“I’ve heard that cyber insurance doesn’t pay out!”

Or my second favourite: “we don’t need cyber insurance, we have next generation firewalls!” Both are false statements and yes, I’ve had more than a couple of IT leaders tell me that their excellent perimeter controls mean that they are unlikely to have a cyber incident that would impact the organisation sufficiently to need insurance.

Let’s address the first one, the implication that cyber insurance doesn’t pay out. It does, and there are many examples where it has paid out to the limit of the policy, where the incident response component has fulfilled its purpose, and where this has happened without objection from the insurer.

Issues can arise where an organisation buys a policy without fully understanding the triggers, or without ensuring that the amount of coverage is sufficient for the full cost of an incident. Cyber risk is very hard to quantify, but a good start is to break down the scenarios that can occur and ensure that they are covered by the existing policy, or by those under consideration.

Now the second one - “we don’t need cyber insurance.” As many well-publicised and very costly cyber incidents tell us, having great controls will not completely mitigate the risk of a cyber incident. They may reduce the likelihood, but there are too many areas of vulnerability, not least of all people, that can never be completely discounted. Organisations should think in advance about the worst that can happen, and what can be done to minimise the impact when it does. Leaders need to know that their organisation can withstand a cyber incident, both financially and reputationally, and should be able to articulate this to customers, staff, shareholders, and increasingly, regulators.

Towards the end of 2019, I caught up with many of my contacts in the IT security, insurance, legal and incident response sectors to discuss the services, alongside incident readiness, where the Cyber Advisory Practice could better assist customers. A common thread that ran through the discussions was cyber insurance: there is still a reluctance among organisations to adopt insurance as a cyber risk management solution, and there are questions about both its effectiveness and how to obtain the best solution. Cyber insurance is not a “nice to have” or a box-tick; it is a critical component of a mature organisation’s cyber risk management toolkit.

For these reasons the CAP is pleased to announce Cyber Insurance Assessment services for organisations that would like to know more about how cyber insurance can complement their existing risk controls, and how best to integrate it as a tool in their enterprise cyber risk management framework. Organisations that already have cyber insurance may also want to confirm that their existing policy is fit for purpose and that it will help reduce the financial and reputational impact of incidents.

The assessments look at the major cyber risks the organisation faces, existing security controls in place, incident readiness and risk remediation planning.

On completion of a Cyber Insurance Assessment, customer stakeholders will be presented with a report that provides an independent, risk-management-focused assessment of the organisation and of how insurance supports cyber risk mitigation. The reports are written in plain language and aimed at risk managers, insurance buyers, IT leadership and the board. They can also be provided to brokers and insurers to assist them in determining potential solutions. Customers can then hold an informed internal discussion as to whether to buy insurance or update an existing policy, and which components of the proposed solutions are appropriate.

Please get in touch if you, or your customers, would like to discuss further.
