We could spend this time discussing the merits of cybersecurity insurance vs IRR (Incident Response and Remediation) protocols. But we would be writing about a false dichotomy. A strong cybersecurity approach requires alignment between prevention and coverage.
Unfortunately, a lot of people think along these lines instead:
- “If I have a good plan in place, then I’ll be ok.”
- “If I have insurance, I’ll be covered.”
Neither of those statements is true. You need to align both your IRR and your insurance for full cybersecurity protection.
The Threat Landscape Demands More of Businesses Every Day
Cybersecurity clauses have started appearing on most, if not all, corporate business contracts, even if that business model is not IT-centric.
With today’s threat landscapes, it’s no longer a question of if an attack will occur, it’s a question of when. Consequently, you need a mitigation and response plan as well as insurance to protect your critical data and, ultimately, your brand and livelihood. Security clauses, at their most fundamental level, delineate responsibility (i.e. “we’ll only be responsible for [X], but you have to meet [these criteria]”). These clauses spell out clearly who will be liable for what damage when it occurs.
Consider, too, the recent international pressures of GDPR where your company faces heavy fines of up to €20 Million or 4% of yearly revenue if an infringement (such as a data breach) occurs. Moreover, GDPR enforcers won’t just charge you a fine per event; there is a separate fine for each tier of end-user information that is irretrievable (e.g. phone number, email address, social security number, etc.).
Those little bits of data add up fast, especially when you consider the exponential rate of the fines with each user. To keep your business running, it’s not feasible to stop doing business with European countries, but you also won’t be able to stay afloat if a catastrophic breach hits you and breaks your GDPR compliance.
This is what’s at stake. Now, here’s how you mitigate it.
Incident Response and Remediation
IRR, or Incident Response and Remediation, is a customized, industry-informed mitigation plan that your company should closely follow during a breach scenario or other form of cyberattack.
Having a step-by-step outline of response protocols for key business areas keeps your IT and security teams on the same page during high-stakes situations. This process alignment is critical; your team’s accuracy and responsiveness can be the difference between a successful response and your company’s name plastered on the front page of cybersecurity news.
While IRR isn’t a requirement in all cases, it’s good sense to have a plan in place.
Selecting an insurance policy for any asset is a bit of an art. You don’t want to overpay for incidents that aren’t likely to happen, but you also want enough coverage for rare instances when they do occur. Cybersecurity insurance is no different.
You need to ensure that your security insurance covers more than just the essentials and the most likely incidents. You need coverage for every scenario outlined in your IRR guide (e.g. if you have a plan for a firewall breach that leaks sensitive information, you should also have an insurance policy to match). Insurance helps to soften the financial blow and keep you in compliance where possible, but insurance alone does not protect your brand or your networks from the root cause of harm.
It’s Not Cybersecurity Insurance vs IRR, It’s Both/And
If you don’t have a comprehensive remediation plan when disaster strikes, then you’re much more likely to break compliance strictures and lose critical data to the dark web. Conversely (and yet simultaneously), if you don’t have an inclusive insurance policy that protects your finances and business efficacy, then you might very well not have a business to even protect in the future.
In short, you should never implement cybersecurity insurance to the detriment (or in replacement) of your IRR; rather, it should be in support of your response and remediation protocols. One does not replace the need for the other—you should optimize your IRR and a cybersecurity insurance policy to work together. Let’s change the face of the debate of cybersecurity insurance vs IRR.