As a CIO, I always struggled with the value of cyber insurance. The question of cost versus value kept me at a stalemate. On one hand, I was told that having this insurance was a must in case of a data breach, but on the other hand, it would be nearly impossible to prove what was needed to ensure a payout if a data breach occurred.
In the midst of this conundrum, there was one guarantee I had to ensure – do everything in my power to protect the organization’s data and ensure continued operations no matter what attack surfaced. The organization's stakeholders expected this much and held me accountable. It was my responsibility to protect against inevitable attacks and to be sure data was protected from theft. In the case of a breach, I was required to set expectations and a timely path to normal operations, protecting and minimizing financial strain on the company.
As I weighed my options, here are a few pros and cons I noted:
- Possible financial recovery or reduction of losses.
- More assurance or confidence from leadership.
- May provide assistance in communication and remediation of a breach.
- Cyber insurance does not replace the need for proper protection being in place, so it’s another added cost.
- Demonstrating information to regain losses can be complex and not guaranteed.
- Compensation from a breach doesn’t rectify confidential data losses.
At the time, I decided to not purchase cyber insurance, but in retrospect, I’m unsure if that was the right decision. If I were to weigh this decision today, I would make sure to research cyber insurance providers, understand what is required to ensure a payout in case of attack and add this protection to my arsenal as I build the cyber security strategy.
What are your thoughts on cyber insurance?