Cybersecurity compliance vs. cyber insurance: Where does one end and the other begin?

Responsible building owners know that fire insurance is no replacement for compliance with building codes and regulations. With property and lives at stake, property managers must implement community safety guidelines, conduct fire drills, ensure that smoke detectors are still working, and confirm that fire extinguishers are accessible and not yet expired.

In short, they must exercise responsibility for what is within their control. For things outside of their control, such as a lightning strike or a raging wildfire, that’s where fire insurance comes in.

In the same manner, cyber insurance is not a replacement for the disciplined implementation of cybersecurity controls. It exists because cybercrime is an ever-evolving threat: even well-implemented protections can fall short, and when they do, the costs can be large enough to be catastrophic for a business.

What is cyber insurance?

Also known as cyber liability insurance coverage (CLIC) or cyber risk insurance, cyber insurance covers the often crippling costs of recovering from a cyberattack and its aftermath. This type of insurance is relatively new, so policies differ widely from one insurer to another, and the wording of exclusions matters as much as the headline limit. That said, there are some expenses that cyber insurers commonly cover:


  • Investigation costs – Getting to the bottom of a cybersecurity incident usually requires a third-party incident response or forensics firm. That firm, often in coordination with law enforcement (the FBI in the US, or the local police cybercrime unit), determines the extent of the compromise, how to contain and remediate it, and how to prevent the same type of incident from recurring.
  • Privacy and notification expenses – Privacy legislation such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to notify affected individuals (and, under PIPEDA, the Privacy Commissioner) of breaches that pose a real risk of significant harm. Notifications, call centres, and credit monitoring all incur administrative costs.
  • Business losses – Cyberattacks often cause downtime, and handling the incident pulls staff away from normal operations. Victims also have to pay for data recovery, remediation and new security controls, and reputational damage control, and many policies cover the resulting business interruption losses.
  • Legal, regulatory, and extortion-related expenses – Cyber insurance can cover the following:
    • Regulatory fines and penalties (where the law allows them to be insured)
    • Costs of enforcing intellectual property rights and protecting confidential company information
    • Lawsuits and settlements
    • Cyber extortion payments (such as ransomware demands) and the negotiators that handle them

As can be seen, having cyber insurance helps firms absorb the cost of meeting their obligations under data regulations after a breach. However…

…having cyber insurance doesn’t mean that policyholders can be lax with cybersecurity compliance

After a data breach, a business may be able to recoup the expenses listed above, but productivity will still have been lost, irreplaceable data will still have been compromised, and customers will still have walked away. Sound cybersecurity controls and compliance with mandated data regulations exist to make those losses less likely in the first place; insurance only pays for them after the fact.

Another point to keep in mind is that cyber insurance policies come with limits and exclusions. To illustrate, losses caused by insiders, such as deliberate sabotage by an employee, are commonly excluded, and losses that stem from an employee falling for a phishing or other social-engineering attack are often covered only under a separate, sublimited endorsement, if at all. Breaches that originate at a third-party provider may likewise fall outside coverage. Read the exclusions and sublimits before assuming a given scenario is insured.

Last but definitely not least, as with all types of insurance, cyber insurance applications and claims are subject to scrutiny. Generally speaking, insurers require evidence that you maintain adequate security measures before an application is approved and before covered costs are reimbursed. Many insurers now make specific controls, such as multi-factor authentication on remote access and email, tested offline backups, and endpoint detection and response, a condition of coverage. Be accurate on the application: stating that a control is in place when it is not is a material misrepresentation that can give the insurer grounds to deny a claim or rescind the policy.

To help cyber insurers determine your coverage and premiums, they usually ask about standard business information, such as:

• Nature of your business
• Financial information (e.g., income and asset statements)
• Number of employees

and cybersecurity-related information, such as:

• Types of data handled (in terms of sensitivity) and their respective volumes
• History of data breaches and other cybersecurity incidents
• Use of external cybersecurity firms and/or employment of in-house cybersecurity personnel
• Implementation of data security controls (typically whether MFA, backups, endpoint protection, and a patching process are in place), business continuity plans, and disaster recovery strategies

In short, relying on cyber insurance alone does not secure the longevity of your business. You want both: cybersecurity compliance measures to reduce the likelihood and impact of an incident, and cyber insurance to absorb the costs of the incidents that get through anyway.

Businesses in Toronto trust XBASE’s Exponentially Better™ cybersecurity services to keep them safe from countless cyberthreats. To learn how to give your company the best chances of thwarting cyberattacks, download our eBook.
