So You Have Cyber Insurance—Now What?

By surmounting policy limitations and accounting for unquantifiable damage, enterprises can improve risk management


Between regulations and pressure from board members or stockholders, cyber insurance is now a necessary component of any enterprise’s cybersecurity strategy. There is, however, one disclaimer that shouldn’t be overlooked: Having coverage is smart, but leaning too heavily on it for risk management is dangerous.

Corporate Counsel points out, for instance, that many policies only cover unauthorized access to systems, which frees insurers from covering insider threats such as employee negligence (sharing or losing credentials, falling victim to phishing) and employees who simply go rogue. In these cases, the argument goes, the employee facilitated the illicit access. There are also frequently provisions that free insurance companies from covering nation-state attacks—which, given prodigious evidence of Chinese and Russian government ties to independent hackers, is unsettlingly vague, to say the least.

As threats grow more sophisticated—and claims increase in frequency—providers will undoubtedly adjust policies to meet demand. Still, they aren’t equipped to analyze threats. “There isn’t a great deal of actuarial data to help insurance carriers underwrite cyber risk,” writes IT Business Edge, “which means the aggregate effect of cyber risk and the financial liability it poses are critical concerns for the insurance industry.”

A logical next step will be for insurance companies to educate company employees about minimizing risk. But are they equipped to do this in an impactful way? When it comes to determining network weaknesses and best practices, nothing will be more effective than the actionable intelligence gleaned from machine-learning analytics.

Coverage can offset some of the mounting costs in the event of a hack. But any company should also ask itself how to mitigate the unquantifiable: the negative publicity and business hit that result from public disclosure. Insurance cannot diminish these reverberations.

Additionally, in several circumstances (Yahoo’s predicament comes to mind), breaches are noticed years after their occurrences. “Most cyberpolicies are subject to a specified retrospective date,” notes Corporate Counsel, “which means that liability claims, such as data breaches, arising from events occurring prior to that date are not covered.” Thus, the onus of swift threat detection falls on the enterprise.

Any coverage will mandate that a company have security policies in place, but those requirements are broadly defined. It’s ultimately up to a company’s executive and security teams to invest together in analytics that compensate for what a policy cannot foresee.

Enterprises should treat insurance as a back-up plan, because there is simply no passing the buck when it comes to risk management.