Let me cut to the chase – the answer is no. It is a way to help pay for the damage, but that is about all.
In the article referenced below, the author thoughtfully explains the role of cyber risk insurance – a post-fail risk offset.
The key word there is fail.
Failing in the sense of failing to avoid the breach in the first place.
The after-effects of most breaches are damage control and lawsuits that go on for years. Some percentage of companies – a small percentage – go out of business after a breach. Usually there are scapegoats – someone or some people have to be fired.
While cyber risk insurance can help cover the costs of ongoing litigation, it won’t pay for the fact that executives are distracted for years. Depending on the cost of the litigation, it might not even pay for all of the costs of litigation. It won’t pay for you to find a new job and it won’t make customers come back to your brand.
Cyber risk insurance is an important tool but just a tool. Like every other tool, it is important that it is the right tool. While you can probably bang in a nail with a screwdriver, the results are likely to be sub-optimal.
And, since cyber risk insurance is typically not regulated, it is important that you get a hammer if you need a hammer. Nothing is worse than making an insurance claim and having the insurance company tell you that it is not covered. In the case of cyber risk insurance this happens more often than with some other forms of insurance. This doesn’t mean that cyber risk insurance is useless; it just means that you need to buy from someone who is an expert in the area when you are buying coverage. My first question for an insurance broker you are considering using to buy cyber risk insurance would be: how many cyber risk policies did you write in, say, the last 3 months, and what is the total dollar coverage of those policies? Insurance sales people are commissioned. If cyber risk insurance represents a small part of their paycheck, you can figure out the rest. If cyber risk is not their primary focus, they are unlikely to take the time to become experts in the area. It is a bit of a wild west. You are pretty much on your own.
All that being said, it is much better to have the coverage in the unfortunate situation that you need it – it is just not a replacement for doing things right.
Most of the time, cyber crime is an opportunistic crime. Believe it or not, Equifax was not specifically targeted. But because they had a horrible cybersecurity program, they have spent over a billion dollars recovering from it.
I don’t think they had a billion plus dollars in insurance coverage, so insurance will not make them whole, and it is unlikely to make you whole. It will reduce the pain, but that is not the same thing.
So what should you do?
#1 – implement a great cybersecurity and privacy program.
#2 – get some cyber risk insurance because stuff happens.
But do it in that order.
Source: Dark Reading