Cybersecurity insurance is a growing sector, as more and more companies are paying premiums that they hope will cover their losses in the event of an incident. Despite this, only a third of organizations have any form of cyber insurance. In fact, market growth has been slowing of late, and for a number of very good reasons. The fact is that there are some significant shortcomings to cybersecurity insurance.
Here are 5 limitations of cybersecurity insurance:
1. Cybersecurity insurance has many limitations
Cybersecurity insurance is very hard to underwrite, which means that most insurers tend to have some very broad limitations. One limitation that often comes up is that they do not cover “acts of war.” This clause has been used as justification to deny coverage for attacks even if they have not been demonstrated as being caused by a foreign government. In fact, most major incidents that occurred in 2019 were not covered due to this clause.
Additionally, insurance only covers the direct cost related to a cyberattack, which means that no insurance can help you recover from the intangible losses in customer trust and reputational damage caused by such incidents. Another major limitation is that cybersecurity insurance generally does not cover physical damage or bodily harm caused by a malfunction of your industrial equipment, should it be hit by a disruptive cyberattack. A threat that has been growing tremendously as of late in the manufacturing industry.
Because these policies are relatively new, it is hard to know what is covered and what is not. Coverage has only been extended to smaller businesses in the last few years, and there is not a huge body of legal precedence to know what insurers may do following a cybersecurity incident.
2. It creates a false sense of security
Furthermore, cybersecurity insurance often creates a false sense of security, leading insured companies to believe that their entire financial losses will be covered following an incident. This leads many of them to neglect their security and to reduce their budgets for IT security, leaving them even more at risk of a cyberattack.
The truth is, the majority of insurers will deny a company’s claim if their cybersecurity measures have been deemed insufficient, just as an insurer may refuse to pay out a theft claim if the thief got through your back door that was propped open with a brick. This means that your cybersecurity risks should never be taken lightly, even if you have insurance, as it could be the main reason why your claim is denied.
3. It forces you to disclose details on your cybersecurity
Before you can be insured, most providers will require detailed information on your cybersecurity management such as your security practices, your policies, the measures you’ve taken to secure your company, etc. This means that your insurer could require you to comply with their security practices before you can be insured, forcing you to create new cybersecurity policies, to raise your budget in IT security, to carry out IT security audits / penetration tests of all your systems and infrastructures on a regular basis and much more. As a result, you might be forced to spend more resources on security controls than necessary, on top of your insurance premium, before you can even benefit from it.
While their strict requirements will often help you mitigate your risks, they will leave you spending more on your Cybersecurity than you could have spent in the first place to prevent any incidents. Even worse, these investments are often wasted as companies will only validate these security controls to comply with the requirements, leaving them aside and neglecting them once they have successfully been insured. This negligence will often be used as justification for the insurer to avoid paying out any claims.
4. It does not cover attacks carried out internally
Moreover, this insurance does not cover the losses associated with an attack or a data breach carried out internally by a malicious actor, an intern or a temporary employee who’s access within the systems had not been carefully secured and validated. This also means that negligence from an employee, such as losing a company laptop with valuable customer data, or getting infected through a phishing attack (the act of sending a coercive email to infect a system or to gain a user’s authentication data) will not be covered by the premium. To make matters worse, nearly 90% of cyberattacks in 2017 were caused by human error, which means that the majority of incidents generally fall under negligence from an employee and are not be covered by this type of insurance.
5. Cybersecurity insurance cannot stop intangible losses
Another shortcoming of cybersecurity insurance is that while it covers the costs needed to recover from an attack (Such as incident response, technical restoration, etc.), it does not cover any long-term intangible losses that inevitably result from a cybersecurity incident. Whether it’s from stolen trade secrets that were potentially sold to your competitors, a loss in trust from your customers, to a drop in your company’s shares, your insurance will only cover a small portion of the overall cost of the incident, which might not even be sufficient for your company to fully recover from it. Hence why you should never rely on it to cover all your losses.
None of this means that it is necessarily a bad idea to take out a cybersecurity insurance policy if you can find one that is affordable and meets your needs. However, you need to be fully aware that there are limitations to cybersecurity insurance, that it can only help with some losses and that it shouldn’t be a reason to neglect your IT security.
Much better is making sure that you have a good security plan in place to nullify the need for insurance coverage in the first place. Protecting yourselves, your employees, and your customers require taking all the necessary actions, even if you are insured. Reach out to an experienced specialist to learn more about how you can mitigate your cybersecurity risks to prevent any incidents.