Mitigate Risks, Not Threats


In the words of former FBI Director Robert Mueller, “There are only two types of companies: those that have been hacked and those that will be.”

This reality, combined with increased awareness and frequency of cyber attacks, has led to a rise in cyber insurance. The percentage of insurance clients opting for cyber coverage has increased from 26% in 2016 to 47% in 2020. The insurance industry is now facing pressure and concerns about an increase in claims due to the conflict in Ukraine. However, cyber insurance is not the ultimate solution to the growing threat.

In the late 1990s, cyber insurance had fewer restrictions and more coverage, but that has changed in recent years. Now, there is a shift towards traditional risk measurement, with underwriters assessing the biggest risks and excluding certain risks from coverage. Premiums for cyber insurance have also increased, with more than half of policyholders experiencing a price rise of up to 30% by the end of 2020.

While the conflict in Ukraine may lead to more cyber insurance purchases, most policies will not protect against nation-state attacks or ransomware. Insurance companies are likely to refine their language and increase coverage exclusions to hedge their risks. Therefore, organizations looking to mitigate risk should not solely rely on cyber insurance.

The first step should be a risk assessment to determine the anticipated impact of a cyber incident. Insurance is an important part of risk management, especially for high-impact but low-probability risks. Organizations should also focus on improving their security measures, automating risk monitoring, and consolidating security tools for better visibility. Only after completing a thorough risk assessment and establishing a strong security foundation should organizations consider investing in cyber insurance.

The interest in cyber insurance is expected to grow, but it is crucial for companies to understand the details of their policies. The future will likely bring more clarifications and rewriting of exclusion clauses. Instead of relying solely on insurance, organizations should prioritize proactive cyber hygiene as the best defense against cyber attacks.

3 responses

  1. Vicente Rosenbaum

    This is a very insightful article. It emphasizes the need for companies to focus on preventive measures and not rely solely on cyber insurance. While insurance has its place, it can’t replace good cyber hygiene and robust security measures.

  2. sean christiansen

    I completely agree with this. Cyber insurance should be a part of a comprehensive cybersecurity strategy, not the entire strategy itself. It’s essential for companies to invest in stronger security measures and regular risk assessments to really protect themselves from cyber threats.

  3. Laurie Lesch

    This article hits the nail on the head – cyber insurance shouldn’t be the first line of defense for companies, but rather a last resort. It’s crucial for organizations to focus on strengthening their cybersecurity measures and regularly assessing their risk levels. Insurance may provide some financial coverage, but it can’t restore lost trust or reputational damage caused by a breach.