“Security has become a risk management task. Transferring some portion of risk that may not be able to eliminate is what cyber insurance is all about,” said David Navetta (@DavidNavetta), lawyer at the Information Law Group, in our conversation at the 2013 RSA Conference in San Francisco.
Navetta explained that there are three ways to cope with risk:
- Absorb the risk yourself as an organization.
- Where you have a contract, shift the risk to a vendor through its terms.
- Transfer the risk to an insurer by buying cyber insurance.
Ten years ago, cyber insurance was not a particularly useful product, Navetta admitted. Today that has changed dramatically: carriers now offer broad, real coverage that would interest security risk managers in the event of a data breach.
But Navetta warned, “Insurance is not a replacement for security. In order to get insurance you’re going to have to show some level of reasonable security.”
To get cyber insurance you will need to show your security policies, may have to go through a third-party assessment, and may be interviewed on security- and privacy-related issues. Being underwritable is actually easier today than it used to be, though: carriers look less "under the hood" at your operations than they once did, said Navetta.
For more on this topic, read Navetta’s post, “Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?”