Let’s get it straight: Cyber Security (IT Security) is not the same as Insurance (sometimes named “Cyber Security Insurance”).
What is Insurance
Insurance is a post-incident payment to counter the impact of a negative event. In other words, if you are insured, you will get money when the insured item goes wrong. However, insurance won’t protect against, stop or prevent a negative event from occurring. If anything, it has been found in certain cases that holding insurance actually increases the frequency of negative incidents, as some insured people take greater risks than they would if they were not insured.
What is Cyber Security
Cyber Security is about the protection of your Cyber assets. This means stopping and preventing things from going wrong with your IT data, for example with an Anti-Virus, a Firewall or a SPAM filter. So, in theory, if you had perfect Cyber Security with 100% protection, you could prevent any negative event from occurring and you would never need to use or purchase insurance. The reality is that there is no such thing as perfect Cyber Security, due to the constantly evolving digital landscape. There will always be a chance of a negative event, but good Cyber Security can reduce this chance dramatically.
How do Cyber Security and Insurance align?
As the diagrams below show, Cyber Security is aimed at the Preventative stage of a negative event (aka incident). Without any Cyber Security, there is no protection to prevent the incident from occurring.
For completeness, Cyber Security actually continues on after the Incident with Detection and Response, because if you can reduce the time it takes to detect and respond to an incident, you can reduce the impact of the incident.
Costs of an Incident
Why do the costs of an incident matter, if the insurance company will pay to resolve the incident anyway?
The truth is, there are a lot of “hidden” costs that money can’t buy back, like trust, reputation or lost business. It is also easy to undervalue the cost of an incident and hence the amount of insurance required. Here is a nice graph on the size of costs associated with a Cyber Security Incident:
Diagram Credit from ACSC Report
Which is better?
If prevention is better than the cure, then Cyber Security is the prevention and Insurance is the cure.
This suggests Cyber Security is better than Insurance, but both are necessary.
Using an analogy in the form of a car: which is better, car protection (seat belts, headlights, air bags, horn, automatic emergency braking, ...) or car insurance?
As the driver of the car, protection is better, as it will reduce the chance of a car incident occurring and reduce the damage in the event of such an incident. Car insurance is designed to provide money to compensate for the car incident, but it won’t undo the damage.
This means you should get both Cyber Insurance and Cyber Security.
Cyber Security and Cyber Insurance actually work together. It is common for an Insurance company to perform an assessment prior to providing an insurance quote. Hence, it is possible that an Insurance company will assess the Cyber Security of an organisation before providing insurance. It then makes sense to have good Cyber Security so you can potentially reduce your insurance premiums, just as it is in the interest of the Insurance company to reduce the number of incidents that occur.
Going back to the car analogy, a good example is that a car fitted with Automatic Emergency Braking (AEB) is cheaper to insure than a car without AEB.
So now what?
If you are an organisation looking to get “Cyber Security Insurance”, then that is a great idea! You understand that no level of Cyber Security can provide 100% protection. Just make sure you also implement Cyber Security (prevention) beyond just an AntiVirus, as AntiVirus alone is not enough protection.
We can assist with your Cyber Security. We perform Cyber Security Reviews, Health Checks, Advice and Audits. Contact us to see how we can help. The advantage of knowing your Cyber Security Risks is that it enables a reduction of risks through your own actions or through the use of our Cyber Security services. In turn, reduced risks can then potentially result in a reduced Cyber Insurance premium.