Why cyber risk policies don’t deserve their sticky reputation


Cyber insurance suffers from an image problem. Understandably, it can be seen as the nagging Rubik’s cube you want to solve but don’t know how, so you keep it at the back of the bottom drawer of the cupboard in the basement.

As it is still a new industry, not all cyber insurance is the same, and coverage can span from bare-bones offerings to more “platinum” options. Because of these nuances, insurance is often ignored for its perceived complexity. However, firms should not be put off finding the right policy for them. Reducing cyber risk isn’t easy and never will be. From credential theft to misconfigurations to vulnerabilities and even phishing attempts, there are cybercriminals poking and prodding at organizations from every angle. An attack is a business inevitability.

As an experienced business risk analyst and security solutions architect, I cannot help but advocate for that Rubik’s cube in the basement. To give your business the best chance of battling inbound threats successfully, cybersecurity must be managed holistically. Instead of resigning ourselves to the narrative that cyber insurance is ‘just insurance’, we need to move the conversation on and start looking at it as a tool for defense.

Discovering the value behind the jargon

You don’t need to understand the details of policy design to understand what insurance can do for you. The business leader’s concern is about return on investment and tangible business impact – so what does this look like in practice?

Critically, cyber insurance helps to transfer risk so the organisation does not default to assuming it all alone. It also puts you in touch with risk mitigation resources and experts, unlocking a framework for proper incident response and an entire world of partners and assistance. Insurance therefore serves to mitigate some of the stress caused by the impact of a breach and to share the weight of the recovery process.

A cyber breach can do lasting damage to an organization's reputation. Due to the rate of attacks and their publicity, the public is now hot on which organizations have been hit by a bad actor and how they respond. When facing the judgement of those outside the security community, organizations armed with insurance are looked upon favorably. Insurance is an excellent trust-builder and face-saver, helping to secure value creation as it demonstrates that protecting customer and partner data is, and will continue to be, a strategic priority.

Playing financial tug of war

In today’s unstable economy, cost-consciousness is at an all-time high. Opening the purse strings to pay for a policy is naturally a difficult decision. However, putting a price on your organization's data, which includes sensitive financials, confidential intellectual property, and employee details, is arguably more difficult still.

Cyber insurance enables companies to transfer a portion of the cost of recovering from cyber incidents, which is particularly steep during ransomware negotiations, onto their insurance provider. For example, those in the security space are no strangers to the infamous Clop ransomware gang, whose consistent meteor shower of attacks is a thorn in the side of many organizations. Our research found that Clop-related incidents accounted for 53% of ransomware and data incidents in June alone, and the median ransom demand is a whopping $3,500,000. The financial beauty of insurance is that a policy can make these demands somewhat less painful, covering the costs of damage to others, profits lost, and the cost of negotiating a ransom.

The good news is that carriers do acknowledge the financial burden of their service and are currently trying to figure out how to reduce the cost of policies and the number of policies required for protection. Rates have reportedly dropped by 9% in 2023 following a record high at the end of 2022. Insurers are aware that blanket coverage of every kind of cyber-attack has proved costly, but as a nascent business they deserve the gift of our patience.

Beyond the policy

Beyond beefing up your protocols and adopting the latest solutions, teams must be given robust guidance on how to pick up the pieces. Peace of mind and organized procedures are precious commodities in the cybersecurity profession. It is a job with tremendously high stakes and high levels of stress, and the true prowess of your security team is displayed during attack response and recovery. Therefore, providing teams with any and all resources at their disposal is an investment both in security best practice and in culture.

The journey to the right match

Admittedly, obtaining cyber insurance isn’t always simple – especially in the age of remote work, ransomware-as-a-service, and digitisation. As a first step, it’s crucial to look at the basic security controls required by every organization, such as multi-factor authentication, endpoint detection and response, system backups, incident response planning and testing, and employee training. 

In this mighty list is a mixture of people-oriented and system-oriented priorities applicable to every industry and every company size. From this diving board, companies and brokers need to work with insurers to design the perfect policy match for the business, taking into account the makeup of its system networks and its unique vulnerabilities.

Your end result

The aftermath of a breach is incredibly sensitive, and you only have one chance to get it right. All affected stakeholders will be reliant on the organization to handle it with the utmost care and consideration. This is made much easier for security professionals and business leaders fielding questions from every direction when they have a policy to fall back on.

Whilst it’s important to note that cyber insurance alone cannot end cyber risk, a beach-front property still needs flood insurance, and in the same way cyber insurance helps a business stay standing if a cyber storm blows in. To help convert the sceptics, don’t call it insurance: a policy is an essential layer of defense.

Dan Schiappa is Chief Product Officer at Arctic Wolf.