One of the hot topics last year, and undoubtedly this year too, is cyber insurance. Is this the panacea that information security has been waiting for? Cyber insurance is intended to mitigate the loss from any information security incidents. Once a company has identified and logged all of its security risks, it can decide whether to accept, mitigate, avoid or transfer the risk.
Writing for Tripwire, Leron Zinatullin explains what cyber insurance can and can’t do, in order to help those companies make an informed choice. This can help a business prioritize its needs based on a cost-benefit analysis.
Mitigation and acceptance are the most common approaches. Countermeasures can be implemented to reduce the likelihood and/or impact of a particular event occurring. Often, though, it gets to a point where further countermeasures are simply not economical and the remaining risk is accepted.
If the cost to mitigate or the risk itself is just too high, then the company can also avoid the activity that leaves it exposed: avoidance. The final option, transferring the risk to a third party, is where cyber insurance becomes useful. However, it is important to remember that risk cannot be transferred fully. It is a case of sharing the risk and both parties should fully understand their own accountabilities, liabilities, and allocations of risk.
Equally, insurance can be expensive, and it is important to understand the cost-benefit of taking out such a product. This is where understanding the business becomes essential in determining whether the deal on offer is a good one. Many aspects are taken into consideration when setting a premium: size of business, territory, type of business, and more. There is some scope for reducing the cost, though. An example would be demonstrating that the organization has already considered and acted on measures to reduce the risk of a potential security incident.
Premiums are never fixed, though, and there needs to be a discussion between the company and the insurance broker to make sure the premium is right for both sides. If a company understands its risks, then there is most certainly room for negotiation on price.
Finally, it is important to mention that having and implementing controls to prevent security incidents and taking out an insurance policy are not, and should not be, mutually exclusive strategies. Consider other areas of the business: physical locks and access controls are used in every building, yet the contents are still insured. A similar, holistic approach needs to be taken with information security.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”