Understanding Cybersecurity as Operational Insurance

Summary

Understanding cybersecurity as operational insurance involves viewing cyber insurance not as a standalone safeguard, but as one layer of a comprehensive defense strategy to address potential cyber threats and financial losses.

  • Evaluate your risk: Conduct regular risk assessments to understand the potential impact of cyber incidents on your business and determine the right balance between insurance coverage and cybersecurity investments.
  • Strengthen security measures: Implement robust security controls such as employee training, incident response planning, and advanced monitoring systems to reduce vulnerabilities and meet insurer requirements.
  • Plan for gaps: Recognize that cyber insurance has limitations; it’s vital to establish strategies to manage risks beyond what insurance can cover, including reputational damage and customer trust.
Summarized by AI based on LinkedIn member posts
  • Joe Erle, MBA, CIC, CRM, TRA, CCIC

    Cyber Insurance Broker l Cybersecurity Content l Podcast Host of Ransomware Rewind

    5,653 followers

    Unpopular insurance opinion: Cyber insurance isn't enough to protect your business. It won't be your silver bullet against bad actors.

    As a cyber insurance broker, I've learned that a policy is just one layer in your cybersecurity armor.

    How I uncovered this hard truth: Last month, a client called me, her voice shaking. Despite having a comprehensive cyber policy, her tech startup was under siege after a devastating ransomware attack. The policy covered the ransom and even gave her some funds towards trying to get customers back, but couldn't shield her company's reputation or defend against the loss of customer trust.

    Remember that insurance is a backup plan, not an all-in-one risk management strategy.

    Here's what every business leader needs to know:

    1. Policies are evolving. Insurers now demand stronger security measures before providing coverage.
    2. Underwriting is more sophisticated and is rewarding those with controls like MDR and penalizing companies that aren’t taking cybersecurity seriously.
    3. Coverage has weak spots. No policy can cover every type of cyber or social engineering attack.
    4. Claims can be rejected. Neglecting best practices might leave you exposed.
    5. Recovery isn't guaranteed. A payout can't always repair the damage to your reputation.

    Don't misunderstand – cyber insurance is crucial. But it's most effective when reinforced with:

    • Robust cybersecurity infrastructure
    • Regular vulnerability assessments
    • Comprehensive employee training
    • Well-rehearsed incident response plans

    Remember: Insurance is like body armor. It offers protection, but it doesn't make you invincible or teach you combat skills.

    As a broker, I'm not just here to sell you insurance. I'm here to help you manage risk.

    What do you think is the biggest threat to businesses right now?

    #cyberinsurance #cybersecurity #riskmanagement #insurance

  • Aurobindo Sundaram

    CISO | Startup advisor | Board member | VC fund advisor ➕ Photographer | Sharer of financial & life lessons

    7,678 followers

    "It baffles me that Co-op didn't have cyber insurance for ransomware." --Every armchair CISO & CFO last week

    Gotta be careful with those judgments. Boards and management make tradeoff decisions all the time. Hear me out.

    Let's make up some numbers here. Let's say the cost of their annual cyber insurance coverage was $2M, with a deductible of $1M. Let's further say that they estimate that a significant incident costs $10M. Finally, their risk assessment is that an event like this will occur about once every 5 years.

    Remember too, that payouts on claims are not guaranteed. Assuming that 75% of claims are paid in full, that's another factor to keep in mind.

    In the incredibly competitive world of retail, where margins are slim to none, that $2M could go a long way. If you do the math, the annual loss expectancy (ALE) for the incident is $2M. Management could easily have decided, "I'd rather spend the $2M on store improvements to increase revenue, and I'll pay for the $10M, if it even happens, from reserves."

    Remember - if you pay for cyber insurance, that money is gone. If you don't, and you don't have an incident, that money is there for investment and leverage. And most companies suffer from optimism bias - "It won't happen to us." or more likely, "It won't cost us as much because we have a solid program."

    So, in hindsight, maybe this looks awful for Co-op's risk management process. But there are real reasons why this could have been a perfectly reasonable decision at the time.

    Hindsight is 20/20, y'all. Careful when you're judgmental.

    – Interested in more content like this and don't want to miss a post? Connect with me for ~3x/week posts on cybersecurity, leadership, photography, life lessons & personal finance (View my profile, click 🔔).

    PS: Opinions are my own.

    #lessonsfromaCISO #cybersecurity #security #infosec #commonsense #leadership #leadershipadvice #cyber #CISO 🔐

  • Scott Kannry

    Chief Executive Officer of Axio

    5,409 followers

    CISOs: Your next best cybersecurity investment might be cyber insurance (or more of it)!

    Take the recent Marks and Spencer event - they’re reporting north of £300m of losses but only the ability to recover £100M of that from their cyber insurance program. Based on cyber insurance availability and currently favorable market conditions, M&S could have purchased more, and almost certainly £300m or more of coverage.

    Especially considering that despite anything put under the microscope during the inevitable hindsight analysis of the event, Marks and Spencer’s cybersecurity program is probably very good.

    But even the best security program can’t stop everything from happening. Perfect cybersecurity is unachievable, despite organizations spending like it is.

    Like most, my guess is that Marks and Spencer spends much more on cybersecurity tech than it does on cyber insurance. Right now, M&S executives are probably wishing that they had spent more on the latter, even if that would have meant less of the former.

    Leading to the contention that for many organizations, the next best cybersecurity investment is probably cyber insurance instead of more cybersecurity tech. Without jumping to an ill-informed conclusion, how can organizations make that decision? That’s a simple ROI comparison - how much risk reduction benefit can be achieved by the next security initiative or technology purchase, versus that same amount spent on cyber insurance?

    The results might be surprising. Regardless of what it points to, the insights will make all involved feel more confident that precious funds are most effectively spent.

    And if the answer points to more cyber insurance, that decision will pay off if (when) an event happens and the bills come due!

    Axio