David Kruse serves as our Director of Business Development. He comes from the cyber insurance industry and wants to share the lessons he has learned after his first 2,000 days in the space.
Well, 2,004 to be exact, but who’s counting?
After more than five years in cyber insurance, I wanted to take stock of what that time taught me. I’ve had time to reflect, and the lessons can be boiled down into three specific takeaways:
Every business that uses the internet needs to consider purchasing cyber insurance. Zero exceptions.
The reason is simple: because human beings run our businesses. The ever-expanding world of technology solutions that promise to make our lives better/easier/more productive/more secure certainly may offer those benefits, but every solution that gets added brings another layer of complexity. That complexity is inevitably managed by a human being (either in the development of the product, the deployment of the product, or the use of the product), and we make mistakes. I’ve made mistakes. So have you. It’s part of being human.
And that’s what hackers are counting on: the fact that someone, at some point, will make a mistake and do something they ought not to, like click that link, download that attachment, decline to invest in information security, or forget to configure a firewall properly. Unfortunately for many, they will make that mistake eventually, and if that’s the day they’re targeted, the results can be costly.
Even if you’re confident that your information security program is solid, you need to take a step back, recognize that it’s being managed by human beings, and consider adding cyber insurance as a backstop. You might decide to self-insure the risk, but at least doing so would be a conscious decision, and you can plan appropriately.
Cyber insurance is not enough
The reason is simple: you can’t reimburse swagger. Cyber insurance can pay for your lost business income after a ransomware attack, or the ransom itself if you decide to pay it, but it can’t reimburse you for the feeling of vulnerability and shock that comes after a major cyber incident. The second-guessing, the questioning of trust, the frayed relationships – all of these can be real effects of a cyber incident.
That means that you need to take intentional steps to develop an information security program to prevent an incident, and handle any that occur with poise and concerted action. You carry homeowner’s insurance, but I’m guessing you still have smoke detectors in every room and strategically placed fire extinguishers in your home. This is no different.
Insurance can pull you back from the brink, but it’s best to avoid reaching the brink in the first place.
Who you work with matters
The reason is simple: cyber insurance and cyber risk change too frequently for someone to just dabble in them. Insurance companies (& brokers) need to have staff focused on this on a regular basis to stay abreast of the constant coverage evolution, and businesses should work with information security consulting firms (ideally those with an incident response team) to make sure they’re kept aware of the most recent threats and the most impactful strategies for mitigating them.
Cyber insurance is a good solution to a real problem, but it can’t be your only solution. For it to work best, it needs to be paired with proactive risk control.
Tetra Defense has information security & experienced cyber insurance advisors in-house. Let us know how we can help.