With cyberattacks rising at an alarming rate around the world, cyber insurance has become an increasingly popular layer of protection for businesses across all sectors. However, despite its clear appeal as a means of supporting and augmenting cyber risk management, insurance might not be the right fit for all companies in every circumstance. In fact, there are compelling reasons why some might be advised to avoid, delay, or at least seriously reconsider buying or renewing a policy: increasing costs, stringent requirements, coverage limitations, and general complexities are but a few.

In December 2022, Zurich CEO Mario Greco stated that cyberattacks are becoming “uninsurable,” telling the Financial Times that governments need to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those in some jurisdictions for earthquakes or terror attacks.” This remark should be taken with a pinch of salt, as neither Greco nor Zurich specialize in cyber risk, but it does exemplify the increasing uncertainty surrounding cyber insurance and its viability for some businesses.

“Sometimes when industry topics really take off and grab a lot of attention, they can end up being widely spoken about without being widely understood; this is the case with cyber insurance,” says Manoj Bhatt, head of cybersecurity and networks at Telstra Purple and an advisory board member of ClubCISO. “While threat vectors increase and develop, cyber insurance offerings are also subject to a lot of change.
This means that, from a business standpoint as well as a security one, it’s important to take the time to fully weigh up the value that a particular cyber insurance policy will bring to your organization, and how quickly the coverage may age.”

Here are 7 reasons why you may want to avoid or delay investing in cyber insurance.

Incident remediation may be cheaper than insurance premiums

Two things organizations might want to consider right off the bat when contemplating an insurance policy are the cost to and benefit for the business, SecAlliance Director of Intelligence Mick Reynolds tells CSO. “When looking at cost, the recent spate of ransomware attacks globally has seen massive increases in premiums for firms wishing to include coverage of such events. Renewal quotes have, in some cases, increased from around £100,000 ($120,000) to over £1.5 million ($1.8 million). Such massive increases in premiums, for no perceived increase in coverage, are starting now to be challenged by board risk committees as to the overall value they provide, with some now deciding that accepting exposure to major cyber events such as ransomware is preferable to the cost of the associated policy.”

As for benefits to the business, insurance is primarily taken out to cover losses incurred during a major cyber event, and 99% of the time these losses are quantifiable and relate predominantly to response and recovery costs, Reynolds says. “Given that a high percentage of cyber events can be remediated for less cost than the current high premiums being charged for cyber insurance, it is understandable that firms are now questioning the value of such investments.
Whilst ransomware attacks are still occurring frequently, operational resilience functions are increasing the ability of firms to survive such an event relatively unscathed.”

This increasing cybersecurity maturity means that coverage for these types of events is only necessary to cover the risk of indirect costs such as regulatory fines, loss of market position, and customer reparations, Reynolds adds. While these indirect costs can have a massive impact on a firm’s liquidity should they not be covered by cyber insurance, given the low likelihood of manifesting, they will likely be considered wildcard events that do not necessarily justify high premiums, Reynolds says. “In an era where businesses are being forced to make cuts in their budgets, providing coverage at huge cost for perceived low-frequency events is hard to justify.”

There are also occasions where the policy excess will outstrip the cost of making the claim, and therefore it may be easier to consider dealing with the attack outside of the insurance process, adds Bhatt.

Ransomware coverage increasingly being scaled back

Ransomware attacks are one of the biggest cyber threats companies face given their prevalence, increasing sophistication, and potential to cause widespread damage. The increased risks posed by ransomware attacks in recent years have made cyber insurance even more appealing. However, most insurers no longer cover all the potential losses from ransomware attacks, Jon Miller, co-founder of Halcyon, says. This means investing in cyber insurance specifically for ransomware protection could be a costly mistake.

“With so many variables in a ransomware attack, insurance providers find it difficult to quantify the real risk of ransomware to accurately set premiums. For cyber insurance policies that do offer ransomware coverage, most will no longer cover the ransom payment (they can vary too wildly, so it is too hard to define actuarially).
Only after a ransomware attack hits an organization do they find that the policy will only cover a fraction of the remediation and recovery costs.”

