Should our nonprofit get cybersecurity insurance?

One of the questions I often hear in my work is from organizations unsure whether they should get or increase their cybersecurity insurance.

There are no one-size-fits-all answers to this dilemma, but this article is meant to provide some guidance to help you make the decision.

What’s the risk?

The answer starts with gaining a clear understanding of risk. A common term in the risk management field is “risk mitigation.” For many years I found the word “mitigation” annoying in this context because I was taught by my father to never deploy the word “utilize” when “use” would do just fine, and “mitigate” seemed, to me, synonymous with “reduce,” a simpler word everyone understands. I’ve since changed my mind.

You can’t eliminate risk

There’s a cliché in sports about a great player that goes like this, “You can’t stop him, you can only try to contain him.” I’m not sure of the origin, but I first heard the phrase spoken about Michael Jordan. This applies to risk.

Risk is part of existence. You can’t stop it. But there are things you can do to manage or mitigate risk.

Consider the consequences

First, let’s think about the kinds of bad things that can happen in a cybersecurity context. Incidents such as ransomware, account breaches, data loss, and fraud can have several different kinds of consequences.

  • Downtime: We can’t work or we have to spend time fixing (or “remediating” in risk management parlance) the incident.
  • Reputation damage: Our organization’s reputation may suffer damage from the incident.
  • Financial loss: We may literally lose money through fraud or theft or we may have to spend money on resources to help us contain and manage the incident.

Four things you can do with risk

Let’s break it down into four basic actions you can take in regard to risk: avoid, reduce, transfer, and accept. All of these together are where the word “mitigate” comes in. Risk mitigation is looking at each of your risks and deciding which of these actions to take.

Avoid

Avoiding risk is the first option and generally the best if it’s available. Let’s say you are collecting social security numbers (SSNs) of clients and you identify that as a risk because it’s sensitive information you are collecting and keeping. But you also realize that you don’t use the SSNs for anything and don’t need to collect or keep them. You can easily avoid this risk by ceasing collection of SSNs and deleting the ones you have. Risk avoided.

Reduce

This is where most cybersecurity work happens. If you are concerned about the risk of your email account being breached, you can’t easily avoid this risk because it would mean not having an email account. But you can reduce this risk by having a strong password and employing two-factor authentication (also known as 2FA) to increase the security of your account.

If I am concerned about data loss if my email account is breached and the attacker deletes all my emails, I can implement a backup solution to automatically back up my email account. Cybersecurity measures or safeguards such as backups, passwords, two-factor authentication, encryption, training, and incident response are all measures to reduce the risk of various incidents.

Transfer

This is where cybersecurity insurance fits in. Transferring risk means moving the consequences of a bad thing happening to someone else. It’s making it someone else’s problem.

One example is credit card processing. Most small organizations have a third-party processor handle the credit card transactions on their website. They understand that collecting credit cards comes with risk and that they can’t avoid this because they need to accept credit cards. Reducing the risk of accepting credit cards can be quite intensive, so many organizations choose to transfer this risk to a credit card processor (such as PayPal or Stripe).

It’s the third consequence listed above, financial loss, where cybersecurity insurance most often applies. What cybersecurity insurance can do is transfer the financial risk of various cybersecurity incidents to the insurer. You pay the insurer an annual fee, say $2,000, and in exchange they accept the transfer of $1,000,000 of your financial risk.

It’s important to understand that you are only transferring the financial consequences of an incident. You can’t meaningfully transfer the downtime consequences or the reputational damage consequences. That’s not to say the money reimbursed by your insurer couldn’t be used to limit the downtime and reputational damage consequences, but you still haven’t transferred those risks. You keep those yourself (lucky you).

Accept

Which takes us to the last thing we can do with risk: accept it. Going back to our email example: I can’t avoid the risk of using email because it’s a critical business tool. I have already reduced the risk of a breach by using a strong password and two-factor authentication. I have transferred the financial risk of an email breach by purchasing cybersecurity insurance.

Even with all these “mitigations” in place, I still have a risk of downtime if my account is breached or I forget my password. I still have a risk of reputational damage if my email account is breached and sensitive communications are exposed to people I didn’t intend to see them.

At this point, I choose to accept those remaining risks. And here’s a key point: We are all accepting all kinds of risks right now, all the time. I could get hit by a meteor or stray piece of space garbage at any minute. I could reduce this risk by living underground, but I’m not going to do that. I accept that risk. What I think is most important is understanding the risks you face, and what options you have to mitigate those risks—and then continuing on with life.

Life is risky. That’s what makes it fun, right?

So, should we get cybersecurity insurance or not?

If you look at your risks and see a lot of financial risk that could be effectively transferred to an insurance company through cybersecurity insurance, then the answer is a resounding YES. But please check with your existing insurance carrier to see what cybersecurity insurance you already have.

If, on the other hand, you look at your risks and see mostly risks of downtime, data loss, and damage to your reputation, my opinion is that you’d be better served investing time and resources in seeing how much effort would be required to meaningfully reduce or avoid those risks.

Joshua Peskay
Joshua Peskay is a technology leader with two decades of experience leading technology change for over a thousand New York City nonprofits. He helps organizations sort through the incredible pace of change to select the best technology and use it wisely. He also does cybersecurity stuff.