Cyber Security is not Insurance


Let’s get it straight: Cyber Security (IT Security) is not the same as Insurance, which is sometimes named “Cyber Security Insurance”.

What is Insurance

Insurance is a post-event payment to counter the impact of a negative event. In other words, if you are insured you will get money when the insured item goes wrong, but insurance won’t protect, stop or prevent the thing going wrong. If anything, it has been found in certain cases that insurance actually increases the frequency of the event, as some insured people take greater risks than they would if they weren’t insured.

What is Cyber Security

Cyber Security is about the protection of your Cyber assets. This means stopping and preventing things from going wrong with your IT data, using tools like Anti-Virus, a Firewall or a SPAM filter. So if you had perfect Cyber Security with 100% protection, you could prevent any negative event from occurring and never need to use or purchase insurance. The reality is that there is no such thing as perfect Cyber Security, so there will always be a chance of a negative event, but good Cyber Security can reduce this chance dramatically.

How do Cyber Security and Insurance align?

As the diagrams below show, Cyber Security is aimed at the Preventative stage of a negative event (aka incident). So without any Cyber Security there is no protection to prevent the incident from occurring.

[Diagram: without Cyber Security]

Hacking icon credits

[Diagram: with Cyber Security]

For completeness, Cyber Security actually extends beyond the incident into Detection and Response, because if you can reduce the time it takes to detect and respond to an incident, you can reduce the impact of the incident.

Costs of an Incident

So why does this matter, if the insurance company will pay to resolve the incident anyway? The truth is there are a lot of “hidden” costs that money can’t buy back, like trust, reputation or lost business. It is also easy to undervalue the cost of an incident and hence the amount of insurance required. Here is a graph of the size of the costs associated with a Cyber Security Incident:

[Graph: incident cost, ACSC 2016]

Diagram credit: ACSC Report


Which is better?

If prevention is better than the cure, and Cyber Security is the prevention and Insurance is the cure, then Cyber Security is better than Insurance. Using a car as an analogy, which is better: car protection (seat belts, headlights, air bags, horn, automatic emergency braking, ..) or car insurance? As the driver of the car, protection is better, as it will reduce the chance of a car incident occurring and reduce the impact in the event of a car incident. Car insurance is designed to provide money to compensate for the car incident, but it won’t undo the damage.

This doesn't mean Insurance is a bad thing; it just means you should consider protection (Cyber Security) before purchasing insurance.

Cyber Security can actually work with Insurance, as it is common for an Insurance company to perform an assessment before they provide prices or insurance. Hence it is possible that an Insurance company will assess the Cyber Security of the organisation before providing insurance. It then makes sense to have good Cyber Security so you can potentially reduce your insurance premiums, as it is in the interest of the Insurance company to reduce the number of incidents that occur.

Going back to the car analogy, a good example is that a car fitted with Automatic Emergency Braking (AEB) is cheaper to insure than a car without AEB.

So now what?

If you are an organisation looking to get “Cyber Security Insurance”, get a review or audit of your Cyber Security first, so you understand the Cyber Security Risks you have. Vertex Technologies perform Cyber Security Reviews, Health Checks, Advice and Audits, so contact us to see how we can help. Once you understand the Cyber Security Risks, you can take action or use our Cyber Security services to reduce the risks and then seek insurance to cover the gaps.