In early February, the editor of CSO Online tweeted that he was writing a feature on “why modern businesses shouldn’t buy cyber insurance”, asking people to get in touch to contribute their thoughts on why they shouldn’t invest. We know that the best features have counterarguments before (often) drawing a conclusion, so Assured took the opportunity to respond, putting forward one of our most experienced cyber brokers to give an alternative perspective.
Unfortunately, CSO Online didn’t take us up on our offer, nor did they speak to another cyber insurance specialist, so we thought we’d take it upon ourselves to respond to the points raised in the article, 7 reasons to avoid investing in cyber insurance, with our own experience and perspective. Ed Ventham has 10 years of experience as a specialist cyber broker. He leans on his knowledge and expertise as he dissects the seven arguments against cyber insurance. It’s our mantra to lean into conversations around cyber insurance, whether they are flattering or challenging. We also believe in being unwaveringly honest, even when it doesn’t serve us to be so.
Below you’ll find each of the seven reasons to avoid investing in cyber insurance as reported by CSO Online. Directly beneath each, you’ll find Assured’s response. We hope you find this useful. After all, there are two sides to every story, and we believe in telling both (see our debate with Jake Moore as evidence of this).
1: “Incident remediation may be cheaper than insurance premiums”
Assured Reacts: We do not deny that incident response is a fundamental part of the support that is provided by cyber insurance, but a cyber insurance policy offers so much more than just incident remediation, including (but not limited to) business interruption protection, ransom payments (if desired), proactive services including phishing campaigns, threat intelligence, dark web monitoring, and 24/7 cyber risk advice.
When it comes to being cheaper, the premium reflects the risk. Insurers agree to a fixed rate for incident response, usually cheaper than if a business went directly to the incident response vendor. CSO Online quoted that “renewal quotes have, in some cases, increased from around £100,000 to over £1.5m.” No source was quoted, so we have been unable to verify these extortionate numbers, but we suspect that they are inaccurate or perhaps there’s more to the story. For example, the business may have gone through exponential growth, or the risk may have been incorrectly rated the previous year. That said, premiums have increased since 2020, but we’re now seeing signs of stability and reduction. The original increases were a result of increased risk, claim frequency and severity. It’s a case of supply and demand.
2: “Ransomware coverage is increasingly being scaled back”
Assured Reacts: Ransomware is the single most significant loss vector for insurers paying out claims. It’s also the most common type of attack. Coverage for ransomware is only scaled back when an organisation’s security does not meet the requirements. CSO Online quotes Jon Miller: “only after a ransomware attack hits an organisation do they find that the policy will only cover a fraction of the remediation and recovery costs.” This is frustrating because this situation would never occur when cyber insurance is sold correctly by a specialist cyber broker. Assured clients are educated about the exact policy they are buying, with any holes or blackspots flagged at the point of purchase. Miller’s perspective is fuelled by generalist brokers selling cyber policies without the time to deep-dive into the depth of coverage. That’s why Assured only deals with cyber – we have the time and expertise to ensure our clients never face a situation like the one Miller describes.
3: “Nation-state attack exclusions and attribution challenges”
Assured Reacts: This was a decision taken by Lloyd’s of London and one which we covered in depth in August. Many insurers have followed suit, although some have not. You can read more about that here.
4: “Your business is already self-insured for cyber risks”
Assured Reacts: If a business has set aside funds to self-insure in the event of a cyber incident, then the financial support of a cyber insurance policy is, of course, redundant. This we agree with. It is worth reiterating once again, however, that a cyber insurance policy offers so much more than just financial protection. A proper policy affords you options and expertise, including advice if you’re unsure whether to pay a ransom, help to determine whether you’ve been hacked, and support if a regulator is investigating you. Access to a panel of experts in your darkest professional days is invaluable. Some of the largest businesses in the world buy cyber insurance for the sole reason of outsourcing cyber incident response. If they are subject to a claim, it can also help to manage the legal consequences within the confines of a policy – claims can be long and arduous, which is another reason to outsource. These corporate giants have enough cash to provide balance sheet protection, but they still see the advantage and power of partnering with a specialist cyber insurance provider.
5: “Your cyber insurance investment is based on an insurer’s questionnaire”
Assured Reacts: Assured fully agrees that reliance on a technical application form alone leaves enormous room for error. Our value proposition is that we don’t do this. To truly understand and underwrite a business properly, start by understanding why a company is buying cyber insurance in the first place; this will give a clearer picture of the risk. The technical questionnaire is necessary, but if a business is handed a form to complete without any other engagement, we can categorically say they will not achieve coverage aligned to their unique business. So yes, if your cyber insurance investment is based entirely on a questionnaire, it will likely be a waste of time. That’s precisely why we don’t bind policies based on a questionnaire alone.
6: “You can’t comply with policy requirements”
Assured Reacts: CSO Online quotes: “If the organisation is out of compliance when it comes time to submit a claim…it will quickly find that its policy coverage is useless.” Well, yes, just like if you buy house insurance and leave all the doors and windows open when you go away on holiday, your insurance becomes void. Insurance is a backstop for when security fails. Obtaining cyber insurance coverage doesn’t mean you stop security; it means you must maintain a level of security that protects your business operation. If that level of security fails, that is what insurance is for. It isn’t a question of security OR insurance. The two go hand in hand.
7: “Investment is better spent on improving your security posture”
Assured Reacts: As we stated above, it’s not a case of one or the other when it comes to cybersecurity or cyber insurance. Insurance is not, and should never be viewed as, a safety net in place of better security. Better security is needed to obtain insurance. Sadly, security fails. People also fail, and cyber insurance stands behind that. We encourage businesses to continue investing in cybersecurity and evolving alongside risk. If cyber is a risk to your business, then a genuinely holistic approach is to invest in both security and insurance.
Assured reacts to the rest
One statement we couldn’t agree more with is: “despite its clear appeal as a means of supporting and augmenting cyber risk management, insurance might not be the right fit for all companies in every circumstance.” Cyber insurance isn’t for everyone. We would only work with a business that understands that cyber risk is a relevant and genuine risk to them.
In the introduction to the CSO Online article, the author lists some reasons that companies might be advised to avoid or delay buying cyber insurance. These include “increasing costs, stringent requirements, coverage limitations and general complexities.” These arguments against cyber insurance belong in 2021 and are now an out-of-date narrative.
- Cost: New entrants to the insurer space mean more competition, and as a consequence, prices have recently stabilised and, in some cases, reduced.
- Stringent requirements: This shouldn’t be arduous. If you care about your organisation’s cyber risk, you should want to have good security practices in place. These ‘stringent requirements’ are what businesses need to stay secure; they’re not unnecessary standards made by insurers sitting in their ivory towers.
- Coverage limitations: This is only for businesses that don’t meet the security threshold needed for cover. See above.
- General complexities: Cyber is a complex risk, so it would be concerning if the cyber insurance policy were simple. This is precisely why we set up Assured: to unveil the complex façade that has caused so much fear and distrust around cyber risk management.