Cyber insurance has been in the news a lot lately, especially insurers – some being attacked and subsequently paying millions, to others declaring they will no longer cover ransomware claims and subsequently being attacked. Likewise, a recent report by the GAO (covered in today’s Security & Resilience Update) sheds some light and challenges for the future of this valuable risk management service. However, like many other risk management strategies, cyber insurance is meant to help reduce risks posed by and improve resilience to cyber threats. It is a tool in the toolbox. Cyber insurance is not a silver bullet that absolves organizations of risk to cyber threats or the responsibility to employ further activities to improve cybersecurity posture. Similar to outsourcing services – while you can outsource IT or cybersecurity services, you cannot outsource technology/cyber risk. Likewise, not knowing your cyber risk isn’t a defensible position either. Indeed, many cyber insurance policies require policy holders to fulfill even the most basic cyber hygiene requirements and have even been denied claims when it’s revealed that they haven’t held up their end of the contract. As Crowdstrike aptly states, cyber insurance is not intended to cover a company’s gross negligence for ignoring their cyber risk. Rather, it is there to cover risks that exist even after reasonable efforts have been made to minimize those risks. Read more at Crowdstrike.