Is Cybersecurity Insurance Leading to More Lax Security?

May 15, 2020

At an event earlier this year, I had the opportunity to meet with several organizations, and the topic of cybersecurity insurance was at the forefront of our conversation. Without question, cybersecurity insurance is gaining popularity among companies that, in today’s threat environment, are constantly besieged by both internal and external threats. Is cybersecurity insurance a valid way to insure against damage to assets, data, customers, and branding, and against ransom costs related to ransomware?

During the discussion, it was interesting to listen to the challenges companies face when it comes to spending dollars to improve their security posture. In security, there has long been a struggle over how to put a dollar amount on the cost of better securing your organization against cyberthreats. While it is very easy to take some of the well-known breaches of the last few years and use the monetary value associated with them as a comparison, how can companies arrive at a monetary value for a breach that is relevant to their own industry, so they can justify the spending necessary to mature their security posture? Welcome to the table, cybersecurity insurance…

It’s hard to say how many security breaches go undetected because the companies are smaller and lack a presence on social media or in the mainstream news, which truly is a disservice to some of the small and medium-sized companies that are suffering as a result. While larger companies might present a bigger target, small and mid-sized companies continue to take the brunt of more targeted cyberattacks, resulting in them complying with the criminals’ demands and, in many ransomware attacks, for instance, paying a monetary fee to the criminals to reclaim access to their data. And even paying the ransom is no guarantee that the victimized company will regain access to its data.

But why aren’t these victimized organizations more focused on maturing their security posture in the first place? Why aren’t they investing in technology and people to secure their organization, its people, and its assets? A common misconception is that personal information, such as names, addresses, telephone numbers, credit card numbers, and bank information, is the only thing these criminals are after, and this is not true. While this type of information might bring a higher selling value on the black market, small to medium-sized businesses tend to suffer more from breaches that negatively impact their ability to operate. This can be anything from database compromise and file system encryption to network disruption or privileged identity compromise.

How does this relate to cybersecurity insurance? An interesting (alarming?) trend is that smaller companies are investing in cybersecurity insurance to cover the ransom fees and operation fees associated with a breach, but what are they doing to better position themselves against the breach? I’m troubled by the concept that cybersecurity insurance comes with a false sense of security for some of these companies, because they would rather spend the money on the insurance with the mindset that it will help cover the costs attributed to the breach, but that’s money they aren’t investing to mature their company’s security posture.

Is cybersecurity insurance lending itself as a crutch to vulnerable companies instead of empowering them or forcing them to be better stewards of their security program? Cybersecurity insurance, as a relatively new and growing practice, will continue to evolve and mature. With time, cybersecurity insurers will enforce minimum standards which will develop into best practices. They will need to put forth their own regulations for their customers to adhere to in order for the insurance to stay valid. This will take time to mature and develop. Hopefully, it will force those companies they are insuring to better position themselves against cybersecurity breaches.

I’ll end this with a thought… We insure our valuables in case of an accident, whether through car insurance, homeowner’s insurance, renter’s insurance, etc. When we’re driving our car and the brakes are bad, or the tires are leaking air from wear or a puncture, what do we do? We fix it: we spend the money to replace the brakes, we spend the money to replace the tire, so that we lower our risk of being involved in an accident. Likewise for homeowner’s insurance. If we have a roof that is old or leaking, or even a front door that doesn’t close, we fix it, we replace it, we spend the money to do what we must to prevent theft, damage, or accidents from occurring. But wait, if we have insurance, why fix it? Insurance will cover us! I feel the concept is the same as it relates to cybersecurity insurance.

While we can’t predict or anticipate when a compromise is going to occur, companies should be wary of leaning too heavily on cybersecurity insurance to bail them out. Instead, they should be looking at how they can better position themselves to prevent a breach and leverage their cybersecurity insurance as a last resort when all other avenues have been exhausted.
