Cyberinsurance is not new to the scene, and an increasing number of organizations are accepting its
critical role in safeguarding them against costly cybersecurity incidents. Yet
recently, we’ve seen ongoing discussion of its overall value to organizations,
as well as its net impact on the state of cybersecurity.

As pundits discuss, debate, and ponder, crippling cyber incidents continue. According to recent reports, the annual costs of worldwide data
breaches are expected to surpass $5 trillion by 2024, with North American
businesses taking the brunt of the force. Who is footing these exorbitant
bills? Of the many smaller, cash-strapped organizations within this statistic
that chose to opt out of cyberinsurance, how many weathered the storm?

Cybersecurity
services providers, particularly those involved in incident response, often
have a very full picture of breaches and their aftermath. We work with
companies that have insurance and those that do not; we see companies that
recover and continue to do business, and those that do not. There are many
shades of grey (and Tylenol and Tums) in between. All philosophical debate
aside, at the end of the day, many companies must focus on their own
businesses, employees, customers, and shareholders. The costs of
cyber incidents are real and tangible, and they go beyond the here and now –
the damage to brand and customer confidence can linger in revenue-tangible ways
for years to come. In the case of ransomware, business or municipal operational
downtime can have severe and occasionally life-threatening outcomes on
customers and citizens.

Cyberinsurance’s Role in Risk Transfer

Among many things that keep business
leaders up at night, cybersecurity continues to hit the top of the list of
business-related concerns. According to Travelers’ 2019 Risk Index survey published in late September, cyber risks are
the top concern across all businesses for the first time since the survey began
in 2014, ahead of medical cost inflation, employee benefit costs, the ability
to attract and retain talent, and legal liability. Since its early days in the
Lloyd’s Coffee House during the 17th and 18th centuries,
insurance has continuously proven to be a vital mechanism for transferring
risks that can’t otherwise be managed or avoided by an individual or
organization. Cyberinsurance is being increasingly relied upon to offset the
acceptable levels of cyber risk organizations assume. It is also being used to
safeguard against the risk that can never be fully mitigated despite any level
of effort—because the sad reality is, no amount of CapEx or OpEx can completely
address cybersecurity risk.

No industry vertical is exempt from risk, and thus each can potentially benefit
from the safety net cyberinsurance provides.
Early on, financial services and healthcare were the largest consumers of cyberinsurance.
However, other verticals are catching up. We support this trend; malicious
actors target every sector for the intellectual property or data they control,
and in certain critical infrastructure sectors, such as manufacturing, any
interruption in operations can send waves of destruction through the supply
chain.

Cyberinsurance, Viewed from an Incident Response Lens

We have worked with many companies
that would have been unlikely to regain operational efficiency without the
assistance of their cyberinsurance carrier. Many lack experienced staff,
incident response processes, and preparedness to act quickly following a
business-impacting event. Cyberinsurance companies assist their policyholders
by bringing the right team of experts to the table quickly to help resolve the
incident, including legal and technical aspects. Companies without cyberinsurance
experience far greater financial and logistical stress, which can challenge
clear decision making.

Organizations with more mature staff
and processes can often field a number of cyber incidents on their own on a
regular basis. However, catastrophic events that dominate media headlines are
often outside of any organization’s capability to handle financially and
logistically. Many companies purchase coverage to provide them with peace of
mind in such catastrophic scenarios. In this way, cyberinsurance is no
different than other lines of traditional property or casualty insurance
coverage.

There can be hard decisions to make.
In the case of ransomware, one particularly challenging decision is whether to
pay a ransom vs. rebuild affected systems, potentially incurring significant
data loss. Insurance carriers and their partners help companies sort through
the options. No one in the process wants to reward malicious actors by paying
them what they ask; but businesses, working with their insurance and technical
support partners, meticulously weigh the real and total costs of the choices
they make for the health of their organizations. The impact of this decision
should not be underestimated, as it can make the difference between getting back up
and running in a matter of days vs. potentially shutting the doors.

When the Debate Is Over: Cyberinsurance Could Be the Organization’s Only Safety Net

The cyberinsurance industry continues
to expand on existing coverage offerings and create new ways for organizations
to transfer cyber risk. Current discussion of the incremental value of cyberinsurance
aside, we have observed that cyberinsurance provides a critical risk transfer
mechanism and logistical support capability – one that can mean continued life of
the business.

Bret Padres, CEO, Crypsis Group