Cyber insurance is getting a lot of press lately, and not all of it is favorable. Many in the information security business continue to view cyber insurance as a sham, suggesting premium costs are better put toward more robust security products and services. In support of this position, we put together this list of reasons NOT to purchase stand-alone cyber insurance, namely:
- Your employees don’t make mistakes. You purchase and employ the latest security solutions, all sporting perfect reviews from Gartner. All of your employees adhere to corporate policies, take monthly training courses, never send valuable information to incorrect recipients via email and never click on suspicious links or attachments.
- Your vendors never get hacked. You established a failsafe list of all your vendors (and your vendors’ vendors) with access to your information or systems. All vendors are perfectly categorized and you carefully conduct exhaustive review and monitoring appropriate for the risk the vendor presents. Plus, all your security software, hardware and all of the training used by your company stop all zero-day and known attacks perfectly 100% of the time.
- You back everything up 100% of the time. We already established that your employees never make mistakes and always follow procedure. Since you also use the best back-up media and hardware, you will never experience back-up failure.
- You already buy other insurance. You can make a claim against your fire, crime or kidnap & ransom insurance policies to pay for breach costs, fines & penalties, loss of income or damaged property. Most notably, you can take your property or crime insurer to court and possibly get a partial recovery. If you win, you may get reimbursed for your legal costs as well.
- You can divert $6,000,000 cash from the parks & public budget to offset any first or third party costs resulting from a security event.
- You only use security vendors that offer unlimited 100% performance guarantees (not simply limited to the value of the contract), so you don’t have to sue them for professional errors or product liability to secure payback for breach expenses due to failure of product performance. You are also named as an insured on their insurance, so you can rely on them to pay for breach expenses. Plus, you only use vendors with a cash surplus in excess of $2 billion, the same as an insurer rated XV in the A.M. Best size category.
If these items apply, cyber insurance is probably not for you. Otherwise you may find cyber insurance is a highly cost-effective part of your cyber security platform. Despite commentary to the contrary, cyber insurance works, but it is NOT a replacement for existing security investments.
If you decide to investigate further, make sure to use insurance brokers with specific cyber insurance expertise. Use your broker to review policy coverage parts, conditions and exclusions prior to purchase. Get quotes from multiple insurers. If you want to use one of your vendors for incident response, try to negotiate that into the deal. A good policy includes bespoke coverage for cyberterrorism events (such as NotPetya) and is devoid of any “maintenance” conditions as found in older policy versions.
It is common sense to use all available tools to protect against catastrophic peril. While not the most important part of your cyber security platform, a carefully crafted cyber insurance policy is a great addition to your existing cyber risk management program.
About the Author
Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed by insurance agents and cyber security providers.
Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including technology, healthcare, private equity, and real estate.
Cyber Risk Underwriters maintains offices in Atlanta, Georgia; Park City, Utah; and Huntington Beach, California.