We don't need cyber insurance, we invest in IT security

This might be the single most common objection to purchasing a cyber insurance policy.

Not purchasing a cyber policy because you have ‘good IT security’ is akin to suggesting that you don’t need theft cover on a property policy because you have high quality locks on your doors, or fire cover because you have a sprinkler system in place.

There is a big difference between vulnerability and risk. And while a client that has invested heavily in IT security may be less vulnerable to certain types of cyber-attack than an organisation that has invested very little, they still have a risk exposure. Cyber threats are rapidly evolving and there are a plethora of ways in which attackers can access networks. Even large corporations that spend vast amounts of money on IT security every year still get hit.

People are often the weakest link in an organisation’s IT security chain. According to IBM, 95% of successful cyber-attacks and incidents are the result of human error¹. Technology and training may reduce the likelihood of an employee accidentally clicking on a malicious link in an email, or being tricked into transferring funds to a fraudster as part of a social engineering attack, but they can’t eliminate those risks completely. And no amount of investment in IT security can stop employees from leaving their laptops on a train or a rogue employee from releasing sensitive data on the internet.

Source: CFC Cyber myths debunked 

1 IBM Cyber Security Intelligence Index 2013