Top Cybersecurity Myths: We Can Just Get Cyber Insurance
MYTH: Cyber insurance will give us enough protection.
With the continued headlines about cyber breaches and incidents, cyber insurance has become a buzzed-about topic. Debates about whether organizations should invest in this type of insurance continue to occur in management and board meetings. And if you have not had these discussions yet, you should!
However, it’s a myth that cyber insurance (also called cyber risk insurance or cyber liability insurance coverage) is a cure-all. Organizations should not think that insurance is the answer to their problems, negating the need to invest in security controls.
Let’s evaluate the biggest pitfalls with believing cyber insurance is the panacea to the threats that continue to plague our cyber world.
Sometimes insurance doesn’t cover what you think it does.
The biggest issue is that organizations often don’t have a clear picture of what their insurance policies do and do not cover. "Cyber insurance" is a vague term, and a policy can have many layers and facets.
It’s imperative to take the extra time to delve into the coverage and gain a comprehensive understanding of the policy. Ask the following questions:
- What types of incidents are covered? There are so many types of cyber incidents (e.g., distributed denial-of-service (DDoS) attacks, ransomware and other forms of malware, electronic theft, deletion or corruption of data) and policies may stipulate what types of incidents are covered.
- What type of coverage is included? Consider coverage of legal fees and penalties, notification to affected parties, forensics or incident investigation services, incident response coverage, and loss of income due to disruption of operations.
- How is a claim made? What minimum requirements must you meet to make a claim? What documentation is required to make a claim? Some policies may require certain data and evidence to submit a claim. If you can’t provide this, you may not be able to make a claim.
You often need to meet baseline controls to make a claim.
To obtain insurance, organizations are often required to complete an extensive questionnaire about their controls and policies. Many cyber insurance policies stipulate baseline controls that must be in place. Your policy may require a documented risk analysis of your controls, firewalls and other perimeter security protections, or an annual IT/IS audit.
If your organization doesn’t have the stipulated baseline controls in place, you run the risk of your claims being denied. Many organizations get cyber insurance without reading the fine print or attesting to controls they either don’t understand or don’t have in place. When the time comes to make a claim, if they can’t prove they had these controls, they may be out of luck.
An adequate policy one year may be insufficient the next.
If you do purchase cyber insurance, you need to revisit the policy annually. First, threats and risks are constantly evolving and changing. Does your policy still cover the areas that are applicable to you? If not, you may need to work with your broker to make adjustments.
Secondly, are you still meeting the stipulations within the policy? As noted above, many policies require baseline controls in order to file a claim. Many organizations make enhancements to their control framework throughout the year as new technology and enhancements become available. This is great — unless you forget to come back to the policy stipulations.
If you decommission an existing layer of control for another more robust option, check to see whether you have invalidated your ability to make a claim by doing away with a required control as defined by the policy.
Cyber insurance doesn’t cover a loss of trust in your organization.
Keep in mind that while a cyber insurance policy may help you recoup financial losses related to penalties, fines, and disruptions of operations, no insurance policy can cover monetary contributions that donors haven’t made yet.
If you have a cyber issue that results in a breach of sensitive donor information or loss of funds, donors may lose confidence that your organization can protect their information or use their dollars for the intended cause. These donors may take their donations elsewhere, affecting future revenue streams as a result of lost donations and additional expenses related to marketing or donation campaigns.
The goal of this post is not to discourage you from getting cyber insurance. It is a great tool to have and can be a critical component of your information security strategy. However, it should not be the only layer of control you implement. Instead, combine cyber insurance with regular cybersecurity assessments, a designated information security officer to oversee this critical area, a layered control framework, and a partnership with legal counsel that can aid you in defending cyber claims.
Please contact us at firstname.lastname@example.org with questions or to learn how CapinTech can help your organization assess and reduce your cybersecurity risk.
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.