Cyber Insurance: Navigating the New Normal

Cybersecurity insurance. I genuinely do not understand why people still treat this as optional. You have car insurance, house insurance, maybe health insurance. Yet somehow cyber insurance is viewed like an add-on instead of a basic business safeguard.
Here is the blunt truth. It is not a magical shield that makes you immune to attack. Please never let me hear the words "I do not need cybersecurity because I have cyber insurance." That is spurious at best and fallacious at worst.
Cyber insurance is a financial backstop. It gives you access to teams, tools, responders, and funding to attempt a recovery. But if your systems and processes are rubbish before things go bang, none of that will matter. If your backups are misconfigured, you cannot unbreak that egg regardless of how much money you throw at the problem.
Brokers are not handing out policies like showbags anymore. (And yes, I miss the Bertie Beetle bag as much as anyone). The risk landscape has shifted. Insurers want evidence. Questionnaires. Proof of controls. Proper configurations. And you need to be honest with your responses, because the alternative is insurance fraud or denial of a claim.
Incident response plans are now non-optional. Underwriters want to know you actually understand what to do, not that you think you understand what to do. Yes, some organisations still squeak through with poor controls, but they pay for it with brutal premiums and eye-watering excesses.
I have seen organisations dropped entirely because their posture was so weak the underwriter refused to carry them any longer. Fixing that means identifying what underwriters need to see and building governance that actually inspires confidence. Poor governance equals expensive premiums. And losing coverage entirely is worse.
Insurance does not remove accountability. Regulators will still hold you liable if you have not taken reasonable steps. A policy will not save you from penalties or brand damage if the investigation shows your controls were inadequate.
Your incident response plan must be rehearsed. Validated. Tabletop tested. When things go sideways, minutes matter. You need clarity on who calls whom, when they call, and who is authorised to make decisions.
And when you take out a policy, use a broker who understands cyber insurance. Coverage gaps are everywhere. Social engineering. Crime. Supply chain incidents. Data restoration limits. Ransomware negotiation. If you do not know what is excluded, you do not have a strategy. You have a wish.
Cyber insurance works best as part of a broad risk management strategy. Governance, controls, and testing create resilience. Remove one of those three and you are sitting on a two-legged stool. That is not a stool. That is a flop.
If your organisation has never run a tabletop exercise, reach out. I am happy to talk you through how they work and how they can strengthen your resilience.
