The answer to both of these questions is easy: Yes. Your organization should have cyber insurance (for a variety of reasons). According to CyberInsureOne, 27% of US firms have no plans to purchase cybersecurity insurance, only 8% of manufacturing companies have it, and only 50% of healthcare-related organizations are cyber-insured. This is despite the fact that the two greatest threats detailed above target exactly these two verticals – wire fraud in manufacturing and ransomware in healthcare.
Currently, because the insurance companies want to sell the insurance to these threatened companies, the cost of cybersecurity insurance is very low. Making sure that you have the RIGHT insurance with an appropriate level of coverage is a challenge. As a result, we work with several insurance brokers to identify the best practices for good cybersecurity insurance coverage. Like many of the questions presented here, determining the correct level of coverage depends upon an awareness of the threats and risks facing an organization. Ultimately, there are three things an organization can do with risk – they can address it directly by making a change or implementing a tool, they can insure themselves to address the risk (in the insurance industry they refer to this as “transferring” the risk), or they can just decide to “assume” the risk and hope it doesn’t happen.
The holy grail of information security is strong alignment with the business. Everyone has access to the tools and data they need to do their work (but no more), the data and services are available when needed, and the data, and the analysis of that data, are trustworthy and accurate. Striking the balance between protection and convenience (and monetary cost, frankly) is the difficult part.