Why cybersecurity insurance may be worth the cost

Cybersecurity insurance can compensate you in the event of a cyberattack. But how do you determine the right policy for your needs?


A successful cyberattack can harm your organization in a variety of ways. Data loss. Business disruption. Lost productivity. Regulatory fines. Brand or reputation damage. Ultimately, these can all impact your organization financially.


With the threat of cyberattack always looming, one way to protect your organization is cybersecurity insurance. Like any other type of insurance, it can kick in to compensate your business for financial losses that result from a cyber incident.

Of course, such insurance can be costly. Is it worth the expense? Let's look at how this insurance works and consider some of the pros and cons.

What does cybersecurity insurance cover?

The protections offered by cybersecurity insurance can be broken down into three categories, Jack Kudale, founder and CEO of cyberinsurance provider Cowbell Cyber, told TechRepublic:

1) A loss of revenue or other income due to business interruption.
2) Expenses incurred while recovering from the incident.
3) Liability costs, whether from lawsuits filed by affected customers and partners or from regulatory compliance penalties.

The actual items covered by cybersecurity insurance naturally depend on the policy. If you buy the right type of policy, the insurance can cover everything from data breaches all the way to physical damage, Andrew Barratt, managing principal for Solutions and Investigations at cyber risk service Coalfire, told TechRepublic. An effective policy should cover all threats from ransomware to social engineering attacks to insider threats, Kudale added.


Cybersecurity insurance has changed from something that was typically bundled with other commercial policies and not always well defined to more of a standalone item, according to Kudale. Such standalone policies come with dedicated limits and terms clarifying what items are covered. These policies also offer options that let the policyholder customize the coverage based on their exposure to specific risks and threats.

Review and customize a cybersecurity insurance policy carefully to make sure it fits the risks your organization actually faces.

"The trick with cyberinsurance is ensuring that you don't buy coverage that has exclusions you expect to be covered," Barratt said.

"There are some very cheap cyberinsurance packages designed to provide basic coverage towards the cost of forensic work," Barratt added. "There are also incredibly sophisticated policies that will offer major coverage in the hundreds of millions of dollars for restoration of services in the event of a cyberattack that causes physical damage. These tend to be underwritten by insurers that also have terrorism expertise as well as traditional physical damage insurance."

How does cybersecurity insurance work?

As with other types of insurance, your first step following a cyber incident is to file a claim, Kudale said. Filing the claim is what brings the insurer's experts and resources in to investigate the incident and resolve the claim. With a cyberattack, however, timing is key: Cowbell Cyber and partner Mullen Coughlin offer a dedicated hotline for ransomware attacks, and bringing in a breach coach (typically outside counsel who coordinates the forensic, legal and notification response) immediately after the incident can lower costs and avoid complications.

The underwriters who assess the claim also check whether the policy includes business interruption coverage, according to Barratt; such coverage reimburses revenue lost as a result of the cyber incident.

What are the advantages of cybersecurity insurance?

This type of insurance can help an organization recover from a cyber incident more quickly and at a lower cost, Kudale said. Modern cybersecurity policies could also provide resources to help businesses avoid cyber incidents in the first place.


As one example, Cowbell Cyber includes risk assessment so customers understand their most vulnerable areas. Together with training firm Wizer, Cowbell offers cybersecurity training for employees to better identify phishing emails and other threats.

Cybersecurity insurance can also provide a safety net for organizations that are establishing security controls but need to transfer some risk to a third party, Barratt said. A policy can then offer quick access to funds and special services in the event of an incident.

What are the disadvantages of cybersecurity insurance?

As with any type of insurance, you may end up paying high premiums on a policy for which (hopefully) you would never need to file a claim. But the disadvantages go beyond that obvious factor.

The bigger risks come from policies that are confusing or overly complicated. You may encounter cyber policies bundled with other commercial policies in a way that muddies what is covered, according to Kudale. You might also end up with a policy that has too many exclusions, or that imposes inappropriate thresholds before an incident is covered at all.

There are also many different cyberinsurance policies on the market, aimed at customers ranging from small and mid-sized businesses to Fortune 500 companies, and that variety can lead to misunderstandings about what a given policy actually covers.


"They can be complex, and sometimes the brokers don't fully articulate the values as they're incentivized to sell certain policies," Barratt said. "Some cyber policies lock you into a vendor ecosystem for incident response, which may also not be cost effective either. These policies should really be well considered by corporate risk managers."

Finally, there's the question of whether cybersecurity insurance might encourage criminals, because they know that a victim's insurance provider will ultimately cover the cost of the attack. That could especially hold true for ransomware demands.

"From a broad perspective, building in ransomware payments to insurance policies will only promote the use of ransomware further and simultaneously disincentivize organizations from taking the proper steps to avoid ransomware fallout," Brandon Hoffman, chief information security officer at IT management firm Netenrich, told TechRepublic. "Not only does making a ransomware payment also place an organization in a potentially questionable legal situation, it is proving to the cybercriminals you have funded their recent expedition."

Hoffman suggests that insurers refuse to pay out on policies, especially for ransomware, unless the organization has put basic security and recovery measures in place. Though he admits that such a requirement may sound harsh, Hoffman asserts that there's a reason governments and law enforcement don't negotiate with terrorists, and ransomware should be treated the same way, in his opinion.

Though cybersecurity insurance can be an effective and necessary measure for many organizations, it should never be seen as a panacea. Organizations still need to develop the right security and recovery processes to protect themselves against ransomware and other cyberattacks. Read the policy's exclusions, its notification requirements and any mandated incident-response vendors alongside your own response plan, so the two do not conflict when the clock is running. Even if you take out a cybersecurity insurance policy, the goal should be to never have to file a claim against it.
