insurance policies has become vast and complex, and the coverage varies so widely that it is almost impossible to compare policies because insurers are trying to manage their risk so carefully in a market that is not yet fully understood.

The insurers rarely apply any risk weighting in deciding on access to insurance, and there are no discounts for being a careful driver, so you could well be spending money on a policy that is not going to evolve with your organisation’s growth and changing maturity.

In an ideal world, if you have put appropriate and effective controls in place to minimise the potential for a breach, then that would be recognised and your premiums would be discounted – but, sadly, that is not really the way the market works right now. Equally, as the insurers will be working on a worst-case scenario, you may be funding other, less mature, less responsible, less resilient organisations’ insurance.

Cyber attacks are quickly evolving, and the policy you take out may not cover a new type of attack that arises in the future. If your policy is limited and doesn’t cover a new attack, what do you do then? This is why it is vital to cover all bases where possible; cyber insurance is not the golden ticket to safety and recovery.

That is not to say cyber insurance is not worth having – it is, but it is only one piece of the puzzle when it comes to managing risk and ensuring the overall resilience of your business. 

And just like our car insurance policy example, it probably won’t pay out if it turns out that your business was driving recklessly and irresponsibly and, as a result, caused the accident.
