Risk mitigation and protection: cyber-resilience and cyber-insurance

Protecting the organisation from cyber-risk goes beyond the digital walls surrounding it – companies need a multi-pronged approach to ensure resilience and reduce risk, explains Richard Frost, Head of Consulting at Armata Cyber Security

The International Monetary Fund (IMF) describes an organisation’s active commitment to securing both its digital perimeter and its financial position as fundamental to reducing the risk to its solvency. Cyber risk is now volatile enough to present a significant, ongoing threat to financial stability. The IMF’s Global Financial Stability Report found that the largest losses from a single cyber-incident now reach $2.5 billion, a price tag that includes repairing the damage caused by the incident and protecting against a repeat. Companies have to take a proactive approach to policies, cyber-resilience and incident response, but these should form only one part of their cyber risk mitigation strategy. The firewalls, training, endpoint security, alerting and security operations centre (SOC) teams are on the front line, and standing beside them is a piece of paper: a policy designed to protect your assets and reputation and to make your business more resilient.

Right now, there are two ways of approaching this: cyber-insurance or a cyber-warranty. Both are designed to give the company a financial backstop when its technical defences fail, but each fulfils a different role and comes at a very different price point.

Cyber-insurance is designed to provide financial protection for the business’s assets in the event of a successful cyber-attack. The goal is to cover the business with a financial umbrella and to support it throughout the recovery period after the incident. Some cyber-insurance policies and providers also give the business hands-on access to their own security specialists during and after an attack.

In most cases, cyber-insurance covers not only the cost of restoring systems and remediating the incident but also the legal costs, which can be invaluable for companies that handle highly confidential data or operate in heavily regulated sectors. If your business can show that it did everything reasonably possible to mitigate risk before the attack, the insurer will have your back.

However, if the insurer’s investigation finds you to have been negligent, for example that the controls you declared when the policy was written were not actually in place, it can refuse to pay the claim. Even when companies prioritise having the right level of risk mitigation, there is always a chance it is not enough. Another downside of cyber-insurance is the cost, especially for smaller companies. This is particularly true in South Africa, where insurance premiums are generally high and the monthly fee can be crippling.

Another option is the cyber-warranty, a product that pays the business a fixed, pre-agreed amount in the event of an incident and covers some of the gaps that cyber-insurance leaves behind. Managed security service providers often offer a cyber-warranty alongside their products as a mark of confidence in their own solutions. That said, investing in a cyber-warranty does not exempt your company from meeting specific requirements around security standards or products. Many warranties are underpinned by an agreement that specifies exactly what level of security the customer must maintain and which products must be in use, and a payout depends on those conditions having been met.

So, now what? Do you cyber-insure or do you cyber-warranty? Which road leads to resilience?

The answer lies in your risk profile and budget. Cyber-insurance is more expensive, and calculating the amount paid out after an incident is complex: many insurers are unsure what a breach will actually cost or how that cost weighs against the controls the insured has in place. A cyber-warranty is built on the foundation of cyber-resilience and pays a guaranteed amount, which is arguably more reassuring. It makes your business that much more resilient in the event of a successful attack, and that can make the difference between bouncing back or bouncing to the bank.

There is no reason why your business cannot invest in both. Companies that meet the requirements for a cyber-warranty and have one in place present a significantly lower risk than those without, and this can translate into a meaningful discount on their cyber-insurance premiums. Either way, ransomware and risk are rampant and a policy providing much-needed protection is vital. Cyber-resilience means putting the right security in place and investing in a policy that fits your budget, delivers the right value and minimises the impact of an incident on your business.