Cyber insurance cover

by Mark Rowe

Is cyber insurance really worth the investment? asks Manoj Bhatt, Head of Cybersecurity and Networks at the tech consultancy Telstra Purple.

With the cost of ransomware attacks averaging $4.62 million according to IBM, it can be more than tempting for businesses to rely on cyber insurance to foot the bill. But taking out cyber insurance cover is by no means cheap, or easy, and with some fearing the precedent payouts set for hackers, it’s no surprise that many in the industry are now looking critically at the value of insurance cover versus having a pot of money for those rainy days. In an increasingly challenging financial climate where every tech dollar needs to be justified, organisations must ensure they’re looking at cyber insurance for the value it provides, rather than as part of any tick-box exercise. That said, it is recognised in some verticals that cyber insurance is an assurance mechanism that enables the business to bid or sell its services to other companies.

A question fuelled by ever-evolving complexity

As the technology landscape has rapidly evolved, the number of cyberthreat vectors has multiplied. For example, AI tools such as ChatGPT have made it increasingly difficult to spot phishing attempts, and the increase in remote working following the pandemic has opened new vulnerabilities in work networks from multiple entry points. The complexities of the cyber threat landscape have led to a significant rise in the price of premiums, and the cost of cyber insurance does not stop there.

The process by which an organisation identifies and secures insurance requires significant resources, including filling out detailed questionnaires, undertaking extensive risk assessments, and carrying out huge amounts of remedial work. It is therefore essential that businesses take the time to evaluate what type of insurance, if any, is most appropriate for their needs to prevent the unnecessary waste of resources.

But the more complex the technological environment becomes, the more complicated it can be to take out cyber insurance cover that meets a business’s specific needs. Some premiums cover first-party risks, such as business interruption and/or the theft of money, whilst others cover only third-party risks, such as the cost of compensation to customers. What’s clear is that cover has to be bespoke, so a thorough understanding, and ranking, of risks associated with an individual business is crucial to ensuring that an organisation is sufficiently protected.

The nuanced impact of cyber insurance

It is also important to consider the wider impact of taking out insurance cover. A major benefit is that cyber insurance encourages businesses to keep their own security up to date. Typically, insurance companies require strict security defence measures to be put in place when cover is taken out, which means that the cyber insurance industry is driving a much-needed standardisation in cybersecurity. This can also highlight areas of weakness in a business’s security that may have otherwise gone unnoticed.

On the other hand, having the support of insurance might encourage businesses to pay ransomware demands in an attempt to avoid severe reputational damage, a response which is heavily discouraged. Paying millions of dollars to criminal groups funds their activity, allowing them to launch increasingly advanced attacks. It might be worth considering whether businesses have a moral responsibility to play their part in preventing the development of cyber threats, rather than funding illicit activity.

During Telstra Purple’s recent roundtable, it was determined that you could have cyber insurance and yet, if your networks are attacked and a ransom is due, the cyber insurer may not have the facility or willingness to pay the ransom. Therefore, is cyber insurance really worth it?

Furthermore, it is estimated that 80pc of organisations that give in to such demands are attacked for a second time, so paying a demand, whether covered by insurance or not, opens an organisation up to the risk of further attacks.

Preparedness is the first step

In 2022, nearly three-quarters of organisations globally fell victim to some sort of ransomware attack. Although insurance can relieve the financial burden and support recovery efforts, the reputational damage following a data breach is significant, as is the stress associated with an incident. It is not unheard of for business leaders to become less than pleasant when their organisation is under duress, and this can lead to rash decisions being made which could severely impact the future of the business. These are ‘costs’ not covered by insurance which can only be avoided through extensive preparation. It is therefore worth viewing attacks as inevitable, and ensuring that your business is prepared accordingly.

No insurance cover is one size fits all, and cyber insurance is certainly not an exception. Businesses of varying sizes, working across industries with differing degrees of reliance on cyberspaces will all, of course, face unique threats that will impact their business operation differently. Investing the time into being sufficiently prepared to rapidly recover from an attack empowers businesses to make a considered decision about which cover, if any, best fits their needs.
