Companies are increasingly seeking to transfer risk through cyber insurance. This trend has been driven by the growing severity of cyber attacks and the resulting skyrocketing costs of incident response, business disruption and recovery.
Companies struggle to afford the high prices of cyber insurance, however. One market index reported that the price of cyber insurance increased 79% in the second quarter of 2022. Without it, companies risk shouldering the full cost of any resulting harm.
Furthermore, insurers that lack the decades of actuarial data available in traditional lines of coverage must consider whether to provide cyber insurance to clients unable or unwilling to demonstrate their cybersecurity maturity through independent risk analysis.
This combination of circumstances leaves businesses vulnerable, financially drained and facing potential reputational damage. But does it have to be this way? And is cyber insurance truly necessary?
For the majority of organizations, the answer is that cyber insurance is a worthwhile investment as part of their overall risk treatment plans. There are a number of activities, however, that should be undertaken to optimize the benefits and reduce the costs of cyber-risk insurance.
Assess the business landscape to identify current risk and maturity
A rise in high-profile attacks, in tandem with increased regulation and compliance requirements surrounding cybersecurity and privacy, has shifted the conversation around digital safety. No longer is cybersecurity an optional aspect of the business model with a fixed, stagnant cost.
Businesses today have become too digitally dependent to ignore cybersecurity, with classified, internal information stored online; communication largely conducted via email or another platform; and the workforce transitioned to hybrid and remote work environments. Effective cybersecurity and privacy, as well as mitigating financial and operational risks, can be strategic enablers to modern digital business.
In the aftermath of the COVID-19 pandemic, society has become more reliant upon technology. Every organization is adapting to the impact of a digital society, with many implementing digital transformation initiatives. While these investments are made for operational efficiency reasons, they also create a pathway to business growth and survival.
Any digital approach that does not place cybersecurity at the core of its operations, and by design, will sleepwalk into heightened levels of cyber-risk. The size of an organization is not relevant to whether risks will exist, but it is relevant to the liabilities and risk exposures, especially when considering the effect of digital supply chains.
Cyber insurance is not a solution -- it's a piece of the puzzle
Regardless of industry or company size, all businesses should conduct an independent cyber audit prior to committing to cyber insurance. In doing so, organizations can determine their need for cyber insurance and better understand their risk posture and weak points.
Even if insurance is needed, the audit adds further value: it lets the insurer support the company in a way that is specific to its digital landscape and helps it become more digitally resilient. Additionally, the existence of an independent audit and risk review may enable the insurer to offer higher levels of coverage without the need for excessive premiums.
Each company is unique, and its digital security needs are different. The key question is how to protect a business from cyber threats in the most cost-effective way, especially if cyber insurance is out of budget and financially unavailable. Businesses must understand that cyber insurance -- while often an effective tool -- is only one of many ways to effectively fight the risk of a cyber breach.
Businesses too often focus on seeking alternative ways to become digitally secure while staying within their financial means. Many organizations believe that investing in expensive cybersecurity software is the only way to reduce risk and, therefore, make cyber insurance affordable -- this is simply not the case.
In my 30 years of experience, I have never seen such a narrow-minded strategy succeed. Organizations must instead balance their response to cyber-risk management through people, process and technology aligned to their governance, risk and compliance objectives.
Only once these elements are balanced, fully considered and then proportionally and pragmatically implemented will an organization be able to ascertain its cyber-risk baseline and the levels to which it can transfer risk to insurance.
Cyber insurance: A worthy treatment but no panacea
Business leaders must understand that cyber insurance is not a be-all and end-all safeguard against cyber attacks. Instead, think of it as a security blanket that can help if the worst-case scenario occurs. With that perspective, businesses need to determine whether the high price of cyber insurance is worth the investment -- or whether they would be better off investing in their overall cybersecurity architecture.
About the author
Mark Brown is global managing director of digital trust consulting at British Standards Institution (BSI). He has almost 30 years of expertise in cybersecurity, data privacy and business resilience. He has previously held global leadership roles across industry organizations and professional services, including tenures as global CISO at SABMiller plc and global CIO/CTO at Spectris plc, as well as leadership roles as a senior partner at Wipro Ltd., and was also a partner at Ernst & Young (EY) LLP.