At Towergate, we regularly have conversations with our clients about how they can defend against cybercriminals seeking to exploit their company. In the process, we’ve noticed that the same harmful lines of thinking keep cropping up. Here, we go through the main misconceptions about cyber insurance our customers have that could hurt their businesses if left unchecked.
Cyber insurance is only for businesses who handle customer data
Just because your company doesn’t collect sensitive data from its customers, that doesn’t mean it doesn’t have any sensitive data at all. If your business has employees, it has sensitive data that can be exploited by threat actors – things like bank details, home addresses, medical information, and more.
Additionally, if you do business with other vendors and conduct transactions, your business is in possession of sensitive data in the form of private account information – yours, and the other party’s.
We’ve got a good IT system, so we don’t need cyber insurance
Having IT security in place is great, and your business wouldn’t want to be without it, but even the best IT security isn’t a substitution for cyber insurance, and nor is it designed to be.
The fact is that cyber breaches can and do happen to businesses that have robust IT security systems. This is for a couple of different reasons.
The first is that the strategies and tactics threat actors use to exploit your business’s vulnerabilities are changing and adapting all the time. In the same way that seasoned security analysts are devoted to learning about the increasingly sophisticated methods of cyber-attackers (so that they can defend against them), so too are cybercriminals learning from experience what works and what doesn’t, and increasingly refining their methods of attack.
The second reason is that IT security doesn’t actually account for a business’s top cybersecurity risk: its employees. Staggeringly, it’s estimated that up to 95% of cyber-attack incidents are due to human error.[1] It only takes one employee slip-up to cause a cyber crisis that could cost your business more than just money.
Our IT is outsourced, so we don’t need cyber insurance
Just like the above, this misconception assumes that the only cyber-attacks cyber insurance can help to protect against are those that breach IT systems, but this isn’t the case.
Much of the time, threat actors use tools that don’t require any network penetration, like social engineering. Using social engineering tactics, threat actors can convince your employees that they’re a representative from a legitimate source before they trick them into sharing sensitive data.
Your initial thought might be that your employees are too educated and tech-savvy to fall for such exploits, but this isn’t the case. In fact, the biggest social engineering attack of all time was orchestrated against Facebook and Google in a scam that set the huge multinational companies back over $100million USD.[2]
What’s more, even the most reputable IT companies have clauses in their contracts designed to protect them from liability should a cyber-attack breach their defences and impact your business. That’s where cyber insurance comes in; cyber insurance has a strong damage control element that would utilise crisis management methods to preserve your reputation while ethically dealing with any customers impacted by the breach. Further, good cyber insurance policies provide additional protection for losses to your business should your IT provider suffer an incident which does not actually transmit to you but does cause you a financial loss.
I’m covered for cyber insurance on a separate, general policy
While it’s true that other policies might partially cover some elements of business cyber protection, it would be a mistake to depend fully on it.
For two years in a row now, cyber threats have been ranked as the top risk to businesses.[3] As our technology and cybersecurity defences advance, so too do the tactics of threat actors grow more sophisticated. Years ago, terms like vishing, ransomware and botnets weren’t in the cyber lexicon, because they didn’t exist; today, they’re problems that loom large for any modern business.
The cyber world is developing rapidly, and that means the threats facing businesses will continue to advance. It would therefore be inadvisable to rest your business’s cybersecurity on a policy that neither understands nor covers your business from the sophisticated threats it faces, now and in the future.
Cyber insurance is too expensive
Just like any other form of insurance on the market, cyber protection varies in cost. There is no one-size-fits-all solution because different companies face different threats, e.g., a power plant company will face a different set of cyber risks to an IT company. Your cyber insurance policy should therefore be able to reflect your business’s individual needs.
But there’s a bigger question at hand. Instead of, ‘is cyber insurance too expensive?’ a better question to ask would be, ‘what costs would my business face if it suffered a cyberbreach?’ Not just the monetary cost, either, but the cost to your reputation and even the trust of your customers. Is this a cost that your business could afford?
Cyber insurance from Towergate
If you have any questions about protecting your business against a cyber-attack, please contact your local Towergate office who will be happy to help.
Sources
[1] www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf
[2] 15 Examples of Real Social Engineering Attacks - Updated 2023 (tessian.com)
[3] https://www.cfc.com/en-gb/resources/articles/2024/01/is-cyber-insurance-worth-it
