IT insurance and responsibility

Another 9% plan to purchase insurance and 26% are at least discussing it, as shown in the Survey of the industry association Bitkom. For almost half of the companies surveyed (49%), however, a cybercrime policy is not currently an issue.

Roland Messmer from LogRhythm comments: "Of course, this topic begs comparison with the omnipresent car insurance. And just as with the latter, insurance against the consequences of IT incidents is not a license to neglect IT security from now on. No driver, no matter how well insured, can afford to ignore all the applicable rules, regulations and empirical values in the day-to-day business of road traffic and thus put material and existential values for his environment and himself at risk.

Insurance to cover consequential damage in the event of hacker attacks, acts of sabotage, and technical and operating errors does not absolve companies of their responsibility to their customers for the security of their data and to themselves for the availability and functionality of their IT systems. And this responsibility cannot be delegated."

From this perspective, insurance against IT risks is a building block of IT security that needs to be built on a solid foundation. And this foundation includes end-to-end encryption concepts, the use of intelligent security tools for continuous monitoring of the IT infrastructure in real time, proper identity and patch management, and a professional emergency plan that takes effect if an incident occurs.

Messmer emphasizes: "A cybercrime policy can therefore be a useful addition to a coherent security concept as protection against an unavoidable residual risk, but it can never replace it. Before a company considers taking out such an insurance policy, it should first critically check whether it has really done its homework. After all, motor vehicle insurance does not release drivers from their obligations to have a valid driver's license and to have their vehicles regularly inspected by the TÜV."