Security Think Tank: Back up risk assessment with broker advice on cyber insurance

What should organisations consider if they are to prepare for cyber insurance?

Although cyber insurance has been available for about a decade, the market is still developing and many organisations are yet to take up such a policy.

Cyber risk is a significant concern given the frequency of breaches and resulting costs, so the market for cyber insurance is expected to grow. PwC estimates the global market for premiums will be about $7.5bn by 2020, and Allianz estimates $20bn plus in the next 10 years.

Examples of cyber insurance coverage as a result of a breach include: crisis expenses, such as mandatory notification of affected customers; business losses, such as business interruption; and defence expenses, such as hiring lawyers or consultants.

The starting point for organisations considering cyber insurance is to conduct an information risk assessment. Once risks have been identified and assessed, treatment options can be investigated.

Organisations may choose to mitigate, avoid or accept some of the assessed risks. If, however, transference is chosen to treat other assessed risks, then cyber insurance can be an option.

The analysis and treatment decisions provided by an information risk assessment can enable organisations to focus their cyber insurance requirements on the most appropriate risks.

Once the scope of the required cyber insurance has been agreed, consider using an experienced broker to support the organisation’s decision-making on cyber insurance. As with “regular” insurance (where brokers are typically funded through policy sales), a broker can advise on the most appropriate areas of cover, point out exclusions as well as inclusions, and help tailor the policy to the budget available.

As part of the process for agreeing insurance, there will be an exchange of information between the insurance provider and the to-be-insured organisation to develop a cyber risk profile. Some policies may require an organisation to obtain a certain level of accreditation, which may be self-certified or conducted by an independent external party.

Maxine Holt is principal analyst at the Information Security Forum (ISF).