Marshall Toburen

Cyber Insurance: The Norm

Blog Post created by Marshall Toburen on Jun 12, 2015

The Risk Management Society (RIMS) just published the results of a Cyber Survey it conducted with its membership. RIMS is a global not-for-profit organization founded in 1950, representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world, with a membership of more than 11,000 risk management professionals located in more than 60 countries.


The results of their May 2015 Cyber Survey produced a lot of interesting statistics. What I found particularly interesting were the results around cyber insurance:


51% of member organizations have purchased stand-alone cyber insurance policies, and 74% of those without cyber coverage in place are considering procuring coverage within the next two years.  The reported top three cyber exposures were: Reputational harm (79%), Business interruption (78%), and Data breach response and notification (73%).


I guess the widespread use of cyber insurance as an information security risk transfer mechanism stems from the never-ending list of companies that have been breached and the fear that no system of internal control is 100% effective – a.k.a., “it’s just a matter of time before we get breached.”


Cyber insurance is a relatively new insurance product. Not so many years ago, a company wishing to cover cyber risk had to propose and negotiate language modifications with its insurance carriers to more “traditional” policies such as general liability, errors and omissions, fidelity, and property/business interruption. This was a complex process, in large part because a company had to understand the threat source of potential information security breaches (physical vs. electronic; internal vs. external); the impacted areas (breach of customer and counterparty contracts, loss of current and future business as a result of business interruption, and cost to remediate); and the monetary risk associated with a breach in one or more of the impacted areas. This is an extreme example of where good “Risk Intelligence” comes into play.


Some insurance carriers have made the process a lot easier, offering dedicated cyber insurance policies that package together many cyber-related exposures. Yet, to fully benefit from cyber coverage, organizations still have to understand the amount of their cyber risk. For example, what is the worst-case monetary cost to repair brand damage and to remunerate customers for business interruptions, compromised personal information, and unauthorized transactions? This information is derived from thorough risk assessments. Ultimately, you need to know whether the coverage limit of the cyber insurance (how much insurance?) and the scope of the insurance (does the cyber insurance adequately cover all of the risks that you are exposed to?) are appropriate to your organization's risk profile.


The underwriting process for cyber insurance can be very rigorous, often requiring organizations to complete detailed questionnaires and key personnel interviews about the kind and amount of information handled and the information security governance and internal controls in place. The more it looks like you understand your risk and the better your governance process, the lower your insurance premiums.


For our IT & Security Risk Management customers, the nice thing about Archer is that you can perform the necessary risk assessments to identify needed coverage and coverage limits, and you can demonstrate to cyber insurance underwriters that you have a strong information security governance program that warrants a lower cyber insurance premium.


There is other, very interesting information in the RIMS survey, including typical limits and premiums, roles involved in cyber response plans, the methods and tools used to identify cyber risk, and the typical amount spent to protect against cyber security exposures. I encourage you to read the report if you are interested in this kind of thing.