Canadian Cyber Security Journal
Filed under: Featured, Opinion

CyberSecurity Is Not Enough: Businesses Must Insure Against Cyber Losses

Recent crippling ransomware attacks have highlighted the tremendous financial price that businesses often pay after suffering a cyber breach; hacker-inflicted damages such as multi-million-dollar ransoms and even larger recovery costs, harmed reputations, and significant downtimes, which, not that many years ago, were topics of only fictional novels and films, have now become part our collective reality.

Cyberattacks can even kill businesses. Large pipeline operators, meat production facilities, government agencies, and major hospitals might be capable of weathering some hacker storms – such enterprises can often afford to suddenly and unexpectedly lay out millions of dollars in response to a cyber breach – but, many smaller businesses would simply collapse if subjected to even a fraction of such damage. And even relatively rich organizations may fail altogether if they suffer the reputational harm that follows multiple serious cyber-incidents. Ironically, while many larger enterprises purchase insurance to protect themselves against catastrophic levels of hacker-inflicted damages, smaller businesses – whose cyber-risks are far greater than those of their larger counterparts – rarely have adequate (or even any) coverage. The impact of deficient protection is clear: research shows that over a third (and possibly as many as two thirds) of smaller businesses that suffer serious data breaches go out of business within a year of the breach, and as a direct result of it.

Aggravating matters is the fact that – contrary to the perception of many members of the general public – the vast majority of cyberattacks target smaller organizations, both because such entities typically have far inferior cyber-defense capabilities when compared with their larger counterparts, and because criminals are more likely to “get away with” lower-profile attacks. (The common misconception that hackers primarily target large corporations is likely the result of the tremendously disproportionate reporting in the media of high-profile attacks; the millions of breaches of small businesses and individuals that took place in the past couple months, for example, have received far less air time than the single breach of a major US pipeline.)

While the need for organizations of all sizes to improve cyberdefenses remains as clear as ever, the reality remains that no amount of technology or training can totally eliminate the risk of a catastrophic breach – and, with smaller businesses facing a strong possibility of failing altogether if they are breached, it is time that we shift part of the cyber-risk mitigation conversation towards leveraging insurance to protect against catastrophic disasters.

The need for cyber-insurance is not something new – cybersecurity professionals have, for many years, been encouraging the purchase of such protection – but, today, the need for obtaining a proper policy should be far more obvious than ever before to far more people than ever before; additionally, a majority of adults in America already employ similar risk management techniques in other areas of their lives.

No bank in the United States will issue a mortgage, for example, to someone who purchases a house but refuses to insure the home against fire; the bank will not relax its position even if the home has been built with every possible known fire suppression and mitigation system. While everyone who is familiar with fire codes recognizes that protection technologies can significantly reduce risks, no knowledgeable person questions that fires can still be devastatingly dangerous even with fire protection technologies in place; no rational person would argue that any technology or collection of technology can fully eliminate the possibility of a fire-inflicted catastrophic loss. Insurance is, therefore, always needed.

Likewise, if one buys a car, the law in every State of the Union requires that the person obtain an insurance policy in order to drive the car; while various laws mandate that all new vehicles sport safety features such as air bags and seat belts, none of the fifty States absolves anyone from buying insurance simply because their vehicle contains advanced safety technologies or because they have many years of driving experience. As is the case with fire, when it comes to motor vehicle dangers, no rational person believes that safety technology or driving experience can totally eliminate the possibility of a catastrophic loss, and, as such, insurance is necessary regardless of how advanced a vehicle’s safety systems may be, and regardless of how much training a driver has undergone.

Somehow, however, when it comes to one of the most common and costly dangers to businesses, we, as a society, continue to dismiss the potential of catastrophic risks; a significant percentage of smaller business concerns are not only underinsured against cyberlosses, but, in many cases, carry no insurance at all. Not only are they not protected against their own losses, but many have zero liability protection in the event that they somehow become a hacker’s catalyst for inflicting cyber-damage on others.

We must transform the recent slew of ransomware attacks into a wake-up call – data breaches can be costly enough to kill otherwise successful small businesses – and, while appropriate cybersecurity practices can dramatically reduce the risks of an organization suffering a cyberattack, or of suffering damage from a breach, the reality is that, without insurance, an unacceptable level of mortal danger to the business likely remains.

Enjoy this article? Don’t forget to share.