If you magically found a spare $2 million to spend on cybersecurity, what would you do?
If your CISO was asked, their reaction would likely be immediate and decisive. “We’ll expand our headquarters’ security operations center (SOC) and those in our core international facilities. Then we’ll install next-gen endpoint protection, institute biometric access controls to our data centers, harden our critical infrastructure, and expand our threat intelligence subscription services.”
Those and similar technology investments are a smart way to go. But that approach treats cybersecurity as a problem to be solved rather than as a risk that needs to be managed. Managing cyber risk, as with any operational risk, needs to be more nuanced. So let’s look at it from a different perspective.
What if your CFO and Chief Risk Officer were told that $2 million spent on a bespoke cyber insurance policy could transfer $100 million of risk off their books and, at the same time, improve the organization’s operational resilience? In other words, you would not only be financially protected in case of a costly data breach but also ensure that the organization could withstand the financial impact of a disruption to business operations for a material period of time.
That’s not a hypothetical scenario. More and more organizations are facing the harsh reality that their technology will fail, a vendor will not be there when needed, or they will be cyber-attacked, if it hasn’t happened already, with potentially grave financial, operational, legal, regulatory, and reputational consequences. Cyber risks are not simply problems that can be spent away. They are operational risks that need to be managed with the same level of attention and diligence as any critical risk that could potentially put you out of business.
Cyber risk has now overtaken other, more traditional risks to become the number-one nightmare for business leaders and board members. And that risk has evolved beyond privacy breaches and lost credit cards. The modern commercial entity is now so heavily dependent upon technology—their own and others’—that the board’s biggest concern is whether their organization is truly cyber resilient and up to the challenge posed by the myriad cyber threats it faces.
The Business Continuity Institute, which assesses factors that shape business continuity and their impact on organizations, recently concluded that unplanned technology and telecommunications outages now outpace natural disasters and political risks in disrupting local, national, and even global supply chains. And as severe as the impact may be when an organization is in a geography hit by a flood, hurricane, or tornado, the potential financial impact of something like a ransomware attack—as the 2017 NotPetya malware attack demonstrated—is likely to be even greater.
Companies manage their risk across a spectrum, with technology, protocols, and procedures being the primary risk mitigation tools. At some point along that spectrum, those risk tools no longer prove wholly effective. It is at that point—the residual risk that remains after mitigation and prevention efforts have been exhausted—that insurance comes into play.
Cyber insurance is no more an alternative to sound risk management principles than technology is a silver bullet against every threat or exploit. You should have a cyber insurance policy that aligns with your risk profile and that is integrated into your overall risk management framework.
Cyber Insurance As a Resilience Play
We all know the traditional insurance model. An event occurs that has financial impact on a person, a community, or an organization. The insurance coverage pays the affected party a sum of money in accordance with the terms of its policies, coverage limits, and so on.
But traditional property and casualty insurance has left a vacuum by not evolving breadth of coverage in line with the changing risk profile of its customers. This is where cyber insurance plays a critical and essential role. Cyber insurance anticipates and accounts for the need for operational and financial resilience. There are massive hard- and soft-dollar costs associated with running your business in the Digital Age.
It is a lack of resilience, even more than security, compliance, and the threat of lawsuits, that makes organizations increasingly vulnerable to cyber risk. And the aforementioned technology, protocols, and procedures can only go so far to prevent and mitigate cyber risk. Cyber insurance covers the residual, unpreventable cyber risk. That’s why cyber insurance must be considered part of an integrated risk management strategy.
The good news is that cyber insurance is increasingly being viewed that way—as part of a holistic approach to risk management on par with traditional governance, risk management, and compliance functions. Interestingly, research conducted by Marsh, with Microsoft, indicates that cyber insurance “take up” rates—the percentage of organizations in a particular sector that purchased stand-alone cyber insurance—have been trending strongly upward in recent years.
What Should You Do First?
Making smart and strategic decisions on how, where, and when to use cyber insurance to mitigate risk starts with some key learnings and actions:
- Cyber risk has to be part of the board’s normal operational risk discussions. It is business risk, plain and simple. It’s not only about “How do we stop that DDoS attack that’s going around our industry?” but it also has to cover “What is the financial and operational impact to our business if our global supply chain is cut off?”
- Get help in assessing organizational risk. Cyber insurance is still a fairly young line of business, and as such, it lacks the rich actuarial data associated with fixed-asset valuation like cars and plants. But there are a lot of helpful assessment tools to evaluate risk, from both inside and outside the firewall. Cyber-risk modeling companies run non-invasive scans and scrapes, and knock on your virtual doors to see if ports are left open.
- Take the time to understand relevant cyber insurance trends on coverages, premiums, and services, and compare your organization with others. Examining your peer group, however you define it, is a good way to put your assumptions into context, and to frame decisions about how to work with your broker to create a customized solution. But that analysis should not be limited to only what cyber insurance your peers are buying.
- Do a thorough, ongoing evaluation of the organization’s at-risk asset values. And be sure to stretch your imagination when identifying those assets. Do you have a lot of personally identifiable information of employees, customers, prospects, and trading partners? Do you have trading algorithms? What is your inventory of intellectual property?
- Be honest about your pain threshold when it comes to cyber risk. Executives and boards need to be on the same page when it comes to evaluating how much cyber risk they are willing to accept and how much they want insurance to cover. One organization may decide to hold the first $25 million in losses as their pain threshold and expect insurance to step in above that, while others may feel uncomfortable waiting for a digital catastrophe before receiving relief through insurance.
- Make sure all the key players are at the table to discuss cyber insurance issues and to make the critical decisions. Of course, insurance decisions traditionally have rested in the CFO’s domain, but smart CFOs, CROs, and compliance officers are bringing CISOs to the table to get a better handle on identifying current and future sources of cyber risk, and to collectively assess the impact of that risk on their operations. And CEOs should do more than just stick their heads into the room when these discussions are taking place; they need to have skin in the game, too.
It’s safe to assume that anyone reading this article acknowledges that their organization’s use of technology will continue to grow in the coming years. So it’s reasonable to believe that, since the bad actors aren’t sitting still, your cyber risk profile is going to expand and deepen.
You can’t afford to run in place when it comes to properly insuring all your assets—physical, intangible, and digital—against cyber risk. Be sure you consider the full impact of a cyber event on business resilience when deciding what role cyber insurance plays in your enterprise-wide risk mitigation and management strategy.
Robert Parisi is Managing Director and U.S. Cyber Product Leader for Marsh. This article was adapted from Navigating the Digital Age, Second Edition.