For years, organisations have been looking for ways to avoid the potentially catastrophic consequences of data breaches. They might have finally found the answer in the form of cyber insurance.
Like any insurance policy, cyber insurance helps cover the costs associated with relevant damages. This includes things like loss of productivity, assisting those affected by the breach and fixing infrastructural damages.
With the average cost of addressing these measures estimated to be $3.86 million (about €3.4 million), financial assistance can be the difference between a bad quarterly performance and going out of business.
But that’s not to say cyber insurance is a panacea – or that it’s a simple fix. Let’s take a look at how it fits your organisation’s overall security strategy.
Cyber insurance is a numbers game
Deciding whether to take out a cyber insurance policy is, in theory, relatively simple. You need to determine whether the cost of the policy is greater or less than the money you’ll spend recovering from security incidents over the policy’s lifetime.
The cost of cyber insurance at a small organisation ranges from about €900 to €6,500 a year, so if the policy lasts five years, you could be paying anywhere from €4,500 to €32,500.
It’s up to you to decide how that compares to the estimated cost of recovery from security incidents. Fortunately, there’s a trusted process that can inform your decision-making.
Risk assessments are essential for cyber insurance
To determine the cost of security incidents, you first need to know the likelihood of them occurring and how damaging they could be. That’s why you must conduct a risk assessment – preferably in line with ISO 27001, the international standard for information security.
Risk assessments help you identify and analyse risks, which will determine the steps you should take to treat them. There are four ways to do this:
- Avoid the risk entirely by eliminating it.
- Modify the risk by applying security controls.
- Retain the risk (if it’s not deemed serious enough).
- Share the risk with a third party (like an insurance company).
As you can see, cyber insurance is only one option, and you should rely on it only when necessary. It’s not an alternative to implementing information security controls, as the insurer will want guarantees that you’re taking the necessary steps to avoid the possibility of a security incident.
Effective security is something you should be striving for anyway. Cyber insurance is a reactive measure, helping you respond to a breach rather than prevent it, and although it gives you financial help following an incident, you’ll still suffer an initial loss of productivity and reputational damage – both of which could cause long-term problems.
This is where you go back to the original equation: the cost of an insurance policy versus the cost of damages. However, now you can see that the issue is more complex.
What you’re really calculating is the cost of an insurance policy minus the long-term damages of a breach versus the cost of security controls minus the inevitability of security incidents.
So should you take out a cyber insurance policy?
The equation above may well leave you with more questions than answers. How do you calculate ‘the inevitability of security incidents’, let alone the cost of recovery?
You obviously can’t – at least not with any certainty. Nor can you be 100% sure that a cyber insurance policy will save you money. However, we can say that a policy will probably save you money, because both the frequency of data breaches and the damage they cause grow every year.
Any significant security incident could have disastrous consequences, and you will probably need help recovering. As long as you back up your policy with effective security controls, like technological defences, staff awareness training and information security processes, cyber insurance will almost certainly be a worthwhile investment.
Reduce your cyber insurance premium with ISO 27001
As we suggested earlier, ISO 27001 is the key to getting a cost-effective cyber insurance policy and improving your overall information security posture.
The Standard contains policies, processes and controls that are designed to protect information in all its forms, helping organisations manage the data they collect and the threats they face.
Although some organisations are put off by the cost of an ISO 27001 implementation project (typically €2,500 or more, depending on the size of your business), it will reduce your insurance premium in the long run.
Getting started with ISO 27001
Those looking for advice on how to implement ISO 27001 should take a look at our documentation toolkits.
These bundles contain a selection of guides, document templates, copies of the Standard and software. All you need to do is pick out the right toolkit for you based on your experience and skills.