Does Cyber Insurance Help Or Just Cost You Money?

October 21st, 2021

Insurance costs money. Whether you’re getting home insurance, business insurance, or any other kind of insurance - the house always wins. If insurance companies weren’t making money off of policies, they’d go out of business. That means that, when you get insurance, you’re almost certainly going to pay more into the policy than you’re going to get out of it.

In many cases, you should get insurance anyway. While your house isn’t likely to burn down, and you’ll probably pay premiums for decades without ever making a claim, you can’t take the risk that your house won’t burn down.

With that in mind, let’s talk about cyber insurance, and whether or not it’s worth the money. We can only paint broad strokes - no two policies are exactly the same, and no two businesses have the same needs. Nonetheless, this piece will give you a good idea of if and when cyber insurance is worth it for you.

What is cyber insurance?

Cyber insurance is a type of business insurance designed to protect your business from cyber threats. These threats include data breaches and cyber attacks - some companies sell data breach insurance and cyber attack insurance separately. Cyber attacks that are usually covered include:
- Ransomware
- DDoS
- Spoofing
- Phishing
- Malware
- Brute force

The exact coverages provided by cyber insurance vary, but they’ll typically include:
- Regulatory defence expenses
- Legal/civil damages
- Notification expenses
- Crisis management/PR expenses
- The cost of hiring a firm to respond to the breach
- Data restoration expenses
- Negotiator/ransom payments
- Business interruption expenses

Note that even if you have business interruption insurance, cyber attacks generally aren’t covered under most business interruption insurance plans. Cyber insurance was created as a way of extending coverage for a risk that isn’t covered under most business interruption/commercial general liability plans.

Understanding risk management and cyber insurance

If you’re interested in cyber insurance, it’s important to carefully review your coverage before signing the contract. You’ll want to ensure that all risks, including internal threats, are covered. You’ll also want to verify that there are no pre-conditions to coverage that you haven’t met.

Even if there are no pre-conditions to coverage that include a certain level of security (say, ensuring that your entire staff uses 2FA), it’s still a good idea to secure your network to limit the risk of cyber attacks. This can help you keep your premiums down (as claiming will generally increase your premiums), and it can help safeguard the reputation of your business, which we’ll discuss more later.

Risk management in the digital age

Insurance is a form of risk management. There are five basic methods of risk management:
- Avoidance
- Retention
- Sharing
- Reducing
- Transferring

Avoidance here would mean “avoid having digital infrastructure” or “avoid going online” - unacceptable in today’s world. The second method, retention, means you’ll simply pay out of pocket for any cyber breaches. For some businesses, that’s okay - if there’s little enough sensitive data or risk of a cyber breach, and large enough cash holdings, absorbing the damage from a breach might be acceptable.

Sharing risk is very rare nowadays - if you had an employee-owned business, where every worker was a shareholder, and you all decided to absorb the risk together, it would be shared.

This leaves us with the two best options for risk management: reducing and transferring. Reducing your risk involves taking steps to ensure that cyber attacks won’t take place to begin with - and should a cyber attack occur, risk reduction would limit the damage that cyber attack could do.

Transferring risk is allowing a third party to take on the risk for you - in other words, buying cyber insurance.

Risk reduction and cyber security

We can’t tell you whether or not cyber insurance is the right solution for your business - there are too many variables. What we can say, however, is that whether you opt for cyber insurance or not, if you’re even thinking about cyber insurance, you need to be thinking about cyber security.

There are some things cyber insurance can’t cover. While you’ll be able to hire PR firms, you may still take a hit to your reputation. And while business interruption insurance may help pay staff and the overhead while your business is down, it almost never covers lost profits - or the gains your competitors make while you’re offline.

Let’s compare and contrast cyber security solutions and cyber insurance:

| Cyber security solutions | Cyber insurance |
| --- | --- |
| Proactive | Reactive |
| Mitigates risk | Transfers risk |
| Can lead to efficiencies incidentally (better hardware, more efficient network, etc.) | No claims = no reimbursement for premiums paid |

Looking at that table, it’s easy to see that cyber security solutions offered by a third party have a couple of advantages over cyber insurance. Generally, it’s a good idea to use the two in tandem, but if you have to pick one, beefing up your cyber security is often the best choice.

Our IT services in Manitoba include comprehensive cyber security solutions. While insurance can help you recover after an attack, our services help you stop the attack in the first place. We believe in the age-old adage that an ounce of prevention is worth a pound of cure. So if you want to improve your security and the reliability of your network, give us a call.