There are four strategies to manage risk, and given the increasing levels of information security risk, all four have become relevant.
Risk can be accepted, mitigated, avoided or transferred. A naive view is that insurance is a way of transferring risk, and in a way this is true. But the cyber insurance market is broadening its offerings to the point where insurers can also contribute to risk reduction by offering ways to manage incidents more effectively.
Cyber insurance as a way to transfer risk
Information security risks are operational risks, and the operational losses they cause can be insured. Historically, operational risk insurance covered some cyber risks as well, but most insurers have reduced that coverage and created separate cybersecurity insurance products.
Because some of the impacts of cyber incidents can be covered by such insurance, this is a form of (partial) risk transfer. But most cyber security incidents have other impacts as well, such as reputational impact and loss of data, which cannot be transferred. The use of cyber insurance as a way to transfer risk is therefore limited. On the other hand, regulations like DORA and NIS2 increase the cyber security liability of executives, including high penalty fees, which could be transferred.
Cyber insurance as a way to mitigate risk
When an incident occurs, the organization needs to respond and recover. Depending on the maturity of your organization, external support should be considered. This can vary from legal support to hands-on technical support. The security industry offers solutions for this via consultancy firms or specialized incident response teams. More and more cyber insurance products are starting to include these services. Because a more effective incident response capability reduces the impact of an incident, and hence the cyber risk, this type of cyber insurance contract helps to mitigate (reduce) risk.
Cyber insurance as a way to demonstrate control
When entering into a cyber insurance contract, the insurer will assess the organization’s control maturity. While this creates overhead and a burden for your organization, it can be useful. Having cyber insurance provides other stakeholders of the organization with some assurance and transparency about the level of control. In some industries, customers can only do business with insured organizations. Certain events in the life cycle of a company can benefit from higher levels of transparency of control, for example during mergers, acquisitions or when preparing an IPO.
The future of cyber insurance
Cyber insurance is developing into a mechanism that applies to both risk transfer and risk mitigation strategies. Additionally, cyber insurance can create business value when go-to-market strategies benefit from transparency of internal control, or when preparing an IPO or a merger. Given the fast developments in the cyber insurance marketplace and the changing risk appetite of organizations, the use of cyber insurance should be evaluated regularly. Elements that should be part of this evaluation are:
- What is the risk appetite of the organization?
- What level of direct operational loss can the organization carry?
- What level of help is needed to respond to a serious incident?
- What level of assurance would contribute to the business strategy?
- What new insurance offerings are out there?
- What new or upcoming relevant regulation is there?
I expect that in the future, cyber insurance will be part of every information security strategy. Explicit and regular decision making about the use of it should already be part of your strategy.