Every now and again I hear otherwise sensible security people question why they should improve their security controls when increasing their cyber-insurance coverage seems much easier and less costly, as if the two were alternatives to one another. To me this is akin to debating whether it is better to eat right and stay fit or to buy more health insurance coverage. To be clear, cyber-insurance is not a substitute for having strong and sensible security controls, just as health insurance is not a substitute for healthy living. Why is this?

Firstly, cyber-insurance can’t reasonably cover the non-quantifiable but quite real losses that are associated with breaches, such as brand impact, hits to customer goodwill, and wasted staff time responding to incidents. Secondly, as a recent US federal court decision highlighted regarding a rather easy-to-defend-against email-enabled attack, whether a successful attack is even covered is debatable and often will need to be fought out in court to find out for sure. Thirdly, and very logically, insurance companies that write cyber-insurance are increasingly measuring organizations’ security posture and maturity to determine pricing and level of coverage. If your “cyber-health” is poor, expect to pay more, just as health coverage costs more for smokers than for non-smokers.

Clearly the takeaway of this blog is that security controls and cyber-insurance are complements, not substitutes. And given the relative immaturity of the cyber-insurance industry, the difficulty of determining what is covered, and the constantly evolving creativity of the attackers, good IT risk management practice calls for having effective security controls that are backed up with cyber-insurance coverage that can help take the edge off a successful attack. Think complements, not substitutes.
