Cyber Insurance is NOT a Substitute for Cybersecurity

Neelesh Kripalani, Sr. VP & Head, Center of Excellence – Clover Infotech

The article explains why having cyber insurance is not enough to protect an organisation from cyber threats and how proactive cybersecurity is the need of the hour.

COVID-19-related cyberattacks have proliferated since the beginning of 2020. With millions of people working from home in the wake of the coronavirus pandemic, the gaps in the cybersecurity ecosystem have become apparent. Cyber criminals and nation-state actors have been presented with an exponential growth in access points through which to penetrate corporate systems, and this leaves many organizations vulnerable to cyberattacks. Employees as well as organizations consider themselves too trivial a target until they finally fall prey to an attack.

Advancements in technologies such as artificial intelligence (AI) and machine learning (ML) are helping organizations grow; however, these are the same technologies being adapted by hackers to launch well-planned and sophisticated cyberattacks. This has created a huge demand for cyber insurance that protects a business or organization against the costs associated with data breaches.

What does cyber insurance cover?

Cyber insurance generally covers your business's liability for an electronic data breach involving sensitive information regarding your customers or employees. In addition, it provides cover against loss or damage to multimedia and media liability, extortion liability, network security liability, regulatory proceedings, etc.

What it does not (or cannot) cover

The various covers under cyber insurance can provide a shield against financial losses only up to a certain extent. What it cannot cover is the loss of reputation, no matter how fat the insurance policy is. Although some policies cover the costs you incur for marketing and public relations to protect your company's reputation following a cyberattack or a data breach, it is difficult to predict the cost of crisis management, and hence getting yourself insured against such losses is not easy. It is also a time-consuming process, which can hamper your business growth in the interim.

Thus, cyber insurance should NOT be considered a substitute for cybersecurity. In fact, 'bad security policies' is one of the general exclusions in cyber insurance. Organizations are mandated to implement proper cybersecurity measures and adhere to strict policies; otherwise, the claim can be rejected by the insurance company.

Can cyber insurance help to improve cybersecurity?

Not directly, but as mentioned above, it can have an indirect impact, as the insurance company would demand that an organization has assessed its vulnerability to cyberattacks and has implemented the best practices to protect itself against them. The insurance provider may then decide to curate a package for the organization, offering more coverage at lower premiums for following the best practices in cybersecurity.

Proactive cybersecurity is the need of the hour

Larger cyberattacks generally garner a lot of media attention, but small and medium-sized organizations are also being targeted almost as frequently as their larger counterparts. SMEs consider cybersecurity an afterthought, making them an easy target for cyber criminals. However, COVID-19 has woken the SMEs up from their cybersecurity slumber. The rise in cyberattacks during the pandemic has caused a change in attitude, and now large enterprises as well as SMEs are becoming much more concerned about cybersecurity than before. As more and more companies start seeing remote work as the new normal, proactive cybersecurity has become the need of the hour. The organizations that haven't yet realized the gravity of the situation and are still not putting a cybersecurity policy in place will become soft targets for hackers sooner or later.


Cyber insurance is NOT a substitute for cybersecurity. One can count on cyber insurance to recover the financial losses up to a certain extent, but the damage to reputation from a cyberattack is almost irreversible. Thus, it is imperative for all organizations, irrespective of their size, to have end-to-end cybersecurity measures in place, coupled with a comprehensive cyber insurance policy.