Cyber insurance market growthAlthough cyber insurance is not an entirely new notion, its importance grew parallel to the rise of cyber crime. With hacking attempts becoming more sophisticated and more frequently targeted at enterprises, a larger number of executives start taking cyber risk transfer into consideration. Correspondingly, this market has skyrocketed in the last few years with the number of carriers reaching 25 and providing up to $300M in limits. Furthermore, the Advisen report from October 2015 reports that 60 percent of respondents are buying cyber risk insurance, which is a considerable figure compared to 2011, when this form of risk was relatively new. Evidently, risk transfer is becoming a more popular strategy for mitigating cyber risks, which trigger the rise of companies called cyber captives. Providing services ranging from security and privacy liability, data recovery and cyber extortion, these companies offer a new set of options for a modern enterprise. However, prior to taking this step, CIOs need to evaluate the usefulness of this strategy and find the best way to implement it.
Cyber risk managementTo be able to understand the extent to which they are exposed to cyber risks, enterprises need to carry out a proper assessment of the key systems. Only after getting the right insight into the actual state of cyber risk exposure, managers can make the right decisions concerning risk management and transfer. In relation to this, Managing Director Cyber Security and Privacy at Protivity, Michael Porier suggests a set of steps to be taken in order to create an actual strategy. In one of his presentations, he outlines a full cyber security framework consisting of the following steps:
- Cyber assessment – evaluating the actual level of risk;
- Cyber risk mitigation – implementing the cyber security strategy;
- Cyber Insurance, risk transfer – deciding on the proper risk transfer option suitable to the particular company.
Risk transfer best practicesWith some evident benefits for the enterprise, risk transfer remains a decision that needs to be approached strategically. The whole process needs to be fully transparent for the insurer, as well as the end-users. To ensure this, CIOs need to be informed about all the business aspects this long-term commitment may affect. Some of the recommended steps are the following.
1. Define security responsibilities for each party. When transferring cyber risk to an insurer, it is essential that both parties understand their areas of responsibilities. This may be particularly important in terms of cloud service provisioning, as the vendors may maintain the right to change service policies.
2. Audit provisioning. Enterprises should have the right to audit issuer/provider in order to ensure maximum standards are maintained when operating with the data. Now seen as the 4th “A” in the process of identity and access management, audit is gaining in importance for meeting regulatory compliance.
3. Compliance assessment. Organizations that operate in or with institutions in the regulated industries need to ensuring that the transfer is fully in accordance with relevant laws and regulations concerning data privacy. This involves understanding the responsibilities of IT professionals in secure environments under HIPAA or other acts such as HITECH, FISMA.
4. Disaster recovery plan of actions. Make a strategic plan of actions for each of the parties in order to ensure immediate reactions in case of a disaster.These are some of the critical aspects that should be taken into account when transferring responsibilities to cyber insurers. Companies that have evaluated their own needs and found proper options can use the cyber security management framework outlined above to ensure maximum safety for their internal data and maximum credibility in the eyes of clients. Along with security systems and software solutions designed to minimize cyber threats, cyber risk transfer is becoming more commonplace in the enterprise. In recent years, it has become one of the key strategies for mitigating cyber risks and also a big decision many CEOs are yet to make. With a well-developed plan and properly assessed opportunities, enterprises should be able to successfully implement cyber risk transfer and improve their business.