A data breach here, a data breach there, a data breach everywhere. Hardly a day goes by that we don’t hear about large-scale security incidents and breaches in the headlines. This constant exposure has created so-called “breach fatigue,” where people are no longer surprised by the security gaffes they hear about in the news and end up taking it all in stride. Many organizations feel that they simply can’t keep up with today’s threats and vulnerabilities — the business risks are known and hope is the strategy. Other organizations are doing all the right things with security. Still, both types of organizations experience incidents and breaches. One thing that can mitigate this risk is cyber insurance.
Benefits of Cyber Insurance
Cyber insurance can protect your business from security incidents and data breaches in the same way that auto insurance might protect you from an inattentive driver who runs a red light and smashes into your car, or the way homeowners insurance might protect you if a tree falls on your house. A cyber insurance policy is a great line of defense that can minimize or defray the costs associated with negative IT-related security events, such as:
- Incident response activities
- Forensics investigations
- Breach notifications
If you don’t already have cyber insurance, you should certainly consider it. Don’t buy it from just anyone, though. You need a salesperson who understands both the cyber insurance market and your business. I often see people buying cyber insurance policies from salespeople who don’t have the organization’s best interests in mind and are simply looking to make a sale. That can be a mistake. You might end up with not enough coverage or too much coverage. In other words, you could wind up under-protected or paying extra for coverage you don’t need.
If you do have cyber insurance, you need to go through your policy with a fine-toothed comb. Executive leadership must be involved to ensure that the policy is adequate for their risk tolerance. At a minimum, you need to have legal counsel as well as someone from finance and operations to review and provide feedback on the policy. It’s not uncommon to see IT and security professionals procure cyber insurance policies without guidance from executives, which sets the business up for failure once an incident or breach arises and coverage is deemed inadequate.
Get Your House in Order First
On any given enterprise network, there’s more to protect and more things can go wrong than what’s assumed. Common sense security oversights lead to most security incidents and breaches. Ignoring security basics is rampant at many organizations and cyber insurance can help with that — at least for the time being. That said, this security approach is not recommended, as it won’t be sustainable in the long term. Eventually, the insurance carriers will realize that underwriting policies for organizations with sloppy security practices is not good for business. As time progresses, we’ll see more situations where a defensible approach to security was not taken, and more and more insurance claims will be denied.
Security incidents and data breaches are a predictable reality that business owners and executives should not take lightly. It’s important to acknowledge the challenges associated with information security and take reasonable steps to minimize the risks. So much can be done to prevent most incidents and breaches. Much of it starts by addressing the low-hanging fruit by:
- Creating and enforcing strong security standards and policies.
- Properly maintaining network systems and applications through periodic and consistent patching and vulnerability/penetration testing.
- Continually educating users on what to do (and not do) on their computer systems.
The safety net for information security oversights is a cyber insurance policy. Just make sure you go about doing it in the right order. Don’t buy a cyber insurance policy to cover up your known blind spots. Fix the blind spots first, and then let insurance be the final piece for the rare instance when you need it.