Security Costs - Part III - The Cyber Insurance Problem

When breaking down costs at the C-suite level there comes the question of risk management, and whether or not all this investment is worth it in the long run.  The question comes up a lot...

Wouldn't it be cheaper to just pay for Cyber Insurance?

And this brings us to some startling truths when it comes to the cost of Cyber Security...

With the growing cost of breaches, the amounts insurers pay out on claims are approaching the premiums they collect, leaving little margin for profit, and it isn't clear the industry would survive a major chain of breaches.


Even if you pay into a Cyber Insurance Policy you aren't guaranteed for them to always pay out a claim.

While the first problem is one for actuaries and analysts of a growing market, the second problem lies in the content of many Cyber Insurance contracts and the requirements they place on the insured.  There are many instances where a claim might fall under an exclusion.  Some of the common ones are:

  • Failure to Maintain - This refers to a business failing to implement or maintain the "minimum" security standard described in its liability policy.  If an insured client doesn't maintain the specific security requirements, the claim will be denied at claim time.  Because of this exclusion, even a robust security architecture may still require...
    • Event Monitoring
    • Regular Security Maintenance
    • Following Best Practices
    • Employee Training
    • Compliance Training
  • Social Engineering - If an employee is tricked into giving away information that allows a breach to occur, the claim may be denied.  Since phishing and similar attacks qualify as types of Social Engineering, this is a potential gray area of coverage for many Cyber Insurers.  Look specifically for an endorsement or clause within the policy that covers this kind of attack; otherwise you may have to rely on a secondary fraud insurance policy for the claim, if your company even carries such coverage.
  • PCI Compliance / Assessment - If, in the course of investigating a breach, an insured client is found to be out of compliance with PCI, they may be subject to PCI fines as well as a denial of coverage.  The fines themselves may or may not be covered, but non-compliance may also lead to rejected claims under the "Failure to Maintain" exclusion listed above.


So, what does that mean?

It means that Cyber Insurance, though becoming a more and more integral component of a company's Cyber Security Architecture, is not sufficient to carry the cost burden of Security if the other components are ignored.  This is why regular assessments and review by "real humans" become ever more necessary given the sophisticated threats we see on a daily basis.

London Security is offering a FREE Ransomware Risk Assessment for the next two weeks; on July 1st the cost will increase to $5,000. The assessment of your company's ransomware risk is done with a ransomware script that does everything except encrypt your data: it creates malicious activity that will trigger your security controls (or won't), and if it doesn't, you'll be able to find out how bad an impact Ransomware would have on your company's data.

Or, conversely, it will show the value in your current Security Spending.

Register for your Ransomware Risk Assessment!