Cyber Insurance Is Not an IT Strategy

By Rachel Eckert, SLED Manager

Ransomware attacks on our state and local governments’ IT infrastructure are increasing at an alarming rate, and our customers are looking at cyber insurance to mitigate risk. But cyber insurance shouldn’t be confused with a sound cybersecurity strategy that guards against attacks in the first place.

Here’s what you need to know about cyber insurance and how you can work with customers to develop cyber strategies that will serve them for the long term.

Cyber Insurance Pros and Cons

Ransomware spawned the cyber insurance market – but what you are promised and what you receive may be two different things.

There are two types of cyber insurance coverage, “first-party” and “third-party.” First-party insurance covers a company’s own damages from cyber losses. Third-party coverage, on the other hand, is like general liability insurance, covering legal expenses resulting from one firm being blamed for causing another’s cyber losses.

Expenses that may be covered by cyber insurance include costs of notifying clients and credit monitoring services, public relations campaigns and lost revenue due to the breach. Ransom payment, attorney fees and defense before regulatory/legislative bodies may also be covered, but policies and coverages differ.

This all seems like a very prudent and responsible course of action to take in the face of accelerating Internet-related criminal attacks. Unfortunately for policyholders, cyber insurance can come with loopholes and gaps that may result in claims not being paid. The policies are often narrowly written to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.

Even in the best case, cyber insurance companies may end up paying a ransom because it is cheaper than full forensic recovery. But that approach to cybersecurity won’t decrease the number of ransomware attacks, and it may even encourage more attacks because it gives the attackers what they wanted to begin with: money.

The Four Elements of an IT Cyber Strategy

Cyber insurance can be a great tool, but it is only one aspect of a good cybersecurity strategy, which should also embrace continuity of operations (COOP), disaster recovery and active patching.

Here are four key steps to be built into any cyber strategy:

  1. Mitigate the gaps – Patch systems, back up data and bolster access credentials.
  2. Become more predictive – Investigate forensic detection technologies and utilize automated threat detection.
  3. Increase awareness – Train both IT and non-IT employees in good security practices.
  4. Plan strategically – Develop incident response plans and keep them updated, develop crisis communications plans and increase awareness among legislative bodies about the importance of maintaining funding.

There is definitely a business case for cyber insurance, as long as you strike the right balance. If you have to choose between spending money on cyber insurance or an improved IT cyber strategy, the strategy is always the better choice. As ransomware attacks continue, that’s really the best way to minimize risk to your customers’ IT infrastructure and critical data.

This blog is adapted from an article first published in GCN. The full article is posted here.

