Cybersecurity incidents remain a growing risk for the enterprise in today’s digital world. As a result, an organization’s cybersecurity strategy usually isn’t just about prevention anymore, but also about risk mitigation and building resiliency.
Many organizations are reinforcing their cybersecurity strategy by signing up for cybersecurity insurance. Cybersecurity insurance is still in its nascent stage of development, but businesses worldwide are beginning to recognize its importance in today’s evolving threat landscape: auditing firm PwC predicts that insurance policy premiums will grow to $7.5 billion by the end of the decade.
At the recent MIT Sloan CFO Summit in Boston, panelists during a session titled “Cybersecurity: How much is too much?” talked about the role cybersecurity insurance plays in an organization’s overall cybersecurity strategy.
“In terms of cyber insurance, it is a pretty new industry; it’s still maturing,” Aparna Ramesh, CFO at the Federal Reserve Bank of Boston, said. “I think it will be interesting to see what kind of analysis and information comes out once this industry matures.”
Designed to mitigate financial losses from incidents like data breaches, cyber insurance can protect businesses from some of the risks involved in doing business online. Cybersecurity insurance policies can help cover extra expenditures such as regulatory costs and meeting customer notification requirements that result from the theft or destruction of digital assets.
But Pietr Lindahl, senior director of cyber threat reduction and strategic analysis at Philips, advised organizations against solely relying on cyber insurance.
“It may help soften the blow from a financial perspective, but hasn’t done anything to protect your brand reputation or ensure business continuity,” Lindahl said.
Several factors are considered when budgeting and planning an organization’s cybersecurity investments such as insurance policies, Lindahl said. The amount of money budgeted will vary based on the company’s risk profile, what kind of information they have that could be targeted and what kind of proprietary information they have, he added. He also advised organizations to annually reevaluate their threat landscape and risk appetite.
Scott Ward, CFO at Cybereason and a co-panelist, sees cybersecurity insurance as “just another tool in the toolkit” of organizations trying to prevent and prepare for cyberattacks.
To think of it as a silver bullet is wrong, Ward reinforced. After Target’s huge 2013 data breach, cyber liability insurance covered only 36% of the company’s associated costs, he reminded the audience.
“A lot of technology is still evolving, changing and improving and the same has to be said with cyber insurance policies. There is a lot of work going into those policies in the development and understanding what’s covered and what’s not. It’s definitely a work in progress,” Ward said.