One of the questions we get most often at RoundTable is from organizations asking whether they should get, or increase, their cybersecurity insurance.
This post is meant to give as clear a response to that question as we can.
The answer starts with gaining a clear understanding of risk. A common term in the risk management field is “risk mitigation”. For many years I found the word “mitigation” annoying in this context because I was taught by my father to never deploy the word “utilize” when “use” would do just fine and “mitigate” seemed, to me, synonymous with “reduce,” a simpler word everyone understands. I’ve since changed my mind on the word “mitigate.”
You Can’t Eliminate Risk
There’s a cliche in sports about a great player that goes like this, “You can’t stop him, you can only try to contain him.” I’m not sure of the origin, but I first heard the phrase spoken about Michael Jordan. This applies to risk. Risk is part of existence. You can’t stop it. But there are things you can do to manage or “mitigate” risk.
First, let’s think about the kinds of bad things that can happen in a cybersecurity context. If we think about things like ransomware, account breaches, data loss and fraud, there are different consequences that may apply.
- Downtime - we can’t work, or we have to spend time fixing (or “remediating,” in risk management parlance) the incident
- Reputational Damage - our organization may suffer reputational damage from the incident
- Financial Loss - we may literally lose money through fraud or theft, or we may have to spend money on resources to help us contain and manage the incident
Four Things You Can Do With Risk
Let’s break it down into four basic actions you can take in regard to risk. All of these together are where the word “mitigate” comes in. Risk mitigation is looking at your risks and deciding which of these actions to take.
Avoid
Avoiding risk is the first option and generally the best if it’s available. Let’s say you are collecting social security numbers (SSNs) of clients and you identify that as a risk because it’s sensitive information you are collecting and keeping. But you also realize that you don’t USE the SSNs for anything and don’t need to collect or keep them. You can easily AVOID this risk by ceasing the collection of SSNs and deleting the ones you have. Risk avoided.
Reduce
This is where most cybersecurity work happens. If you are concerned about the risk of your email account being breached, you can’t easily AVOID this risk because it would mean not having an email account. But you can REDUCE this risk by having a strong password and employing two-factor authentication (also known as 2FA) to increase the security of your account.
If I am concerned about data loss if my email account is breached and the attacker deletes all my emails, I can implement a backup solution to automatically back up my email account. Cybersecurity measures (or “safeguards” in risk management parlance) such as backups, passwords, two-factor authentication, encryption, training and incident response are all measures to REDUCE the risk of various incidents.
Transfer
THIS is where cybersecurity insurance fits in. Transferring risk means moving the consequences of a bad thing happening to someone else. It’s making it someone else’s problem. One example is credit card processing. Most small organizations have a third-party processor handle the credit card transactions on their website. They understand that collecting credit cards comes with risk and that they can’t avoid this because they need to accept credit cards. Reducing the risk of accepting credit cards can be quite intensive, so many organizations choose to TRANSFER this risk to a credit card processor (such as PayPal or Stripe).
It’s the third consequence listed above, Financial Loss, where cybersecurity insurance most often applies. What cybersecurity insurance can do is TRANSFER the financial risk from various cybersecurity incidents to the insurer. You pay the insurer some annual fee, say $2,000, and in exchange they accept the TRANSFER of $1,000,000 of your financial risk.
It’s important to understand that you are ONLY transferring the financial consequences of an incident. You can’t meaningfully transfer the downtime consequences or the reputational damage consequences. That’s not to say the money you could be reimbursed by your insurer couldn’t be used to limit the downtime and reputational damage consequences, but you still haven’t TRANSFERRED those risks. You keep those yourself (lucky you!).
Accept
Which takes us to the last thing we can do with risk: accept it. Going back to our email example: I can’t avoid the risk of using email because it’s a business-critical tool. I have already reduced the risk of a breach by using a strong password and two-factor authentication. I have transferred the financial risk of an email breach by purchasing cybersecurity insurance.
Even with all these “mitigations” in place, I STILL have risks of downtime if my account is breached or I forget my password. I still have risk of reputational damage if my email account is breached and sensitive communications are exposed to people I didn’t intend to see them.
At this point, I choose to ACCEPT those remaining risks. And here’s a key point - WE ARE ALL ACCEPTING ALL KINDS OF RISKS RIGHT NOW. I could get hit by a meteor or a stray piece of space garbage at any minute. I COULD reduce this risk by living underground, but I’m not going to do that. I accept that risk. What I think is most important is UNDERSTANDING the risks you face, UNDERSTANDING what options you have to manage (mitigate) those risks, and then continuing on with life.
Life is risky. That’s what makes it fun, right?
Hey, what about the original question - Should we get Cybersecurity Insurance or Not?
If you look at your risks and see a lot of FINANCIAL risk that could be effectively TRANSFERRED to an insurance company through cybersecurity insurance, then the answer is a resounding YES. But please check with your existing insurance carrier to see what cybersecurity insurance you already have.
If, on the other hand, you look at your risks and see mostly risks of downtime, data loss and reputational damage, my opinion is that you’d be better served investing time and resources in seeing how much effort would be required to meaningfully reduce or avoid those risks.
If you’d like more help or to talk about cybersecurity or anything else IT-related, please reach out!