More Executives Turn to Cyber Risk Transfer

As cyber threats grow in scope and potential impact, the complexity of enterprise digital data protection grows to astonishing proportions. Last year, a Fortune 500 survey revealed that cyber security is the second biggest concern for CEOs, who keep looking for new solutions to keep their data safe and their clients happy. The enterprise data is worth more than gold, so it is unsurprising that the issue of cyber security grows in importance. This particularly gains in weight as clients and customers increasingly expect companies to show a proof of compliance and demonstrate that they have cyber risk strategy in plan. As one of the strategies to mitigate potential risks and comply with cyber security standards, risk transfer is a strategic decision that more and more enterprises are making.

Cyber insurance market growth

Although cyber insurance is not an entirely new notion, its importance grew parallel to the rise of cyber crime. With hacking attempts becoming more sophisticated and more frequently targeted at enterprises, a larger number of executives start taking cyber risk transfer into consideration. Correspondingly, this market has skyrocketed in the last few years with the number of carriers reaching 25 and providing up to $300M in limits. Furthermore, the Advisen report from October 2015 reports that 60 percent of respondents are buying cyber risk insurance, which is a considerable figure compared to 2011, when this form of risk was relatively new. Evidently, risk transfer is becoming a more popular strategy for mitigating cyber risks, which trigger the rise of companies called cyber captives. Providing services ranging from security and privacy liability, data recovery and cyber extortion, these companies offer a new set of options for a modern enterprise. However, prior to taking this step, CIOs need to evaluate the usefulness of this strategy and find the best way to implement it.

Cyber risk management

To be able to understand the extent to which they are exposed to cyber risks, enterprises need to carry out a proper assessment of the key systems. Only after getting the right insight into the actual state of cyber risk exposure, managers can make the right decisions concerning risk management and transfer. In relation to this, Managing Director Cyber Security and Privacy at Protivity, Michael Porier suggests a set of steps to be taken in order to create an actual strategy. In one of his presentations, he outlines a full cyber security framework consisting of the following steps:

1. Cyber assessment – evaluating the actual level of risk;
2. Cyber risk mitigation – implementing the cyber security strategy;
3. Cyber Insurance, risk transfer – deciding on the proper risk transfer option suitable to the particular company.

The full process involving these steps comes down to planning and executing the following:

Risk transfer best practices

With some evident benefits for the enterprise, risk transfer remains a decision that needs to be approached strategically. The whole process needs to be fully transparent for the insurer, as well as the end-users. To ensure this, CIOs need to be informed about all the business aspects this long-term commitment may affect. Some of the recommended steps are the following.

1. Define security responsibilities for each party. When transferring cyber risk to an insurer, it is essential that both parties understand their areas of responsibilities. This may be particularly important in terms of cloud service provisioning, as the vendors may maintain the right to change service policies.

2. Audit provisioning. Enterprises should have the right to audit issuer/provider in order to ensure maximum standards are maintained when operating with the data. Now seen as the 4^th “A” in the process of identity and access management, audit is gaining in importance for meeting regulatory compliance.

3. Compliance assessment. Organizations that operate in or with institutions in the regulated industries need to ensuring that the transfer is fully in accordance with relevant laws and regulations concerning data privacy. This involves understanding the responsibilities of IT professionals in secure environments under HIPAA or other acts such as HITECH, FISMA.

4. Disaster recovery plan of actions. Make a strategic plan of actions for each of the parties in order to ensure immediate reactions in case of a disaster.

These are some of the critical aspects that should be taken into account when transferring responsibilities to cyber insurers. Companies that have evaluated their own needs and found proper options can use the cyber security management framework outlined above to ensure maximum safety for their internal data and maximum credibility in the eyes of clients. Along with security systems and software solutions designed to minimize cyber threats, cyber risk transfer is becoming more commonplace in the enterprise. In recent years, it has become one of the key strategies for mitigating cyber risks and also a big decision many CEOs are yet to make. With a well-developed plan and properly assessed opportunities, enterprises should be able to successfully implement cyber risk transfer and improve their business.  

Image

About the Author: Sarah Green is a tech journalist and blogger writing about cyber security, tech startups and digital business. She also tweets about related topics and likes to share her thoughts with industry experts. Follow her: @sarahh_green Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. _{Title image courtesy of ShutterStock}