Let’s start by looking at security controls. When you list the requirements of your organisation’s cybersecurity programme, every tool, process and strategy must be evaluated for its contribution to your overall cyber risk reduction. Yet one control among the plethora available often finds itself at the centre of debate: cyber insurance. The problem is that seasoned cybersecurity professionals often dismiss it as an extraneous cost that adds no direct value – you pay a lot of money to an organisation that might not understand your controls, hoping that if you are attacked, they will pay out. For many, it is nothing more than a costly checkbox exercise that contributes nothing to the organisation’s security posture. Viewed through a narrow lens, that perspective is not entirely without justification. But in a broader risk management capacity, once you consider all the moving parts during a significant incident, dismissing cyber insurance might be the one security programme omission you live to regret.
The Myth of Insurance
These reservations are real and must be worked through, so the discussion should be entered with a balanced view of all the evidence. Let’s start with the obvious one that trips most security professionals’ radar: checklists.
Most insurers use checklists to determine whether a prospective client is worthy of insurance. The control list allows them to estimate the risk of a payout during the policy period, typically 12 months. If you are not honest when you fill in the checklist, you risk the policy not paying out when you do suffer a breach. Right from the start, anyone looking at a list like this gets suspicious. Is it only there to catch us out?
Honestly, no, it is not. It is there simply for the insurer to calculate and manage the risk of issuing a policy. Managing risk is at the heart of everything we do in cyber, so that is how you should view it: a helpful summary of what insurance companies are seeing across all their clients, namely the controls that clients use to stop breaches, and the absence of which leads to claims. Where no other baseline exists, it can serve as the starting point for a nascent security programme.
In general terms, insurance transfers some of the risk you are trying to manage to a third party. Providers run a business, not a charity. They decide whether to grant a policy based on risk, and they pay out based on whether you have followed the policy’s conditions. It is no different from how they manage risk with car, house or life insurance. You just need to understand the context and work within the boundaries of what it offers. Treat it well and use it wisely, and it will work in your favour. But there is more to this than a payment should you suffer a breach. Let’s look a little more closely at what happens if you get breached.
Understanding the Holistic Value of Cyber Insurance
In the aftermath of a significant cyber incident, the dynamics within your team can shift drastically. Anyone who has managed an incident knows the immediate priority is containment. That is quickly followed by assessment and recovery, and then by the dry legal considerations, perhaps with a smattering of PR and client communications. It is here, amid all the work that cybersecurity people don’t typically do, that cyber insurance truly demonstrates its value.
Navigating the legal implications of a significant cyber breach requires specialised knowledge. Cyber insurance policies often come with access to legal teams adept at the nuances of these situations. Even in-house legal counsel may struggle here, because the most crucial factor in dealing with the legal fallout of a breach is experience of having done it before. The insurer will typically provide expert-level advice and support during interactions with regulatory bodies such as the OAIC (Office of the Australian Information Commissioner), helping the business meet its notification obligations and avoid the many potential legal pitfalls.
Major cyber incidents are not just technical challenges; they can adversely affect the entire organisation. Cyber insurance policies often include drafting in expert incident responders, bridging the skills or resource gaps in an organisation’s internal team.
Beyond the immediate technical and legal challenges, organisations will also have to manage external communications. Skilled advisors can guide the narrative, liaise with the press and help protect the organisation’s reputation.
Insuring Your Peace of Mind
Ultimately, cyber insurance will not replace robust security controls and a proactive defensive architecture; those form the bedrock of your security posture. Cyber insurance is used to manage the gap. It offers additional peace of mind to the whole business, a broader risk mitigation perspective, and support in areas where you lack local experience.
Slipstream Cyber has been working closely with cyber insurers for years to shore up the end-to-end response process, so that the value clients get from their policies is worth far more than the premiums paid. If you have not considered integrating a cyber insurance policy into your security programme or ongoing security strategy, at least weigh the whole value you get against the annual cost. After all, in a world where continual cyber threats are a clear and present danger, the measure of an organisation’s strength is its resilience, seen beyond the narrow cyber viewpoint.
Reach out to us today to navigate the intricacies of cyber insurance and fortify your organisational resilience against the unpredictable.