Many CISOs now include cyber insurance, or cyber liability insurance, in their cybersecurity risk management strategy. Cybersecurity insurance coverage can play a critical role in an organisation’s efforts to mitigate the financial and operational impacts of cyber events. According to a recent Hiscox Cyber Readiness Report, about 41% of firms in U.S. and European markets have already invested in cybersecurity insurance policies.
How does cybersecurity insurance coverage help? When companies face a significant data breach or ransomware attack, they may struggle to recover if they’re relying on the same, lean set of day-to-day resources. Cyber risk insurance coverage can ease the costs of remediation following a cybersecurity incident, including payment for legal assistance, investigators, crisis communicators, and customer credits or refunds.
Many security leaders are thinking even more about the value of having cybersecurity insurance coverage as remote and hybrid work initiatives continue to expand. They worry about the explosion of business-critical and sensitive information, such as customer contacts and credit card numbers, traversing the internet—and thus, the heightened risk for cyber-attacks.
Data privacy laws and regulations adding pressure on companies—and insurers
The security risks of a remote or hybrid workforce aren’t the only concerns for today’s security leaders, though. In recent years, governments and regulatory bodies have been applying more pressure on organisations to do a better job of protecting people’s personal information—and to take responsibility when something bad happens. The California State Assembly even introduced a bill in February 2020 to make cyber risk insurance mandatory for all businesses that contract with the state and have access to protected personal information.
The growing number of stringent data privacy laws, such as those listed below, is even prompting some insurance providers to pay closer attention to the cybersecurity measures of the organisations they cover:
- Australia’s Data Privacy Act and Notifiable Data Breach Scheme
- The Payment Card Industry Data Security Standard (PCI DSS), which is the global card industry security standard
- The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The European Union’s General Data Protection Regulation (GDPR)
Cybersecurity insurance coverage doesn’t replace a robust prevention strategy
Cyber insurers themselves are being forced to adapt their approach to coverage, as they are finding losses unsustainable. Insurers have been known to deny policies and claims, or to increase premiums, when organisations can’t demonstrate that preventive controls are in place. Yet it’s worth noting that technical controls alone aren’t sufficient to address many human factors and behavioural risks, and today’s threat landscape is dominated by social engineering tactics.
Companies must also be aware of the fine print in their cyber risk insurance policies. If they lose money or data due to a business email compromise (BEC) incident, for example, they may find they’re not actually covered. Many cyber risk insurance policies don’t cover what the insurers consider to be forgery, computer fraud, social engineering, ransom or funds-transfer fraud.