With the number of breach victims in 2014 thus far reaching over 77 million, investing in a cyber insurance policy may sound like a good idea. But before latching on to this safety net and calling it a day, it is important to remember that cyber insurance policies are still in their early stages of development. While cyber insurance should be considered part of your risk management arsenal, it is not a substitute for regular penetration testing and vulnerability assessments. As it turns out, cyber insurance is a safety net with many large holes.
Your cyber insurance policy may not be retroactive.
Organizations often purchase policies with only future incidents in mind. However, some breaches take months or even years to be discovered, because attackers are careful not to draw attention to themselves. Insurers may therefore be able to deny a claim if an attack is found to have begun before the policy period started. Check whether the policy includes a retroactive date (the earliest date from which an incident is covered), and, if it does, how far back that date reaches.
Most insurers set a time limit for breach notification.
As soon as a breach is detected, the clock starts ticking. Insurers want to know about a possible breach as early as possible, and the policy's notice provision may limit how long you can spend investigating and initiating damage control before you must notify them. The insurer's notice provision is separate from any public disclosure obligation, but delaying notice to the insurer for any reason, including waiting until the investigation is complete, can still jeopardize your claim.
Read the fine print.
It goes without saying that the policy will not solve all your breach problems. As with any insurance policy, there are exclusions and limitations. For example, some insurers avoid paying claims by disputing liability that arises from contractual relationships. Under such an exclusion, incidents involving third-party vendors or financial institutions can be denied coverage.
You’re only protected from intruders, not insiders.
When it comes to data exposure, remember that you are vulnerable from all angles. Many insurance companies have revised their policies to cover only data exposure resulting from theft by an outside party, but what about leaks from an insider? Excluding breaches that originate within the company, whether through an employee's mistake or a deliberate malicious act, is a significant gap in coverage.
There’s no insurance for your reputation.
Of course, insurance policies will cover some of the financial costs caused by a breach, but there is no insurance for the brand damage or reputational harm. Regular penetration testing, vulnerability assessments, and social engineering testing remain the best way to protect your organization, brand, and reputation from cyber attacks.