Is Cyber Insurance Enough to Stop Worrying About Ransomware? (Hint: No)

Businesses and organizations of all sizes can suffer significant revenue losses as a result of cyberattacks. As a result, cybersecurity insurance is becoming increasingly popular. After an attack, the prospect of getting money back becomes increasingly appealing. However, it raises lots of questions, the most appealing of them is if it’s enough to stop worrying about ransomware and its consequences.

Not only that, but many organizations ask themselves if cyber insurance is appropriate for them, or what are the advantages and disadvantages, and if they are worth the cost. Let’s go through some of these questions.

What Is Cybersecurity Insurance?

Cybersecurity insurance, also known as cyber liability insurance or cyber insurance, is a contract that an organization can buy to help mitigate the financial risks of doing business online. The insurance policy transfers some risk to the insurer in exchange for a monthly or quarterly fee.

Why Is Cybersecurity Insurance Important?

Cyber-liability insurance is another name for this service. According to a Sophos survey, 84 percent of the 5,000 people polled have a cybersecurity insurance policy. According to Zurich North America and Advisen Ltd., 55% of the companies have purchased cybersecurity insurance as a stand-alone policy, while 13% purchased it as part of a more significant policy. The following are the specific risks that managers want to insure against:

• Bricking attacks – 72%
• Funds transfer fraud – 66%
• Contingent business interruption – 72%
• Social engineering – 66%
• System failure – 70%
• Reputational harm – 60%
• Internet media liability – 63%

Electronic data loss, compromise, or theft can harm a company, including losing customers and revenue. In addition, businesses may be held liable for losses caused by the theft of third-party information. Therefore, cyber liability insurance is essential for companies to protect themselves from the risk of cyber events, including those linked to terrorism. In addition, cyber-risk insurance can help with the quick recovery from cyber-attacks and incidents.

A Real-Life Example

Hackers broke into Sony’s PlayStation Network in 2011, exposing personally identifiable information (PII) from 77 million PlayStation accounts. Users of PlayStation consoles were unable to access the service for 23 days due to the security breach. As a result, Sony had to pay over $171 million in costs due to the hack. A cyber insurance policy could have covered some of this cost, but Sony didn’t have one in place. In addition, Sony’s insurance policy only covered damage to physical property, according to a court ruling, leaving Sony to bear the total cost of cyber damages.

How Does Cybersecurity Insurance Work?

Many companies that sell related business insurance, such as E&O insurance, business liability insurance, and commercial property insurance, also sell cyber insurance. Most policies provide first-party coverage for losses that directly affect a company, as well as third-party coverage for losses incurred by others as a result of a cyber event or incident, based on their business relationship with that company.

What Is Covered by Cybersecurity Insurance?

Customers can purchase cybersecurity insurance from most major insurance companies. Customers can expect to be covered for additional expenses resulting from the physical destruction or theft of information technology (IT) assets, depending on the price and type of policy. Costs associated with the following are typical examples of such expenditures:

1. Responding to ransomware-related extortion demands
2. Notifying customers when there has been a security breach
3. Expenses incurred as a result of privacy violations
4. Using computer forensics experts to recover compromised data 
5. Restoring the identities of customers whose personally identifiable information (PII) has been compromised
6. Recovering data that has been tampered with or stolen, and
7. Repairing or replacing damaged or compromised computer systems

Many basic cybersecurity insurance policies only cover first-party losses, but some insurers also offer third-party liability coverage. In addition, many cybersecurity policies ignore human-caused security issues, such as poor configuration management and careless digital asset mishandling. Other problems not covered by cybersecurity policies are:

1. Prior breaches or cyber events, such as those that occurred before policy purchase 
2. Employees or insiders initiate and cause cyber events
3. Infrastructure failures that aren’t the result of a malicious cyberattack
4. Failure to address a known vulnerability, such as when a company is aware of a vulnerability but fails to address it, resulting in vulnerability exploitation; and
5. The cost of improving technology systems, such as hardening systems or applications for security

Who Needs Cybersecurity Insurance?

Cyber insurance can help businesses create, store, and manage electronic data online, such as customer contacts, sales, PII, and credit card numbers. Cyber insurance can also benefit e-commerce businesses, as downtime caused by cyber incidents can result in a loss of sales and customers. Similarly, any company that stores customer information on a website can benefit from cyber insurance policies’ liability coverage.

Cons

Cybersecurity Insurance may have some disadvantages. Let’s discuss the primary disadvantages in the section below:

Inadequate coverage: Most companies only have insurance covering ransomware, one of the most important reasons for cybersecurity insurance. Nevertheless, it accounts for inadequate cybersecurity coverage.

It may stimulate Ransomware-as-a-Service: Many organizations have been victims of ransomware attacks in the last year. Furthermore, the total cost of these attacks increased. In most cases involving insurance policyholders, the cybersecurity insurance company pays the ransom. However, there are also some compelling arguments against paying ransoms, such as the possibility that doing so will incentivize future attacks by demonstrating that victims will pay.

Cyber insurance can be expensive: According to Reuters, the increasing severity of ransomware attacks has driven up premiums by as much as 25% in recent years.

Trust issues: It may make it difficult to enlist the support of business leaders because of the lack of trust and complete understanding of the necessity for cyber insurance. One of the top reasons for not buying it is the cost or a lack of buy-in from business leaders.

Pros

There are benefits to having an insurance policy beyond the obvious one of being able to recover financial losses, such as:

Data Breach Insurance: Cyber insurance policies cover the additional costs of security fixes, identity theft protection, and legal action for those affected by a data breach.

Business interruption reimbursement: Cyber liability policies can assist in reimbursing lost income due to attacks.

Cyber extortion defense: Cyber liability insurance can assist in the recovery of any losses caused by cyber extortion.

Legal assistance: Following a costly cyber-attack, businesses frequently seek legal aid. After a cyber-attack, cyber insurance can help companies to afford proper legal representation.

Should you go for it?

Those who do have cybersecurity insurance find ways to put it to good use. Data breaches are becoming more common and have a more significant impact. According to Willis Towers Watson, claim frequency increased by about 18% in 2020. According to a report released this summer, data breaches are now costing businesses close to $4 million (an average of $3.86 million per attack).

Good cybersecurity practices have a high and growing business value, especially in finance, health care, and other industries where attack risks and costs are high. Additionally, the shift to working from home in 2020 and now 2021 has altered the landscape unexpectedly. Therefore, it’s critical to strike a balance between cost and need, as well as benefits. 

At the same time, as with any insurance, a well-balanced mix between good habits and a “last case” policy goes a long way. Think of a car insurance policy: the better you drive, the more you engage in defensive safe, defensive driving, the less you need to activate your insurance, having a positive impact on your premiums and reducing the cost associated with them.

The same thinking applies to cyber insurance: a small investment in good cyber habits goes a long way towards avoiding data breaches and ransomware attacks, avoiding either financial losses in paying out of pocket or in increasing premium policy costs on your insurance renewal. 

So, as much as cyber insurance becomes more and more of a necessity, it doesn’t replace the need for continuous human risk management.