Is cyber insurance being used as a catch-all solution?
When planning operations, business leaders and practitioners look to mitigate, transfer, or avoid cybersecurity risks. Mitigating and avoiding risk both have their place, but transferring risk sounds quite enticing!
Wouldn't it be great if you could purchase an insurance policy and leverage a slush fund to pay off the ransom and deductible if and when there is a breach? Doing so would mean that you are covered in the case of an event. Now you can get back to the company's products and services and pay less attention to cybersecurity demands!
I'm not sure it's that simple!
If it were, what would stop banks from doing the same thing? Why should they then need to implement controls to ensure that there are protections around your money?
The purpose of this write-up is not to assess the utility of cyber insurance. After all, if leveraged correctly, it becomes another weapon in any cyber program's arsenal. The question is whether cyber insurance can take the place of a well-formed cyber program that considers all possible risk management treatments.
The Purpose of Cyber Insurance
Would you get into your car, drive 200 miles per hour down the road, and feel confident because you have insurance? Of course you wouldn't, because more than your vehicle is at stake when performing such activities. Moreover, which insurance policy provides you with a life extension guarantee?
I wonder what the premium would be on that bad boy!
Insurance, generally speaking, is intended to protect the policyholder from unforeseen circumstances that fall outside their control. Being granted an insurance policy implies that the policyholder already has some ability to manage risk within an acceptable limit.
What is an acceptable level of cyber risk?
That depends on information criticality and the types of products and services your organization provides to the public.
If that makes no sense whatsoever, we did a write-up on defining cyber risk within your organization; read it if you have no idea where to begin.
The main takeaway should be that the insurance provider will expect your organization to understand its cyber risk posture and provide evidence of placing controls within the environment to limit exposure.
The last thing any insurance company wants to do is insure a sinking ship!
Is cyber insurance the only way to transfer risk?
I would argue that cyber insurance is probably the least effective method for transferring risk to other parties. However, it may be the only choice, especially in cases where the organization has not enlisted the help of third parties to deliver its products and services. Where third parties are involved in delivering a product or service, both contracts and service level agreements should spell out the responsibilities of each party. In more mature organizations, RACI (Responsible, Accountable, Consulted, Informed) charts are developed to show responsibilities at the process or procedural level, including shared duties.
If there are no third parties involved in business operations, the company will almost always choose to leverage cyber insurance to transfer its risk. While this approach is feasible at the enterprise level, cyber practitioners should take a more proactive role to ensure that internal partners hold up their end of the bargain.
What do I mean by this exactly?
If your organization has adequately structured the cybersecurity function, it will, in most cases, act as an oversight function, ensuring that both corporate and business unit-level cyber policies are being upheld. This means that cyber is not responsible for implementing technical controls in the operational environment. Instead, it specifies requirements and relies on other technical functions within the business, such as infrastructure, applications, or cloud services, to apply the constraints. This being the case, there is an inadvertent transfer of risk occurring from the perspective of the cyber organization.
For instance, in the case of firewall rules, cyber would be Consulted and Informed regarding the status and any changes. Infrastructure would be Responsible for applying the rules, while both the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) may be held Accountable for any breakdown in the controls.
As with any risk management process, there will be constant change. Therefore, business and cyber leaders should always look to assume only the risk necessary to deliver effectively.
Conclusion
We cannot insure cyber risk away without regard for building programs that provide adequate security to our organizations. We will likely need to select multiple risk treatments to reach our company's objectives.
We should deploy industry-approved control frameworks within our environment before seeking to transfer risk using insurance. Without doing so, premiums will skyrocket, or our organization may find it hard to get a policy in the first place.
Insurers are beginning to take notice of companies that view insurance as a catch-all substitute for doing the work required to secure their assets. They don't want to be the scapegoat or be left holding the bag! Of course, actuaries are no slouches, and they know precisely when and how to pull the plug.
What are your thoughts on cyber insurance? Does your company currently employ it? How do you think it helps to improve your cyber program? I'd love to hear your thoughts on the matter. Please leave them in the comments.
Until next time, let's work to provide cyber solutions that keep business First!