Is cyber insurance worth the paper it’s written on?
Weighing up whether you think insurance is worth it, in any situation, depends to some extent on personal experience. You can see the value of protection far more clearly if you’ve been on the losing side a few times.
And that’s easy when, say, your office is broken into and a load of PCs are taken. Or when a visitor trips on your loose front step and sues you for their broken wrist.
But those are ‘real’ things. What about cybercrime? Is the threat as virtual as its environment? Is there any point spending good money on cyber insurance when you could put that money into robust protection instead?
Pros and cons
Every day we hear more sorry tales of businesses large and small all over the world getting hacked, breached, or having to deal with the consequences of a ransomware-riddled system. Some businesses will be more prepared than others, and some will put greater emphasis on prevention rather than cure.
What’s clear is the probability of a cyber attack on your business is increasing steadily from ‘pretty likely’ to ‘pretty much inevitable’. If the likes of Maersk, WPP and Mondelez can throw lots of time, money and professional expertise at fighting cybercrime – and still lose – what hope is there for anyone else?
You’d be forgiven for thinking however much of that robust frontline protection you have, it’s never going to be enough.
Line of most resistance
In a recent study, UK businesses estimated they’d have to spend an eye-watering £1.1m and 80 days recovering from a cyber security incident.
Granted, these are only estimates but there aren’t many businesses, anywhere, that could cope with that level of financial and day-to-day disruption and just carry on regardless.
Combine the implications of these numbers, the increasing likelihood of an attack in the first place and the fact that only 48% of companies globally have an incident response plan and you’re looking at a perfect storm of business-crippling 21st century problems.
But are things really so bleak? Surely there must be something you can do. There is. This is where that bit of paper with ‘cyber insurance’ written on it comes in.
So how much value is there in that bit of paper, exactly?
Well, that depends to some extent on what’s happened. Oddly enough, the more extensive the attack, the more help clearing up the mess the insurance is.
That’s an important point to remember, by the way. Cyber insurance deals with the consequences of what’s happened, not with preventing an attack in the first place. It’s designed to get your business back on its feet as soon as possible, with minimum fuss and expense to you. It’s the cure, not the prevention.
Specifically, it helps by:
Paying for the investigation – after a breach, knowing what’s happened, where you stand and what happens next are essential first steps to recovery. An IT specialist can help you but they cost money. Your cyber insurance pays the bill.
Paying to deal with the bad guys – having your business hamstrung by ransomware is no trivial matter, and cyber security experts more or less agree that paying up isn’t wise. Your cyber insurance arranges for a consultant to manage the situation and, if there’s really no other option, covers the ransom too.
Paying for the repairs – once you know what’s gone wrong, you’ll need to spend time and money putting it right. Cyber insurance pays to repair, restore or replace systems, data and websites damaged by a hack.
Paying your legal costs – reporting a breach to the relevant government data protection department, and fending off the inevitable confidentiality claims against you, needs a lawyer’s help. And we all know how cheap they are. Thankfully, your policy covers the cost of this essential expertise.
Paying to keep you running – can you function without your website? Your CRM software? Your company files? Your email? The longer you can’t do business, the more money it’ll cost you. If you’re out of action, cyber insurance helps avoid a financial meltdown by covering the gap between what you should’ve earned and what you actually did.
Paying to protect your reputation – bad news travels fast and dealing with the fallout of a cyber-attack needs a considered approach. So it’s a good job your cyber insurance pays for a PR specialist to placate irate customers and keep your good name out the headlines.