Cyber Insurance won't stop you getting hacked
Imagine driving a car at 100mph into a line of stationary traffic, but then going “it’s ok, I’ve got insurance”.
Car insurance doesn’t make your driving style inherently safer, nor does it give the roadworthiness of your vehicle an extra seal of approval. We’re still required to drive with due care and attention, and to ensure our vehicle is safe to drive.
We don’t use insurance in this way for our car, so why should we use it this way in the cyber domain?
Cyber insurance is there to cover some of the financial costs of a cyber attack. But business disruption and reputational impact are now much larger components of that cost in the era of ransomware: figures suggest the total cost of recovering from a ransomware attack is often around seven times the ransom payment itself, with the ransom making up roughly 15% of the total (https://www.bleepingcomputer.com/news/security/ransom-payment-is-roughly-15-percent-of-the-total-cost-of-ransomware-attacks/amp/). So is cyber insurance alone an appropriate risk mitigation strategy? Surely not.
Arguably, there is evidence that having cyber insurance actually makes you a greater target for ransomware, because attackers can be more confident of a payout: https://grahamcluley.com/ransomware-gang-says-it-targets-firms-with-cyber-insurance
Whilst I’ll accept there are some indirect benefits, such as the threat of higher premiums driving better baseline standards, getting cyber insurance should never be the first step in building a more secure and resilient system. I’m not saying it isn’t worth considering as the final layer of top-cover, but it should come only after you’ve taken steps, covering people, process and technology, to be as proactively secure as you can be.
Technology should be deployed to be Fail-Safe, not Fail-Fingers-crossed.