Is cyber insurance a must-have?

Is cyber insurance a must-have?

Article written by Dave Russell, Vice President of Enterprise Strategy, Veeam and Rick Vanover, Senior Director of Product Strategy, Veeam

The frequency and severity of cyberattacks have dramatically increased in recent years, leaving businesses and individuals vulnerable to financial loss and reputational damage. As technology continues to advance and with the ever-present threat of cyberattacks, this has led to a growing need for cybersecurity insurance.

Cyber insurance was created in the late 1990s when organizations began moving their businesses online. As many business leaders sought to understand the complexities of the digital world, insurance policies came in to mitigate the risks associated with the internet and protect companies against unauthorized access to an organization’s systems and data.

The earliest form of cyber insurance was policies that were often broad in scope and not specifically tailored to fit the needs of organizations. However, as the number of cyberattacks increased, so did the nature of cyber insurance. Today, business leaders can opt for highly specialized insurance policies that cover a wide range of risks, including ransomware, data breaches, and business interruption.

In the Asia Pacific region, the adoption of cyber insurance is expected to grow by 35.5% CAGR during the forecasted period of 2019 – 2025. While artificial intelligence, robotics, virtual reality, and the Internet of Things have proliferated technological advancements, this has led to new parameters of threat. Cyber insurance is expected to provide financial compensation and cover a business’s responsibility for data.

Is cyber insurance a must-have?

Dave Russell, Vice President of Enterprise Strategy, Veeam

It is important to remember that cyber insurance is not meant to be a standalone solution. As attacks can vary in severity, cyber insurance also varies in premium prices, which can go up to millions. According to a report by S&P, the global cyber cover premium pool is expected to rise by an average of 25 percent annually. There are ranging degrees to the extent that an organization can insure for. For first-party coverage, it would typically cover the cost of things such as the investigation of the incident, loss of revenue due to business interruption, risk assessment for future cyber incidents, ransomware attack payments based on coverage limits, and notifying affected customers. Third-party or cyber liability coverage can be purchased to protect a business if a third-party sues for damages from a cyberattack incident. This can cover legal fees, settlements, and regulatory fines for noncompliance.

The complexity of cyber insurance policies and the nature of the coverage a company provides can make it a daunting task for businesses keen on acquiring coverage. This can be a challenge for smaller enterprises that may lack the knowledge or resources to purchase an adequate policy. In addition, with the rise of cyberattacks, disputes may arise in the aftermath of an attack, with insurance companies and organizations debating on the payout. This can lead to a lengthy and costly legal battle.

While cyber insurance has been around since the 1990s, it is still a relatively new concept that continues to be updated based on new methods of cyberattack. There is a lack of standardization among insurance companies, and more has to be done to ensure that a regulatory standard is adhered to in terms of what can be covered.

Organizations are often targeted for various reasons, with financial gain being the most common motivation. Attackers use a variety of ways to access sensitive information, from phishing through to hacking into systems to extract sensitive information. 

Cyber insurance makes up only one part of practising good cyber resiliency. While it provides financial relief, it does not eliminate the fact that a cyberattack took place, and that the trust of the organization has been compromised. Beyond encrypting sensitive data, installing cybersecurity software and regular staff education around cyberattacks, backing up data is a good way to ensure that there is business continuity in the event of an attack, and that hackers will not have the power to demand money from organizations to get their data back.

Is cyber insurance a must-have?

Rick Vanover, Senior Director of Product Strategy, Veeam

Data should always be backed up using the 3-2-1-1-0 rule, where there should be three copies of data on two different media, with one copy being offsite, and another being offline, air-gapped or immutable, achieving zero errors with a recovery system. This will safeguard data and ensure that if a company goes offline, it can be quickly restored with little to no downtime. According to Veeam’s recent Data Protection Trends report, 82 percent of organizations have an ‘Availability Gap’ between how quickly they need systems to be recoverable and how quickly IT can bring them back. A further 79 percent cite a “Protection Gap” between how much data they can lose and how frequently IT protects their data across cloud and on-premise. This further highlights the importance of how many backup copies one should have. 

Ultimately, strong backup is the insurance that organizations need. Cyber insurance can be part of an overall plan, but solely relying on it will not be wise. As the technology landscape continues advancing and growing, companies need to lead their own defense against cyberattacks.

The views in the article are those of the authors and may not reflect the views of this publication.