Cyberinsurance is not new to the scene, and an increasing number of organizations are accepting its critical role in safeguarding them against costly cybersecurity incidents. Yet recently, we’ve seen ongoing discussion of its overall value to organizations, as well as its net impact on the state of cybersecurity.
As pundits discuss, debate, and ponder, crippling cyber incidents continue. According to recent reports, the annual costs of worldwide data breaches are expected to surpass $5 trillion by 2024, with North American businesses bearing the brunt. Who is footing these exorbitant bills? Of the many smaller, cash-strapped organizations within this statistic that chose to opt out of cyberinsurance, how many weathered the storm?
Cybersecurity services providers, particularly those involved in incident response, often have a very full picture of breaches and their aftermath. We work with companies that have insurance and those that do not; we see companies that recover and continue to do business, and those that do not. There are many shades of grey (and Tylenol and Tums) in between. All philosophical debate aside, at the end of the day, many companies must focus on their own businesses, employees, customers, and shareholders. The costs of cyber incidents are real and tangible, and they go beyond the here and now – the damage to brand and customer confidence can linger in revenue-tangible ways for years to come. In the case of ransomware, business or municipal operational downtime can have severe and occasionally life-threatening outcomes for customers and citizens.
Cyberinsurance’s Role in Risk Transfer
Among many things that keep business leaders up at night, cybersecurity continues to hit the top of the list of business-related concerns. According to Travelers’ 2019 Risk Index survey published in late September, cyber risks are the top concern across all businesses for the first time since the survey began in 2014, ahead of medical cost inflation, employee benefit costs, the ability to attract and retain talent, and legal liability. Since its early days in the Lloyd’s Coffee House during the 17th and 18th centuries, insurance has continuously proven to be a vital mechanism for transferring risks that can’t otherwise be managed or avoided by an individual or organization. Cyberinsurance is being increasingly relied upon to offset the acceptable levels of cyber risk organizations assume. It is also being used to safeguard against the risk that can never be fully mitigated despite any level of effort—because the sad reality is, no amount of CapEx or OpEx can completely address cybersecurity risk.
No industry vertical is exempt from risk, and thus none is without potential value from the safety net cyberinsurance provides. Early on, financial services and healthcare were the largest consumers of cyberinsurance. However, other verticals are catching up. We support this trend; malicious actors target every sector for the intellectual property or data they control, and in certain critical infrastructure sectors, such as manufacturing, any interruption in operations can send waves of destruction through the supply chain.
Cyberinsurance, Viewed from an Incident Response Lens
We have worked with many companies that would have been unlikely to regain operational efficiency without the assistance of their cyberinsurance carrier. Many lack experienced staff, incident response processes, and preparedness to act quickly following a business-impacting event. Cyberinsurance companies assist their policyholders by bringing the right team of experts to the table quickly to help resolve the incident, including legal and technical aspects. Companies without cyberinsurance experience far greater financial and logistical stress, which can challenge clear decision making.
Organizations with more mature staff and processes can often field a number of cyber incidents on their own on a regular basis. However, catastrophic events that dominate media headlines are often outside of any organization’s capability to handle financially and logistically. Many companies purchase coverage to provide them with peace of mind in such catastrophic scenarios. In this way, cyberinsurance is no different from any other line of traditional property or casualty insurance coverage.
There can be hard decisions to make. In the case of ransomware, one particularly challenging decision is whether to pay a ransom or rebuild affected systems, potentially incurring significant data loss. Insurance carriers and their partners help companies sort through the options. No one in the process wants to reward malicious actors by paying them what they ask; but businesses, working with their insurance and technical support partners, meticulously weigh the real and total costs of the choices they make for the health of their organizations. The impact of this decision cannot be overstated, as it can make the difference between getting back up and running in a matter of days and potentially shutting the doors.
When the Debate Is Over: Cyberinsurance Could Be the Organization’s Only Safety Net
The cyberinsurance industry continues to expand on existing coverage offerings and create new ways for organizations to transfer cyber risk. Current discussion on the incremental value of cyberinsurance aside, we have observed that cyberinsurance provides a critical risk transfer mechanism and logistical support capability – one that can mean the continued life of the business.
Bret Padres, CEO, Crypsis Group