Let’s get it straight: Cyber Security (IT Security) is not the same as Insurance, sometimes called “Cyber Security Insurance”.
What is Insurance?
Insurance is a post-event payment that counters the impact of a negative event. In other words, if you are insured you receive money when the insured item goes wrong, but insurance won’t protect, stop or prevent the thing going wrong. If anything, in certain cases it has been found that insurance actually increases the frequency of the event, as some insured people take greater risks than they would if they weren’t insured.
What is Cyber Security?
Cyber Security is about the protection of your cyber assets: stopping and preventing things going wrong with your IT data, using controls such as Anti-Virus, a Firewall or a SPAM filter. So if you had perfect Cyber Security with 100% protection, you could prevent any negative event from occurring and would never need to buy or use insurance. The reality is that there is no such thing as perfect Cyber Security, so there will always be a chance of a negative event, but good Cyber Security can reduce this chance dramatically.
How do Cyber Security and Insurance align?
As the diagrams below show, Cyber Security is aimed at the preventative stage of a negative event (aka an incident). So without any Cyber Security there is nothing to prevent the incident from occurring.
For completeness, Cyber Security actually extends to after the incident, with Detection and Response: if you can reduce the time it takes to detect and respond to an incident, you can reduce its impact.
Costs of an Incident
So why does this matter, if the insurance company will pay to resolve the incident anyway? The truth is there are a lot of “hidden” costs that money can’t buy back, such as trust, reputation or lost business. It is also easy to undervalue the cost of an incident, and hence the amount of insurance required. Here is a nice graph of the size of the costs associated with a Cyber Security Incident:
Diagram credit: ACSC Report
Which is better?
If prevention is better than cure, and Cyber Security is the prevention and Insurance is the cure, then Cyber Security is better than Insurance, but both are necessary. Using a car analogy: which is better, car protection (seat belts, headlights, air bags, horn, automatic emergency braking, ...) or car insurance? As the driver of the car, protection is better, as it reduces the chance of a car incident occurring and reduces the impact if one does occur. Car insurance is designed to provide money to compensate for the car incident, but it won’t undo the damage.
This means you should get both Cyber Insurance and Cyber Security.
Cyber Security and Cyber Insurance actually work together, as it is common for an insurance company to perform an assessment before it quotes a price for insurance. Hence an insurance company may assess the Cyber Security of the organisation before providing insurance. It then makes sense to have good Cyber Security so you can potentially reduce your insurance premiums, as it is in the interest of the insurance company to reduce the number of incidents that occur.
Going back to the car analogy, a good example is that a car fitted with Automatic Emergency Braking (AEB) is cheaper to insure than a car without AEB.
So now what?
If you are an organisation looking to get “Cyber Security Insurance”, that is a great idea, as it shows you understand that no level of Cyber Security can provide 100% protection. Just make sure you also get Cyber Security (prevention) that is not just AntiVirus, as AntiVirus alone is not enough protection. We can help with the Cyber Security, as we perform Cyber Security Reviews, Health Checks, Advice and Audits, so contact us to see how we can help. The advantage of knowing your Cyber Security risks is that it allows you to reduce those risks through your own actions or through the use of our Cyber Security services, which can then potentially allow a reduced Cyber Insurance premium.