It may not be all it's cracked up to be.
Insurance is meant to provide peace of mind, but if you’ve ever had to make a claim, you’ll know just how tricky it can be sometimes. Of course, it differs from insurance company to insurance company, but in many cases, they’ll look for any technicality possible to avoid paying out.
That’s just how it is, and it’s no different with cyber insurance - just ask Mondelez. This week, this huge food company took the insurance firm Zurich American to court over its refusal to cough up the cash for a $76 million claim.
We’re not going to cover this case in detail here (check out the Register’s excellent coverage), save to say Mondelez was hit by the NotPetya malware, affecting thousands of servers and laptops. But because NotPetya is linked to Russian state-sponsored hackers, Zurich claims it was an act of war, which is not covered by its policies.
This case could have huge implications for the cyber insurance business, but who knows who the courts will eventually side with? What we can say for certain is that having cyber insurance should not be considered as justification for poor cyber security. If you suffer a major breach that results in huge financial loss, you simply can’t say for certain that your insurer is going to compensate you.
Furthermore, even if you do get a payout, will it be enough? If insurance companies think they can get away with paying you less than you need, they will often try.
And what about the things that money can’t buy? No, we don’t mean love, but rather your reputation and your data. That could include personal data of staff, information about orders, details of projects and intellectual property. The money from an insurance payout won’t replace this data, and your business may not be able to continue without it.
So is cyber insurance a waste of time? Not at all. If you suffer a cyber breach that knocks your business out for a few days, you might lose several thousand pounds, but the damage might not be lasting. In such a scenario, financial assistance could be just what your business needs to stay on track.
But cyber insurance should be used in tandem with robust, up-to-date cyber security technology and practices. You should also make sure you have a reliable backup and disaster recovery solution in place, to keep your business running if the worst happens. And you should always, always assume your insurance company will look for a way to void your claim.