Cybersecurity Insurance Enables Bad Cybersecurity Posture

Posted on by Roderick Chambers, CISSP, CISM

Over the past few months, we have seen ransomware hijack the cyberthreats show, impacting businesses and organizations of all sizes and industries. No one is off-limits. Not surprisingly, many of the organizations that I discuss ransomware guidance with are curious about cybersecurity insurance. To those organizations, I pose this question: While insurance provides practical financial protection, does it become a crutch for vulnerable organizations instead of empowering them to be better stewards of information?

Security Is Often Difficult to Quantify
Security is not a revenue-generating line item for organizations. Chief Information Security Officers (CISOs) and security leaders are often bound by tight budgets. They have to make do with the personnel and technology they can afford, which is typically not enough. CISOs worry about hidden security gaps and evolving attacks and vulnerabilities, and they struggle to find solutions that deliver better visibility into their organization's attack surface. Forward-looking CISOs want a system that can help them be more data-driven and quantify cybersecurity-related risks. It is common for a cyberattack to shake the nerves of organizational leadership, causing them to reprioritize and finally award their CISOs the budgets and authority for technology, personnel and subject-matter experts to conduct risk assessments and penetration tests. In the meantime, before any cyber event has been detected, cybersecurity insurance is what gets discussed.

Ransomware is trending in 2021, but it is only a subset of a bigger problem: security breaches. Major organizations that experience security breaches garner a news presence. These breaches are often reported and counted toward the global attack trends. But how many security breaches of smaller-sized companies go undetected? Small and medium-sized organizations are targeted more often. They are more likely to comply with the threat actor's demands for payment (usually in Bitcoin) to reclaim access to the organization's data, despite the reality that paying the ransom is no guarantee the victimized organization will regain access to its data.

Organizations should be focused on maturing their security posture and investing in technology and people to secure the organization and its assets. Until an organization falls victim to a cyberattack, there is a misconception that consumer data, such as names, addresses, telephone numbers, credit card numbers and bank information, is the only thing these criminals are after. This is not true. Security breaches impact the trusted CIA triad, which is the confidentiality, integrity and availability of information that an organization is responsible for and is obligated to protect on behalf of the consumer.

Where Does Cybersecurity Insurance Fit into the Process?
To make up for security gaps, companies with stubborn organizational boards or razor-thin budgets might invest in cybersecurity insurance to cover the ransom and operational costs associated with a breach. In reality, cybersecurity insurance provides a false sense of security. While cybersecurity is a maturing industry, carriers are already revising their coverage for cyberattacks. For example, in France, global insurance giants such as AXA will stop writing cyber-insurance policies that reimburse customers for extortion payments made to ransomware criminals. This is one example; however, with time, cybersecurity insurers will enforce minimum standards, which will develop into best practices.

A Mature Approach to Cybersecurity Insurance
We have all acquired insurance for homes, vehicles, health and even our lives. But consider: when we are driving a vehicle and the oil light appears, or we have low air pressure in a tire, what do we do? We fix the problem and spend the money for an oil change or new tires to lower our risk of an accident. Now consider the organization as the CISO's house. If the roof leaks when it rains, or the back door has an old lock that isn't secure, we spend the money to prevent damage or theft. But wait, we have insurance. Why fix the problems when we can submit an insurance claim for damage? Because your insurance provider, at some point, will remove you from coverage.

Roderick Chambers, CISSP, CISM is an Information Security and Intelligence Advisor at the New York State Department of Financial Services.

