Cyber insurance is the ‘silver bullet’ for cyber risk - 15 Dangerous Cybersecurity Myths - Day 13

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now to clearly see the big picture, but once you separate the myth from the truth, you can begin to significantly reduce your risk. Over the next 15 days, through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.

Myth Number 13 - Cyber insurance is the ‘silver bullet’ for cyber risk  

Now, today, as we continue the series, we're going to explore myth number thirteen: "Cyber insurance is the ‘silver bullet’ for cyber risk." I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

  • Let's explain the thinking behind myth number 13. Often, I hear business owners say: “Buying cyber insurance means that I'm financially protected from all cyber risks and all eventualities”. This is a nice, comforting thought to have; however, it does not reflect reality. Buying cyber insurance can be a material part of a cyber risk management strategy for a smaller company, and it does provide financial protection from the consequences of a cyber-attack. However, it's not a silver bullet, and I will explain why that is the case as I go through this point.

  • The second view I often hear expressed is: “I get all the help I need to respond to a cyber incident from the insurer and from its expert panel”. Now, it's true that most cyber insurers provide an expert panel to assist the insured company in the event of a cyber-attack, and that expert panel is a huge help to any small company when trying to respond to a cyber incident. So, there is definitely a large benefit here. However, that does not mean that the small company is absolved of its obligations when it is the victim of a cyber-attack.

  • And a third point I often hear is: “I don't need to invest in cybersecurity once I have a cyber insurance policy, because I'm financially protected”. This is a naive view, but it's often voiced by small business owners and managers because of the desire to look to insurance as the silver bullet. As I go through the truth behind the myth, I will explain why arranging insurance is a good idea, but not a silver bullet. There are always obligations on an insured company under any insurance policy, so cybersecurity cannot be ignored simply because insurance is held.

A Dangerous Myth

So why is it dangerous to believe the myth that cyber insurance is the ‘silver bullet’ for cyber risk? The myth is dangerous because it fails to recognize how insurance protection works and the current cyber insurance market conditions, which are now a lot more demanding than in previous years. Until about 18 months ago, it was relatively easy for small companies to buy cyber insurance, but in that time period, coinciding with the COVID environment, insurers have seen a massive increase in cyber insurance losses. As a reaction to that trend, cyber insurance prices have gone up, coverage terms have narrowed, and the requirements of underwriters on insured companies have increased.

So, the view that says: “Once I get the policy in place, I don't need to do anything else with cybersecurity” is mistaken. Getting cyber insurance in place has become more difficult for small companies than it was 18 months ago. Managing the risk is a prerequisite to arranging insurance, and an insurer may not be willing to insure your company if it fails to take basic measures to reduce its risk.

Truth Number 13 - Cyber insurance can be a valuable component of your cyber risk management strategy but there are no ‘silver bullet’ solutions.

So, let's look at the truth behind this myth, which is that cyber insurance can be a valuable component of your cyber risk management strategy but not a silver bullet solution.  

  • Insurance does allow you to transfer the financial consequences of an uncertain event to an insurance company, but it doesn't prevent the event from happening or reduce the probability of the event happening. Insurance is a contingent promise to pay in the event of an uncertain event taking place or an uncertain loss occurring. It's not a financial guarantee. There are always exclusions and conditions in insurance policies with which you must comply in order for a claim payment to be made. Payment is not guaranteed under cyber insurance, or indeed under any insurance policy, and acknowledging this reality is important.

  • The second point to remember is that good risk management could prevent the event from happening or reduce the probability of the event happening. A simple analogy is your attitude to your home risks. Most people lock their homes when they leave them unoccupied, and fit alarms to windows and doors, even though they buy home insurance. The same principle applies to cyber insurance. Good risk management is a key requirement in buying any insurance policy. It complements insurance; it does not replace insurance.

  • And finally, insurers are becoming much more demanding of their insureds when they grant cyber insurance, and the small businesses that don't take this topic seriously may be uninsurable in the future, as they won’t be able to provide evidence of a good cyber posture. This is quite a dramatic change in the environment and in the appetite of insurance companies for small company cyber insurance risks. Having said that, cyber insurance can be a valuable component of the cyber risk management strategy of small businesses, as it provides the cyber incident response assistance that is needed through the insurer’s expert panel. It also provides the financial protection that will ensure the survival of the business.

In short, there are major advantages for small businesses in having cyber insurance in place, but there is no ‘silver bullet solution’ to cyber risk.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.