Click here to listen to this article via the BreachRx Blogcast
As seen every day in the news, breaches from successful cyberattacks are a continuing, severe threat to businesses, both small and large. With the increasing number of cyberattacks, cyber insurance companies have become popular among businesses looking to protect themselves from potential financial losses due to a data breach. Cyber insurance policies offer coverage for data breaches, cyber extortion, and other losses related to cyber events. However, it is important to understand that cyber insurance companies enforce their own interests through their policies, and relying solely on these policies and related insurer marketplaces for a data breach is not in any company’s best interest.
While cyber insurance policies are designed to protect businesses from the financial costs associated with data breaches and cybersecurity incidents, it is important for teams to understand that cyber insurance is not a silver bullet. The terms of cyber insurance policies are often designed to drive down insurer costs, resulting in exclusions that can limit the coverage offered to businesses. For example, most cyber insurance policies seemingly cover companies for ransomware attacks; however, many insurers are now excluding coverage for payments made in cryptocurrency, the typical method of payment demanded by cybercriminals in ransomware attacks. This can leave businesses vulnerable to significant financial losses if they are unaware of their policy’s limitations.
If a company relies solely on their cyber insurance policy and fails to proactively prepare for a potential cyberattack, they will very likely face significant direct financial losses and indirect impacts like reputational damage, lost revenue, and potential legal liabilities in the event of a data breach or ransomware attack. And even with insurers creating cyber insurance marketplaces ostensibly to help companies with their data breaches, these insurers are focusing specifically on lowering their own costs of claims paid to the ever-growing set of companies that have suffered an incident versus helping companies with their attacks.
Take the risk out of your breach response
Automate your incident response today
The Limits of Cyber Insurance
Cyber insurance policies offer strong value for businesses and provide peace of mind for businesses that want to protect themselves from the potentially devastating financial impact of a data breach or cyberattack. In addition to covering some of the cost of legal fees, forensics and recovery, and customer notification expenses such as resulting from when personal information is compromised, some policies also offer risk management services, including employee training programs. These services can help businesses identify and mitigate potential cybersecurity risks before they turn into a costly incident.
For example, suppose a small business falls victim to a ransomware attack that locks down their computer systems and demands a significant sum of money to unlock them. Without cyber insurance, the business could be faced with substantial costs for recovering from the breach. However, with a cyber insurance policy in place, the business may be able to recoup some of these costs, allowing them to get back to business as quickly as possible.
Despite the potential benefits of cyber insurance policies, it is important for businesses to recognize and understand their limitations. Policies can be complex, and the terms and conditions can vary widely between different insurers. The policies are typically written with the insurer’s interests in mind, with exclusions and limitations that can make it difficult for businesses to receive adequate coverage. And these exclusions can leave businesses vulnerable to financial losses, especially if they rely solely on their policy as their only line of defense.
Typical exclusions included in most policies are losses caused by war, terrorism, or acts of God, which can limit the coverage offered even further. Some insurers have equated nation-state cyber attacks with acts of war to exclude covering them, even though attribution is questionable in some cases and more nations from around the world are increasingly attacking commercial companies to gain decision advantage and steal intellectual property for their own benefit. This has led to multiple instances of insured companies suing their insurer to get their claims filled, an expensive proposition beyond the cost of the incident.
In addition, if a business experiences a data breach due to a lack of security measures or employee negligence, their cyber insurance policy may not cover the cost of the investigation and data recovery efforts. Also, some policies exclude coverage for breaches caused by third-party vendors, such as from cloud providers or payment processors. This can leave companies further exposed to significant financial losses if a breach occurs as a result of a vendor’s negligence or malicious activity.
When incidents inevitably occur, the over 180 laws in 120 countries come to bear on a company in the middle of their response. Given most companies do not effectively prepare and know their exposure to these requirements, this byzantine set of regulations ends up as a massive legal cost most companies can ill afford. Worse, cyber insurance policies are not likely to cover the costs associated with the regulatory fines and penalties resulting from a data breach or from a poor notification process to lawmakers and regulators.
It is also important for businesses to understand that cyber insurance policies are not standardized, and terms and conditions can vary widely. The insurer bias of these policies and lack of standardized approaches can make it difficult for businesses to navigate the claims process and obtain the full coverage they are entitled to. Insurers are incentivized to reduce costs by any means possible, which can result in denial of claims, delayed payment, and push towards specific vendors or service providers that may not be the best fit for the policyholder’s needs or situation and even could result in subpar services and remediation efforts, which can ultimately cost more in the long run. Therefore, it is essential for businesses to proactively prepare for a potential cybersecurity incident and not rely solely on their insurer’s recommendations.
Relying solely on cyber insurance for protection against cyber threats is like owning a car without any safety features, such as airbags or seat belts, and relying solely on your car insurance to protect you in the event of an accident. While insurance can provide financial protection after an accident, it does not prevent the accident from happening in the first place or protect you from injury. Just like how safety features in a car can help prevent accidents and reduce the severity of injuries, proactive cybersecurity measures can help prevent cyber threats and mitigate their impact. By proactively preparing for potential threats, businesses can reduce the risk of a data breach and minimize the potential financial losses they may incur.
