Is cyber insurance a worthwhile investment?

Here are five questions to help determine if your company needs cyber coverage.


The cyber insurance market is rapidly maturing and there are many reasons for this. Companies are increasingly leveraging technology to expand or streamline their businesses, remote work is seeing wide-scale adoption, cybercrime is inflicting trillions of dollars in damages and global cybersecurity legislation and privacy obligations are increasingly holding firms accountable. The cyber insurance market is projected to become a thriving $20 billion industry by 2025.

Gauging the value of cyber insurance

Cyber insurance premiums are rising quickly. In the first quarter of 2021 alone, premiums rose by an average of 18%, driven by the growing number of claims and the thinning margins of cyber insurers. It is therefore time to evaluate whether the coverage on offer is affordable and delivers real value to the policyholder. Below are five questions to help organizations assess whether carrying cyber coverage is a worthwhile investment:

1. What is our risk exposure?

Organizations should be fully aware of what is at stake from a cyber risk perspective, because each company carries a different degree of risk depending on its distinct attack surface. Assessing cyber risk against well-known security standards or frameworks such as ISO/IEC 27002, the NIST Cybersecurity Framework or the ISF Standard of Good Practice for Information Security can serve as a good starting point for determining a company's risk posture. Risk assessments not only frame the organization's requirement for cyber insurance but also serve as evidence of effective risk management. Insurers evaluate how a company measures, monitors and manages its risk, so entities with a sound security posture are in a better position to negotiate favorable rates.

2. Is our risk insurable?

Once the business has insight into its risk exposure, it can more precisely define what it requires from a cyber insurance policy. Most brokers can advise on the policy inclusions, but it is the policyholder's responsibility to understand the nuances and evaluate whether the terms and inclusions of the policy meet its risk cover requirements. There will always be elements not covered under the policy, and the organization must be prepared to accept those residual risks.

3. Do we have the right coverage?

The value of cyber insurance is mainly dependent on its ability to provide sufficient risk coverage should a cyber incident occur. Organizations that carry out a detailed risk evaluation are in the best position to determine the extent of coverage needed. Prioritizing risks and taking into account the losses associated with those risks can help businesses select the right type and amount of coverage. Ultimately, cyber insurance shouldn’t be an off-the-shelf type of solution, it must be tailored to the business.

Review gaps in traditional insurance policies as well: property/casualty, product liability, directors' and officers', kidnap and ransom, and general liability cover can all be relevant to certain types of cyberattacks. The insurance industry has now started to eradicate "silent cyber" (cyber risks that are not explicitly mentioned in a policy), and the majority of such traditional policies no longer entertain claims arising from cyber risks unless cyber cover is stated explicitly.

4. What does it cost to insure?

Given the fact that insurance is a risk-transfer process, there are several factors insurers take into account while arriving at a premium and agreeing to the terms of the policy. These factors can include:

Remember that the better an organization is at managing information risk, the better the terms and price of the policy will be. Having said that, other external factors govern the cost of insurance such as rising demand for insurance, escalating cyber claims or unstable geopolitical environments.

5. Do benefits outweigh the cost?

Businesses must make an informed decision on whether to accept the risk as it is and carry it on the balance sheet, or to take up a policy and invest in cyber insurance. Even when a policy is affordable, it may not completely satisfy the business's requirements, and it may then be necessary to look for an alternative risk reduction method. That is why choosing an insurer should not be the decision of IT, legal or the security team in isolation. All key stakeholders of the business, such as the C-suite, legal counsel and the insurance manager, must closely scrutinize the policy and decide whether the terms offered justify the price quoted.

Cyber insurance is about sharing, rather than divesting, cyber risk. Organizations must establish a symbiotic relationship with insurers to enhance security arrangements and better manage cyber risk. By helping insurers gain a more sophisticated understanding of the organization’s security posture, both parties will be better equipped to gather the right information to accurately measure and model an organization’s cyber risk.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.
