Cyber Insurance Can’t Do it Alone


On the surface, cyber insurance seems like the perfect solution for dangerous times. However, for smarter protection and recovery from cyber attacks, attention to other fundamental security practices is equally important. Dave Russell, vice president of enterprise strategy and Rick Vanover, senior director of product strategy at Veeam, discuss how cyber insurance could be augmented.

Ransomware attacks surged dramatically in 2022Opens a new window , accounting for a quarter of all breaches. So, if your company does get hit, at least you have a way to recoup some of the losses you incur on your bottom line. 

But for those looking for a quick fix to a growing problem, cyber insurance has its shortcomings. For one, it’s getting prohibitively expensive. The protection it offers doesn’t address the issue of how you got hacked in the first place and how you can stop hackers in the future. And it doesn’t secure your data or keep it available.

Companies that do their utmost to insure their data and operations against cyberattacks have their hearts in the right place. But many are focusing more on getting insurance payouts without doing the necessary work to actually protect their mission-critical resources. What they need to do is augment the cyber insurance component with other types of “insurance” that ward off threats and back up data.

What Is Cyber Insurance?

While the concept of insurance itself dates back to the 1300s, cyber insurance is a relatively new phenomenon. Insurance companies rolled out their first comprehensive cyber policies in the 2000s to offer a hedge against malware, ransomware and distributed denials of service (DDOS). Different policies cover liability for things such as the theft of third-party data and the costs of business interruptions and forensic services to investigate a breach.

Cyber insurance can be useful. Sony, for instance, wished it had cyber-focused coverage to blunt the impact of the $171 million it spent to settle suits from the 2011 breach of its PlayStation Network. But a court ruled that Sony’s insurance policy covered damage only to physical property, not cyber-related costs.

Companies that sign on for cyber insurance now are still considered early adopters. A 2022 studyOpens a new window in the U.S. and Canada by Blackberry and Corvus Insurance showed that 55% of organizations have some kind of cyber insurance, and only 19% have coverage for cyber events beyond $600,000 – the median ransomware amount in 2021. The same survey showed 59% expect their governments to bail them out of attacks initiated by nation-states. 

But the number of adopters is growing. The global marketOpens a new window for cybersecurity insurance was $7.60 billion in 2021 and is expected to grow to $20.4 billion by 2027.

The Hurdles on the Cyber Insurance Track

So, why doesn’t everybody get cyber insurance? Cost is a big issue. Many companies that purchased commercial cyber insurance over the past five years have experienced double-digit cyber premium increases, prompting risk managers to question its overall worth. A customer in western Canada recently saw its annual premium rise to 90% of revenues. As the frequency and severity of cyberattacks increase, the leader of one of Europe’s biggest insurance companies recently said these threats are fast becoming “uninsurable.” 

See More: Why Are Small Businesses Suffering for Steep Cyber Insurance Premiums?

The process is another high hurdle. Insurers paying out cyber claims tend to require prohibitive amounts of documentation – everything from cyber access reports to network traffic logs. These are difficult to collect during normal times; after an incident occurs, IT departments scrambling to restore service will be set back further responding to insurance requests. 

Cyber insurance also doesn’t provide any ongoing protection against the threat itself. While hurricanes inflict significant amounts of damage, when they’re over, they’re over. There might be another storm next year, but the immediate threat has ended. Taking out insurance against ransomware doesn’t remove the immediate danger. If you pay off one bad actor, others could still have access to your system. And if you don’t plug the leak, insurance settlements won’t stop other hackers from entering the same way.

Above and Beyond Cyber Insurance

So, if you have insurance and you pay off an attacker, will you get your data back? And will you be made whole? Not always.

One of the more notable statistics in Veeam’s 2022 Ransomware Trends ReportOpens a new window survey is that half (52%) of those with encrypted data paid the ransom and were successful in recovery. Still, one in four organizations paid the ransom but were unable to recover their data. When ransoms were paid, nearly three-quarters of all organizations had some form of insurance, according to the report. But while 57% of the insured had cyber insurance policies that included ransomware coverage, 30% had cyber insurance with ransomware excluded from the coverage.

Bottom line: Cyber insurance plans can help, but organizations need to vigorously protect against threats and be prepared to solve cyber-related problems on their own.

Here are a few ways they can do so. 

  • Patching: Creating a comprehensive patch management process is a critical part of maintaining an organization’s IT infrastructure. Repairing vulnerabilities quickly after the release of a new feature can help businesses protect their assets, avoid costly downtime and fend off ransomware attacks. 
  • Employee training: A study by IBMOpens a new window concluded that human error is the main cause of 95% of cyber security breaches. This underscores the need for employee training. Organizations should consistently review common security mistakes to ensure workers are using strong passwords, avoiding sketchy phishing attempts and protecting important company information.  
  • Sharpening incident response plans: It’s critical to move quickly when a cyber disaster hits. Many organizations don’t even have a response plan that sets up a chain of command and a set of actions. Those that do have a plan should review it regularly and keep it updated. 
  • Instituting proper data backup: A secure backup infrastructure forms the last line of defense against ransomware. Integrating data protection within a comprehensive cyber preparedness strategy protects against outside threats and offers the quickest and most strategic way to ensure business continuity if a cyber event occurs. 

Cyber insurance is a worthwhile resource that can help organizations respond to a damaging breach. But it’s not enough. Adding in some common-sense cyber preparedness techniques can provide the high level of insurance that’s needed in today’s age of escalating threats. 

How are you enhancing your cyber preparedness? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window . We’d love to hear from you!

Image Source: Shutterstock