Understanding the value and practicality of cyber insurance

As the cyber threat landscape expands, enacting defensive measures against malicious actors is only one part of the solution — in the event of a cyber incident, organizations must also have a recovery plan. For many organizations, cyber insurance is an essential part of that plan. 

Here, Security magazine talks with Nick Kathmann, CISO at LogicGate, about the value and practicalities of implementing cyber insurance. 

Security magazine: Tell us about your career and background. 

Kathmann: From the first time I had access to a computer as a kid in the late 80s, I knew I had a particular knack for working with technology. I started at 7, knew all about modems by 10, and by the age of 13 I was helping to run a popular online bulletin board system (BBS) alongside some friends. Our BBS led us to develop one of the earliest intrusion detection systems (IDS) after we started receiving cyberattacks from a competing BBS; we just developed some code to help detect and divert those attacks. This whole experience was both fun and formative for me — and made it very easy for me to choose a career path in cybersecurity when the time came. I’ve been working in the industry ever since, most recently joining LogicGate as Chief Information Security Officer (CISO) in January 2023 after spending some time in Cybersecurity Director positions at companies including Dell and Virtustream.

Security magazine: What is cyber insurance and what value does it provide to an organization? 

Kathmann: Cyber insurance is like car insurance — but instead of providing individuals with financial protection against vehicular damage, it provides organizations with financial remedies in the event of cyberattacks. Certain cyber insurance policies will also cover operational resilience and other related items, but most also have riders that limit the scope of the payout for certain common incidents (like ransomware attacks). Like any insurance, your payout will depend upon the policy you choose and the precautions you have in place. 

Cyber incidents can be enormously expensive today (IBM’s 2024 Cost of a Data Breach report put the average cost of a breach at $4.88M — a 10% increase over 2023), and cyber insurance provides a way for organizations to transfer some of that risk to another party. Insurers also tend to have access to resources like legal counsel, investigation firms, and other things not all organizations have predefined relations with or retainers on file.

Security magazine: Why should organizations consider cyber insurance?

Kathmann: There are two key reasons why organizations should consider cyber insurance: risk transference and financial assistance. Cyber incidents can quickly become expensive, and most organizations simply don’t have the resources to keep up with cascading losses due to attacks. But with cyber insurance, organizations are able to tap into valuable resources that can help them maintain business continuity, investigate the incident, and cushion the financial blow. This helps shift some of the risk onto the insurance company versus your own organization, allowing leaders to focus on other critical business areas without worry.

Security magazine: Who in an organization should be involved in the decision-making process when it comes to choosing cyber insurance? 

Kathmann: It is the combined job of the CISO, Chief Operating Officer (COO), Chief Financial Officer (CFO), and legal counsel to determine four key items as they shop for best-fit cyber insurance options. First, it is up to the CISO to evaluate the likelihood and technological impact of a successful cyberattack. Next, the COO must determine the impact a cyberattack would have on core business operations. The CFO must then calculate the likely cost of the combined damages stemming from an attack, while legal counsel lays out which liabilities exist in the event of an attack — both contractual and regulatory. These details should be fleshed out well ahead of time through effective risk management and resilience exercises, but the unfortunate reality is that many of today’s businesses do not exhibit that degree of forethought.

Security magazine: Anything else you’d like to add? 

Kathmann: Many cyber insurance providers include a provision that states they will not cover attacks linked to terrorist activity. Given the volume of nation-state attackers flooding today’s threat landscape, this is something businesses should pay attention to. Countries don’t want ransomware payouts to terror groups being used to fund further attacks, and have tried to discourage payments that might be linked to those groups. That said, there are often other resources available to organizations if they are compromised amid terrorist activity, but it’s an important reminder to be aware of any exclusions your insurance policy may include.   