Why Cyber Insurer Marketplaces Aren’t Enough
To control these costs, insurers have begun creating marketplaces for connecting service providers specializing in incident response to businesses in need of their support. Insurers are doing this to increase competition among the providers in the hopes that will lower their rates and therefore lower the costs of claims they’re paying to these firms associated with data breaches as well as cybersecurity and privacy incidents. Insurers see this as critical because law firms and forensics firms that specialize in data breaches are incredibly expensive, with average costs soon to be over $5M per incident.
For example, law firms that specialize in incident response can demand over $500 an hour for associates and over $1500 per hour for partners. This can result in significant expenses for businesses that experience a data breach or cybersecurity incident. In some cases, the work that is required may be relatively straightforward, such as keeping track of a list of response actions in a spreadsheet, yet still demand these high hourly rates. While these firms offer valuable expertise and resources, the high costs associated with their services can be prohibitive for many businesses, especially small and medium-sized enterprises. And insurers are also feeling the pinch.
However, simply creating a marketplace for these services will not be enough to significantly reduce costs for businesses. High costs come from the fact that many businesses fail to take proactive measures to prepare for a potential cybersecurity incident, such as implementing strong cybersecurity protocols and conducting regular security assessments. Without proper preparation, businesses are more likely to experience data breaches and cybersecurity incidents, which can result in significant costs, even if they have access to discounted cybersecurity services through their insurance policy. And when they respond, their lack of preparation ends up being extensive time and costs from these providers, even if their rates drop significantly.
Marketplaces controlled by the insurers will also give them the upper hand in adding further exclusions from their policies for companies that are ill-prepared for incidents. For example, insurers may limit their liability for incidents by placing caps on payouts or using the specific vendors with the lowest costs, which may not provide the best solutions for specific incidents companies face. In fact, insurers are not guaranteeing the quality of the services provided by the vendors within these marketplaces, and have limited control over the vendors’ operations. Some providers inside these marketplaces are already shifting to prioritize completing as many jobs as possible over providing quality services to keep their revenue high, which is a recipe for leading to poor outcomes for businesses that rely on them for incident response.
Relying solely on a marketplace to lower costs associated with a data breach, without proactively preparing for cyber threats, is like relying on a good insurance policy to protect you from a car accident without taking any safety precautions or driving lessons. While a good insurance policy can help alleviate some of the financial burden of an accident, it does not guarantee your safety on the road. A marketplace for cybersecurity services may help reduce the costs associated with a data breach, but it does not guarantee protection against cyber threats. An effective incident response strategy can help mitigate these costs.
While the marketplace for cybersecurity services might help lower costs for the insurer, they will not be enough to lower costs for businesses if they do not proactively prepare for a potential cybersecurity incident. They will then face significant costs, even with access to discounted cybersecurity services through their insurance policy’s marketplace. Instead of relying on a marketplace for cost savings, businesses must take the necessary steps to proactively protect themselves from potential cyber threats.
Proactive Incident Readiness Is the Only Way
While cyber insurance policies can provide some level of protection for businesses in the event of a data breach, they should not be viewed as a first-line defense against cyber risks. To avoid the pitfalls outlined above, businesses should view cyber insurance as a last resort and should not be relied upon as a substitute for cybersecurity measures. Instead, teams and companies should invest in proactively preparing for likely threats they face and the potential impacts of their attacks.
Proper preparation includes implementing strong cybersecurity protocols and multi-factor authentication, training their employees on best practices for cybersecurity, and working with experienced cybersecurity professionals to identify potential risks and implement measures to mitigate those risks. This includes leveraging incident automation to develop myriad operational-level incident response plans and procedures specific to the different and likely incidents they face from attackers, including the likely regulatory and customer notification processes. Teams should then conduct regular risk assessments and security exercises inclusive of all parts of the business related to incidents. Just like how taking driving lessons and implementing safety features can help reduce the likelihood of a car accident, proactively preparing for cyber threats can help reduce the likelihood and severity of a data breach.
While cyber insurance policies can provide valuable protection for businesses in the event of a data breach or cybersecurity incident, businesses should not rely solely on their cyber insurance or liability policies as their only line of defense. Cyber insurance policies are often designed to drive down insurer costs, resulting in exclusions and limitations that can leave businesses vulnerable to financial losses. Additionally, the high costs associated with law firms and forensic firms that specialize in data breaches can be prohibitive for many businesses, even if they have access to discounted services through their insurance policy.
By proactively preparing for a potential cybersecurity incident, businesses can reduce the risk of a data breach and mitigate potential financial losses. And by taking a proactive approach to cybersecurity, businesses minimize the risks of impacts that result from these inevitable events.
Need help with an incident response strategy?
Leverage the BreachRx platform to build an actionable incident response plan today!