Businesses are increasingly exposed to data breaches as cyber criminals relentlessly try to exploit their networks. All too often these businesses turn to cyber security insurance, thinking it will be an easy way to safeguard against any financial loss that they may suffer after a cyber attack.
Companies reach the erroneous conclusion that taking out a cyber insurance policy is a great excuse not to invest in good security practices or products. They see it as a way to cut investment in IT security. It does seem tempting to pay the insurance premium each month, hope for the best and rely upon a third party to pay out in the wake of a massive data breach. However, this is a misguided theory. In reality, the insurance approach to cyber security is never a substitute for the time-tested approaches of investing in people, proven technology and good management.
Cyber Attacks Are Not Force Majeure
When considering cyber security insurance, it’s vital to make the distinction between what is preventable and what the business cannot control. As with other forms of insurance, insurance companies will not pay out if the business or consumer does not take adequate care to secure their property against the threat.
In the physical world, insurance companies send out inspectors and require attestation by survey forms to show proof that the insured is following best practices to prevent damage. In the case of cyber insurance, however, the insurers do not check for adequate controls and only test controls when a claim is actually made. This is time consuming and expensive to do, not to mention too late.
The end result of this liability transfer strategy is that many companies that buy cyber security insurance elect not to take due care. Instead, they merely purchase the insurance just to make sure they are covered. Unfortunately, for the short-sighted business that chooses this path, the usual outcome is that the insurance company will not pay out on the policy because the insured has not taken reasonable steps to secure its environment.
Back to Security Basics
In truth, cyber security insurance will never pay off for the purchaser because it does not replace proper security or internal IT controls. For example, most information is stolen or breached from inside an organization. Yet it can be easily prevented by putting in controlled access to privileged resources and accounts, a solution known as privileged identity management. However, in most companies the C-Suite is led to believe that it is cheaper to only purchase insurance instead.
Cyber Insurance cannot make up for inadequate leadership. It must come from the top downwards. And it must be integral throughout the business, as well as an investment that is perceived to be valuable.
Centers of Excellence
Ultimately, companies that invest in building their own “Security Centers of Excellence” and implement strong cyber defense controls see an excellent return on their investment. But it does require leadership and vision to make these investments. In building this competency, losses are generally negligible. In fact, cyber insurance firms will pay claims to a business that has taken appropriate security measures.
Instead of paying the cyber security insurance premiums and hoping for the best, it’s time for organizations to take back control and lead from the top when it comes to cyber security.