Cyber Security: The challenge for insurers and practices alike


The relatively new provision of cyber insurance means that we can expect significant changes in years to come in terms of the policies available, the range of providers, the conditions attached, and of course – the cost of premiums. What makes cyber insurance unusual is that the data actuaries would otherwise use to determine the likelihood of an insurable event is both limited and short-lived: by the time a threat has been measured, it may already have increased, decreased, or morphed into something new.

One aspect of cyber insurance that has concerned some researchers is the possibility that obtaining a policy will make the holder more complacent, because of the additional protection they now believe they have (Talesh, 2018). This is likely why insurers are clearly placing a much higher standard on those seeking insurance to demonstrate that they have done what they can to avoid a breach in the first place. This is really the crux of the issue for the insurance industry and those seeking coverage.

Whether you (or your organisation) wish to obtain a cyber insurance policy or not, the next steps that you need to take are the same. As we have evidenced, the first line of defence comes from the user, which means that an understanding of the risks and training that enables people to recognise what the risks look like is crucial. Keep in mind that like the cyber insurance policy, the protection software that you have may provide a false sense of security with users that isn’t warranted. There is clearly a huge amount of work and education required from company directors and officers that needs to be documented and reviewed in such a way that complacency never sets in or rests on the assumption that an attack would only happen at a bigger company.

The repeated theme of this article is that, because of the dynamic nature of the threat and the huge number of potential access points to your data, we need to operate as though we had no protection beyond that provided by our vigilance. If we take that as our action philosophy, it enables us to examine the problem as though there were no safety net. The value of the data that we hold, and the fact that an attack only needs to succeed once, mean that plans that stop a breach from occurring are worth so much more than the plans that are implemented after it occurs – though of course you need to do both regardless.