By Allison (Allie) Pan,
Senior Vice President, Emerging Risks, Marsh Advisory
04/11/2024 · 7 minute read
Today’s digital-dependent world consists of unrelenting cyber threats. At the same time, macroeconomic conditions may place senior leaders under enormous pressure to reduce risk while managing constricted budgets. This can lead to senior leaders considering whether to invest in cybersecurity controls or purchase cyber coverage.
Instead of an either-or choice, organizations should strike a balance through a two-pronged approach to financially prudent cyber resiliency. This consists of investing in cybersecurity controls while purchasing insurance that aligns with risk tolerance to cover losses following a potential cyber incident.
The average cost of a data breach globally was US $4.45 million in 2023, increasing by 15% over a three-year period. The average cost of a data breach in the US was more than double, at US $9.48 million.
Source: IBM’s Cost of a Data Breach Report 2023.
With cyber risks considered among the top challenges as outlined in this year’s Global Risks Report, it is critical for organizations to take actions that can help them mitigate and manage their cyber risk and improve their ability to effectively recover in case they are impacted by a cyber event.
But what steps can organizations take? The needed actions fall into three broad categories that make up the basis of risk management.
Cybersecurity programs help organizations by reducing their attack surface, defending against threats, securing and encrypting data, segmenting or isolating critical systems, and limiting privileged access, to name a few. Robust cybersecurity programs — and their governance — are critical, and for public companies no longer optional. However, cybersecurity budgets are often insufficient to cover the considerable non-technology costs needed to respond and recover from a cyber incident. Additionally, putting new or enhanced cyber controls into place may take years, meaning that cybersecurity investments may not yield immediate risk reduction benefits, leaving a gap that insurance could help cover.
Cyber and technology errors and omissions insurance can provide post-incident financial protection, by transferring myriad costs associated with system failures or security breaches off an organization’s own balance sheet. Crucially, these insurance programs can cover non-technology costs, including potential legal liability to third parties, regulatory costs, lost income, increased marketing costs to stem customer attrition, and costs to comply with breach notification laws. Transferring these losses helps protect the balance sheet and preserve financial health.
Finally, organizations should evaluate, ideally quantitatively, their material cyber or technology risks. This analysis should assess how existing or expanded controls might decrease that implicit risk, what transfer programs are optimal in coverage and efficiency, and finally quantify the residual risk they can bear on their balance sheets.
A balanced approach is particularly important amidst increased recognition that even the most advanced security controls may not stop all threat actors or mitigate all human error. Simply put, the best controls may not be enough. Strong cybersecurity programs may reduce the likelihood or impact of a cyber event, but they are never event-proof. When losses do occur, an adequate cyber insurance program provides yet another layer of resiliency to help organizations respond and recover.
Nearly three-quarters of data breaches include a human element. Humans are fallible and some degree of cyber risk is inevitable, underscoring the idea that risk can never be completely mitigated.
Source: Verizon's 2023 Data Breach Investigations Report (DBIR)
A healthcare organization had invested US $7 million to enhance cybersecurity controls and practices, successfully elevating its maturity level, according to National Institute of Standards and Technology (NIST) standards. The achieved risk reduction was calculated to have saved the organization approximately US $25 million and was necessary to meet the requirements of insurers, which appear to be increasingly evaluating organizations’ cybersecurity measures before providing a quote.
The organization’s leaders recognized that it was not possible to eliminate all cyber threats and that residual risk would remain, despite investments in cybersecurity. They decided to supplement security efforts by investing US $1.3 million in cyber insurance, which was also required from a compliance perspective.
The decision to purchase a fairly large limit allowed the organization to transfer US $56 million in potential cyber risk off its balance sheet — a cost reduction that could not be achieved by investing the same amount in cyber controls. Cognizant of the potential benefits of cyber insurance, the chief information security officer (CISO) advocated for a US $10 million limit increase, which provided emergency funds that could be tapped in the event of a cyber incident.
Having a cyber insurance program in place allowed the organization to continue its multiyear investment strategy to improve its already comprehensive cybersecurity processes.
Considering what’s at stake, how can organizations make informed, financially prudent cyber risk management decisions, especially when security experts and risk management professionals may disagree on how to allocate limited budget between security solutions and risk transfer products? To help make objective, informed decisions, senior leaders should consider the following questions.
A cyber event is often an unbudgeted expense for organizations, with financial ramifications as organizations work to identify and stop the threat, and also recover from the event. Consider not only technology costs, but also other remediation expenses, including potential legal costs and third-party liability. Would the organization be able to fund these costs without material impact to its financial results or the need to secure additional funding?
Work with your risk advisor to clarify any misconceptions about cyber insurance and gain a clear understanding of what is typically covered. Your advisor should be able to clarify the services that cyber insurance typically pays for following a breach, such as costs incurred to notify clients or regulators, and which would need to be absorbed by your organization in the absence of coverage. It is important to note that most insurers continue to provide robust coverage that should respond well to cyberattacks.
There are often misconceptions associated with the cost of sufficient cyber insurance limits. While insurance can appear expensive, purchasing a program with adequate limits to cover expenses following a breach is often a fraction of the costs associated with recovery. Also note that the cost savings from obtaining less coverage may not be sufficient to allow an organization to make significant and speedy improvements to its cybersecurity posture.
While cyber insurance applications can be time-consuming to complete, the detailed information that is typically required is often already available. Cyber insurance applications are typically commensurate with other data requests from clients, lenders, or others. Further, although it can be laborious to gather the data the first time around, this typically gets easier in subsequent renewals. Your insurance advisor may be able to guide you in answering the questions and providing insurers with all relevant information to facilitate the application process.