Insurance A Complement, But No Cure, For Cyber Security Risk

By Shavonne Smith

Cyber insurance can complement a company’s active security measures by providing coverage in three broad areas:

  • Liability for loss or breach of data

  • Remediation costs to respond to a breach, such as a forensic investigation, notification to affected parties, etc.

  • Regulatory fines and penalties, as well as associated settlement costs

In the wake of increased cyber risks, cyber insurance can thus help companies mitigate losses from a variety of exposures, including data breaches, loss of confidential information and business disruption.

Considerations for Cyber insurance

  1. Understand your company’s risk exposure

a) Evaluate your current cyber risk exposure to understand the type and amount of cyber insurance coverage required.

b) Coverage may not be required in areas where controls are well-established and routinely tested.

  2. Understand policy complexities

a) There are a wide variety of insurance policies available, which often require a rigorous underwriting process. Spend time at the outset understanding the pre-conditions that need to be met in order to obtain insurance.

b) It is also important to understand any policy exclusions to make sure you are able to take advantage of the coverage you will be paying for.

What Cyber insurance provides

  • Coverage from financial implications: Cyber insurance can provide financial assistance to cover the costs associated with investigating and resolving information security breaches.

  • Transfer of risk: Cyber insurance allows companies to manage their risk through risk transfer, not mitigation.

  • Liability protection against the evolving threat landscape: Policies can be structured to protect the areas of most concern to your company, whether it be social media, cloud computing or third-party management.

What Cyber insurance does not provide

  • Protection from reputational risk: While a monetary claim can be awarded for an information security breach, the damage done to a company’s brand cannot be repaired as easily or transferred to an insurance carrier.

  • Removal of risk: Insurance, whether cyber or otherwise, provides a company with the opportunity to transfer, not remove, risk.

  • A replacement for an information security program: Strong security controls and a comprehensive Information Security Program are prerequisites for purchasing cyber insurance. However, they are not provided by the policy itself.

Companies must thus understand their risk exposure and evaluate insurance policies, as well as implement security controls to improve their risk posture. They should execute a cyber insurance-focused risk assessment to answer the following questions:

  1. Which insurance policy is appropriate for the company?

  2. What type and amount of coverage should be obtained?

  3. What residual risks does the company still face once the cyber insurance is in place?

NB: Information in this article is based on the Deloitte white paper, ‘Cyber Security: Getting it Right POV’. For more information on Deloitte Bahamas Risk Advisory Services’ Cybersecurity offering, contact Lawrence Lewis, risk advisory services partner, at 1(242)302-4898 or llewis@deloitte.com, or Shavonne Smith, senior risk advisory services consultant, at 1(242)302-4880 or shasmith@deloitte.com.

Ms Smith holds a Master of Science (MSc) degree from Capitol College in Baltimore, Maryland, and specialises in information assurance and network security. She also holds the CISA designation (Certified Information Systems Auditor), and several Microsoft certifications.
