One often-bandied ‘solution’ nowadays is cyberinsurance: policies touted as protecting your company in the event of a cybersecurity-related incident. There are many types of policies available today (see the graphic above), and as a risk management professional or system owner you need to be aware of them and what they cover.
More important, though, is understanding what they DO NOT cover, and what is still expected of you.
- It isn’t like purchasing automobile insurance – there are no industry standards for coverage, and requirements to qualify for reimbursement may be buried in fine print.
- More and more insurance companies are requiring minimum levels of due diligence and ongoing due care, including the use of pre-insurance and ongoing third-party cybersecurity audits that identify the level of maturity and systematic protection you have in place.
In other words – much like having auto insurance does not mean you are covered if you drive in a knowingly reckless manner or fail to maintain your vehicle – cyberinsurance also requires you to be a responsible and secure ‘driver’ for your IT infrastructure. You MUST have a well-defined cybersecurity and risk management program in place, and show that you are at least ‘working the list’ to implement controls and protections that most consider a minimum in a business environment.
Don’t get me wrong – even with good programs the costs of cyber-related incidents are quite high, as the numbers keep telling us:
- The U.S. National Cyber Security Alliance estimates that 60 percent of small companies – 6 months after a cyberattack – are unable to keep their doors open.
- The Ponemon Institute’s “2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB)” report gives real costs to these attacks, too: a whopping 50% of SMBs reported a data breach in the prior year. The average price for small businesses to clean up the mess: $879,582 (and that doesn’t include the even larger additional revenue losses that the businesses attributed to the disruption to operations).
Do you have that kind of spare change in your seat cushions?