Beneath its inevitable complexity, organizational cybersecurity is about determining levels of acceptable risk. No organization is financially willing to – or even able to – address every gap, remediate every vulnerability, teach every employee how to avoid clicking a questionable link. They strategically and mindfully assume a level of risk and spend considerable cybersecurity budget to address the rest through solutions, people, and processes.
But there is always risk.
As John A. Shedd is believed to have originally coined in his 1928 volume “Salt from My Attic,” “A ship in harbor is safe – but that is not what ships are built for.” It is abundantly clear the risk is considerable, even for the most cash-flush organization. Some of the most headline-grabbing cyber incidents have featured global multinational corporations that have spent heavily on robust cybersecurity programs. Yet they still fell victim to costly, brand-damaging cyberattacks. And the costs are indeed high: the average cost of cybercrime for an organization increased by US$1.4 million from 2017 to US$13.0 million in 2018, according to Accenture’s 2019 Ninth Annual Cost of Cybercrime Study. The costs go beyond what is quantifiable in the here and now – the damage to brand and customer confidence can linger in revenue-tangible ways for years to come. In the case of ransomware, business or municipal operational downtime can have severe and unacceptable (occasionally life-threatening) outcomes for customers and citizens. We have seen smaller or cash-strapped organizations struggle with recovery; some are forced to shutter their businesses.
Cyber Insurance’s Role in Transferring Risk
For our clients across a wide range of industries, cybersecurity is (and will remain) a top business-related concern. According to Travelers’ 2019 Risk Index survey published in late September, cyber risks are the top concern across all businesses for the first time since the survey began in 2014, ahead of medical cost inflation, employee benefit costs, the ability to attract and retain talent, and legal liability. Since its early days in the Lloyd’s Coffee House during the 17th and 18th centuries, insurance has continuously proven to be a vital mechanism for transferring risks that can’t otherwise be managed or avoided by an individual or organization. Cyber insurance is being increasingly relied upon to offset not only the acceptable levels of cyber risk organizations assume, but the risk that can never be fully mitigated despite any level of effort.
In a highly connected world, cyber risk increases rapidly, as does the need for cyber insurance. A variety of sources estimate the current size of the cyber insurance marketplace; the NAIC, which has collected surplus lines data since 2016, indicates a current size of $3.1B in premiums. While banking/financial services and insurance (BFSI) were the largest consumers of cyber insurance, other industries such as retail and manufacturing, which have increasingly leveraged technologies such as payment card systems and the Internet of Things, are expected to increase their adoption; even personal lines of cyber insurance are growing to meet a tangible need.
Cyber Insurance Through an Incident Response Lens
Having worked directly with a large number of companies to manage cybersecurity incidents, we’ve seen a number of clients that would have been unlikely to regain operational efficiency without the assistance of their chosen cyber insurance carrier. Many companies across all industry verticals do not have experienced staff, incident response processes, and preparedness to act quickly following a business-impacting event. Cyber insurance companies play an active role in assisting their policyholders by bringing the right team of experts to the table quickly to resolve various aspects of the incident, including legal and technical. By contrast, we observe the heightened level of financial concern and logistical stress placed on those companies that do not have cyber insurance policies.
There are often difficult decisions that may need to be made in the course of any cybersecurity incident. In the case of ransomware, one particularly challenging decision is between paying a ransom vs. restoring business operations from scratch. Weighing the trade-offs of either decision is critical to understanding all of the risks at play. No one in the process wants to incentivize malicious actors by paying them what they ask; but businesses, working with their insurance and technical support partners, meticulously weigh the real and total costs of the choices they make for the health of their organizations. Just as with any line of insurance, companies purchase coverage to provide them with peace of mind in catastrophic scenarios. In this way, cyber insurance is at its core no different from other lines of traditional property and casualty insurance coverage.
Net-Net on Cyber Insurance
Cyber risk is here to stay. Just as few of us wish to risk incurring medical costs without assistance, cyber insurance is becoming an increasingly necessary cost of doing business in a digital, technology-enabled world, particularly given the growing concern about data privacy within the public at large. As the cyber insurance marketplace continues its growth into the future, it will always remain an essential risk transfer mechanism—and as a cyber incident response provider assisting in over 1,000 cases annually, we have found those customers with policies to be better armed to recover than those without.