Nation-state attack exclusions and attribution challenges

Exclusions relating to state-backed attacks are also clouding the cyber insurance waters and could make businesses question the viability of policies. Last year, insurance marketplace Lloyd’s of London announced cyber insurance exclusions to coverage for “catastrophic” state-backed attacks from 2023. In a market bulletin published on August 16, 2022, Lloyd’s stated that whilst it “remains strongly supportive of the writing of cyberattack cover” it recognizes that “cyber-related business continues to be an evolving risk.” Therefore, the company will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack, in accordance with several requirements.

One of the challenges for organizations is to establish attribution of an attack to a nation-state, says Jonathan Armstrong, a lawyer and partner at compliance firm Cordery. “Whilst with specialist help you can often say that there are indicators of nation-state involvement, we know it’s hard to be certain. It’s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case.”

In an analysis of the Lloyd’s of London decision to exclude nation-state attacks from coverage in August 2022, Red Goat cybersecurity consultant Lisa Forte points out that insurers may unilaterally decide what are and are not nation-state attacks. “It has been claimed in the sea of analysis on this decision that the attack won’t necessarily need official attribution to be excluded from the policy coverage,” Forte writes.
“So, the insurer could claim that the attack is excluded because it is ‘reasonable’ to attribute it to a nation-state. Not the clarity we perhaps wanted!”

Your business is already self-insured for cyber risks

Some companies may want to avoid paying for cyber insurance because they already benefit from certain types of coverage that protect them from a cyber risk perspective, says Philip D. Harris, research director, risk, advisory, management, and privacy at IDC. “Some large organizations and even some smaller local governments are able to draw from an already established pool of funds set aside for these types of events,” he tells CSO. “Large organizations with large amounts of cash on hand can set aside these funds in the event of major events the organization has to deal with. Likewise, smaller local governments that are unable to afford cyber insurance [outright] may have taken it upon themselves to put together a consortium of smaller local governments that each fund a pool of dollars that are used in the event of major cyber events.”

Your cyber insurance investment is based on an insurer’s questionnaire

Harris also warns companies against throwing money at a cyber insurance policy if their decision to invest is based solely on the completion of a cyber insurer’s questionnaire to determine their security posture. “The cyber insurers that require customers to fill out their cybersecurity questionnaire are ultimately only getting a limited, point-in-time view of the insured’s security posture,” he says.
“Companies that have not had a professional cybersecurity services vendor complete a detailed assessment to have a complete picture of deficiencies, plans to remediate, and an ongoing roadmap for improvement are doing themselves a disservice by depending upon a somewhat generalized security questionnaire.”

He believes that insurers should just stick to insurance and let qualified cybersecurity service vendors handle the assessment of the insured’s cybersecurity posture. “Armed with this detailed assessment, the insurer can then take a serious look at the customer and potentially offer better premiums that make sense.”

You can’t comply with policy requirements

For a cyber insurance policy to be in force and valid, an organization needs to have an extensive accounting of its security program, Miller says. “If the organization is out of compliance when it comes time to submit a claim — for example, if it did not apply patches in a timely manner or if it misconfigured security applications — it will quickly find that its policy coverage is useless.” Pete Bowers, COO of NormCyber, agrees. “Organizations must put in place a comprehensive program — covering people, process, and technology controls — to shore up their overall cyber defenses. Until they do this, cyber insurance, as the sole mechanism to transfer and mitigate the risk, is not the right choice.”

Investment is better spent on improving your security posture

A final deciding factor in choosing not to invest in cyber insurance is simply that the money could be put to better use by improving an organization’s overall security posture and cyber resilience. “Zero coverage may be daunting, but the removal of the perceived safety net that insurance provides may be exactly what organizations need – a wake-up call to make their business more secure,” Sean Moran, researcher and writer at JUMPSEC, writes in a blog post.
“Not by checking compliance boxes to satisfy insurers, or relying on minimum standard annual testing, but by implementing controls that will make their organization more resilient to attack.”

Organizations opting against cyber insurance for 2023 should reinvest in their holistic cyber defense capabilities, ensuring that the potential impact of a breach can be minimized, he adds. This includes testing backups; effective identity and access management, and network segmentation; a well-established recovery plan; assessing which business components are most likely to be targeted by an attacker; and targeted prevention, detection, and response controls, Moran adds.