Cyber Insurance Alone Isn’t Enough to Protect Your Business
Just like insurance to protect assets or insurance to shield you from liabilities, cyber insurance is an important component for your business operational resiliency.
But cyber insurance alone should never replace your business continuity management program (BCMP), cybersecurity processes, or incident management and disaster recovery (DR) plans.
Driven by the push to digitalize business operations in the cloud, the cyber insurance market is expected to reach nearly $21 billion by 2024. Healthcare currently drives the market trend, with as much as 80% of healthcare data expected to be in the cloud this year.
Cyber insurance provides peace of mind that you may be supported if a critical incident or disruption occurs, but cyber insurance alone doesn’t offer the same protection as robust business continuity (BC) and cybersecurity programs.
What’s cyber insurance and what’s it designed to do?
Cybersecurity insurance helps businesses decrease the financial risks of doing business in an online world, including policies that help recover expenses related to loss of or damage to digital assets, such as from a data breach.
According to Nationwide Insurance, cyber insurance may cover legal expenses and fees associated with:
- Notifying customers you’ve had a data breach
- Restoring personal identities of affected customers
- Recovering compromised data
- Repairing damaged systems
Other policies can also cover IT forensics, help with ransomware payments, data restoration and recovery, public relations support, protection against class action lawsuits, and settlement funding.
Cyber insurance doesn’t cover everything, and it can’t always help your organization restore operations quickly, mitigate future risks, and fully recover from a cyber incident. But your business continuity program can.
Here are 5 ways your organization could come up short if you solely rely on cyber insurance:
1. Errors and Omissions
While many cyber insurance policies cover attacks and breaches, few cover what happens if someone accidentally omits data or when errors occur.
Let’s say, for example, you have an employee who makes a coding mistake while developing an app for one of your business processes. You haven’t included product development testing in your business continuity program. You don’t have plans to test for mistakes, evaluate potential impact, or outline steps to address issues.
Your company launches the app. Everyone loves it! But that mistake in coding? It lets an attacker waltz into all of your protected data.
While your business continuity and cybersecurity processes could have prevented this from occurring, without them you may think you’ll be OK because your cyber insurance policy should cover an attack.
Well, maybe, but in some cases your insurer could say that mistake gave the hacker access. It was human error; therefore you’re not covered, and you’re left on your own to restore your data, protect customers, protect your data from future breaches, and run damage control for your brand.
2. Little or no third-party protections
If you’ve got a robust business continuity program, you know it’s not enough to have your own disaster recovery and incident management plans; it’s also critical to do vendor assessments to ensure your vendors have their own response and recovery protocols as well.
Without these assessments and your own supplementary response and mitigation protocols, you may put your organization at greater risk. Many cybersecurity insurance policies don’t cover third parties.
For example, what if your credit card payment processor has a breach? You didn’t do a vendor assessment, so you weren’t prepared to mitigate the risks. If your cyber policy doesn’t specify third-party coverage, once again you’re on your own for response and recovery and the related expenses.
3. Limited risk mitigation
Wouldn’t it be great if there were no limit to what your cyber insurance policy would cover? Just like your homeowner’s insurance, unfortunately, that’s not possible. Many cyber policies have a variety of limits from a claim level up through total payout.
Instead of relying singularly on an insurance policy to cover you in the event of an attack, include cyber attacks in your business continuity program so you can increase your preparedness and thereby decrease associated response and recovery costs—or better yet—mitigate incidents altogether.
4. Limited windows for responsibility
In 2019, it took organizations an average of 206 days to discover a data breach and then another 73 days to contain it. That’s almost 300 days in a year your organization could be at risk—from a single attack.
For most cyber insurance policies, coverage begins on the day you start your policy. If a breach is in progress before your policy goes into effect and it’s not discovered until afterward, there’s a chance that breach won’t be covered.
Further, many insurance plans have limits on breach scope, meaning they’ll only cover the directly affected time periods associated with the incident, not the short- or longer-term fallout that could include loss of access to customers and products or future loss of customers related to incident fallout and brand damage.
5. Lost time and resources
If you have a disruptive incident, you will likely need to pull team members from day-to-day responsibilities to aid in response and recovery. That means you could get stalled on opportunities for growth, connecting with new customers, making new sales, and developing or improving new products.
In most cases, cyber policies won’t cover these losses, so you’ll be on the hook for not just time and resources, but also lost revenue opportunities.
Conversely, your BC and DR plans can ensure you’re responding with the right team members, at the right time, at the right locations, with appropriate tasks and responsibilities so you can quickly resume operations as normal, thereby preventing stalled progress from hurting your bottom line.
Double Your Protection with BCMP
While cyber insurance is a good tool to help lessen the financial impact of a cyber attack, it should never replace your BC, DR, incident management, or cybersecurity plans and processes.