Data breaches are rampant in the world of business today. Hardly a week goes by without a reported breach or fines that range into the millions of dollars. This new age of security has brought about a change in the way that organisations structure their risk, and their insurance. Unfortunately for many, their over-reliance on cyber insurance to bail them out when they suffer a breach leaves them with a “customer last” security policy.
Insurance has always been an important part of peace of mind and ensuring that we can go about our lives or operating businesses in relative security, but the buck should not stop with insurance.
To put it into context, just because you have vehicle insurance, it does not (or should not) mean that you become reckless whilst driving. So why are we hearing more and more business leaders opt for the bare minimum in terms of cybersecurity measures because of cyber insurance?
While claiming on insurance does help recoup financial losses, undergoing a breach usually has the following effects:
- It raises your insurance premium and you may only be able to recoup some of the financial losses (depending on insurance cover)
- Breaches increase the stress levels of your employees (especially on the security and IT teams)
- Cyber insurance does not cover an organisation from a reputation point of view
What is often overlooked is the reputational damage that inevitably follows a data breach that is revealed to have happened due to security policy negligence. By choosing to rely on cyber insurance as opposed to mitigation and response methods, the organisation is essentially saying that it doesn’t care about the data that it is supposed to be protecting and therefore it does not care about the customers, employees and partners to which the data relates to.
Who would want to do business with an entity like that? When an organisation is breached and the main mitigation strategy was insurance, how likely would you be to do business with them again? At the end of the day, insurance protects the one who was breached and not the hundreds, thousands or millions of others affected.
It’s important to realise that beyond the financial fallout from a breach, the reputational fallout could result in a reduction in future revenue and partnership opportunities.
It goes without saying that cyber insurance is still an important part of protecting the organisation financially, especially as breaches are accepted as an inevitability, ‘it’s not a matter of if but when’. However, organisations must not rely solely on cyber insurance as the answer to potential breaches.
It’s also important to understand the frameworks and standards around risk and how they relate to your cyber insurance. If you’d like more information on this, Privasec recently ran a webinar (click here to view the recording) which covered the complexity of insurance and how organisations can apply a structured approach to accurately quantify the potential loss, based on international standards such as the Open Group FAIR framework and the new standard ISO27102:2019 for cyber insurance. This enables your organisation to better understand its financial exposure to cyber risk and be able to negotiate a more tailored cyber insurance coverage.