As cyber threats proliferate across IT and operational technology (OT) environments, organizations seek to better understand their cyber risk exposures and how to mitigate them. Insurance plays a pivotal yet often misunderstood role in protecting against losses from breaches, ransomware, and industrial control system attacks. Cyber insurance should be
one component within an overall risk management strategy.
According to veteran insurance professional Rogan Dwyer, formerly of Lloyd’s of London, whom we interviewed on a recent podcast; companies too often view their cyber policy as their primary line of defense rather than the last resort when other safeguards fail. This misconception leaves dangerous coverage gaps once an incident occurs. He explains that insurance should function as a last resort once other controls fail rather than a wholesale transfer of liability to the carrier.
Boards must take greater responsibility for fully grasping the protections that policies actually provide, along with their limitations.
Dwyer advises boards of directors to actively participate in crafting an insurance strategy tied closely to internal cybersecurity and technology frameworks. He advises that Boards must take greater responsibility for fully grasping the protections that policies actually provide, along with their limitations. It still requires policy holders to implement proactive security and incident response capabilities across their IT and OT organizations and technologies internally.
The reality is, insurers themselves struggle to keep pacewith the current rate and complexity of cyber threats, applying outdated methods ill-suited for this dynamic landscape. Annual applications supply minimal data for underwriting while focusing heavily on affirmative risks like property damage rather than silent non-affirmative risks that prove more costly, like business interruption from unplanned or unscheduled downtime – whether from an external cyber event or internal causes. Audits happen sporadically, revealing an organizations’ true vulnerabilities only after attacks have already occurred.
Cyber insurance holds value in financially backing specific elements of risk such as covering costs, lost revenues, and legal liabilities from an attack. But the actual policies contain intricate exclusions and provisions that make claims difficult to process and collect on. Dwyer advises
boards of directors to actively participate in crafting an insurance strategy tied closely to internal cybersecurity and technology frameworks.
Dwyer also advocates collaborative education for underwriters regarding current threats and security best practices, allowing development of smarter cyber insurance offerings. By partnering more closely with brokers and clients to understand precise exposures, underwriters can go beyond narrow constraints that incentivize only maximizing policy sales.
Consultative loss prevention and inventory assessments further align all sides in better managing ongoing risk.
Adopting this approach shifts the industry away from simply reacting to past losses through subsequent rate hikes. Instead, it fosters tighter relationships where insurers proactively seek out clients that are committed to shoring up defenses – ultimately benefiting everyone. This results in carriers gaining premium volume from a more solid book of business with fewer claims. Organizations gain stronger cyber resilience alongside insurance as the backstop rather than the only safeguard in protecting their organization in the event of an adverse cyber event.
In effect, cyber insurance transforms from a narrow indemnification instrument to a vehicle promoting more comprehensive cybersecurity protection across the entire business ecosystem. However, this requires insurers embracing change and enterprise leadership getting more actively involved to better understand and secure both IT and OT environments.
Only then can insurance fulfill its purpose in mitigating cyber risk without becoming either an excuse for managerial complacency or a source of unpleasant surprises when disasters strike.
The key takeaway for organizations is to recognize that cyber insurance works best when embedded into a broader risk management strategy with strong security foundations already in place. While beneficial as a supplemental backstop, relying wholly on insurance to transfer responsibility for protecting critical infrastructure or manufacturing operations, is a high stakes
gamble. Staying invested alongside carriers in transparent information exchange and continuity planning improves the odds of sustaining better resilience and protection should it be needed, in the long run.