Cyber Security – Insure or Ensure?
A modern trend towards convenience, together with the usual SME constraints around cost, has seen the rise of a number of cyber insurance products as a means of “protection” against cyber threats.
Just as you would with any other type of insurance you might consider taking out, it is essential you understand the “fine print” around any caveats and exclusions.
A dictionary definition of “insure” is “arrange for compensation in the event of damage to or loss of (property)…” and while no one is disputing the value or necessity of various types of insurance, this does sound like shutting the stable door after the horse has bolted.
An interesting contrast is a definition of “ensure”, one of which is “Make certain that (something) will occur or be the case”, which sounds more like checking the stable door is closed before the horse can bolt.
In cyber security terms, it is all but useless to simply insure unless you also ensure (at a minimum, that your insurance claim will be paid).
Those caveats, exclusions and all the other fine print that you check on other types of insurance policies will probably contain phrases such as “regularly patched” or “employ complex passwords” or “take all reasonable measures…”.
There are a myriad of them, and for good reason. Insurance is a game of risk. The greater the risk, the higher the premiums, up to a point. Beyond that point, the insurance company will deem the risk to be unacceptable and refuse to pay out (or in extreme cases, to insure at all).
What is a risk to them is also a risk to you.
If you do NOT patch your systems regularly, or use default or weak passwords, or fail to follow a lot of other minimum mitigation strategies, you WILL suffer a cyber security breach at some time. By clearly understanding your risks, you are better able to mitigate them, and thereby ensure that not only are you and your business more secure, but you are able to insure against possible loss.
Because understanding your risk position can be tricky in itself, complying with the conditions of your insurance policy and even simply knowing where you stand presents new challenges. That’s why we’ve created a new service around risk mitigation using a minimum viable set of controls. It removes the ambiguity and allows you to make informed decisions.