Using Cyber Insurance for Risk Mitigation

Published on: 23 Apr, 2018
Enterprise security has become a complex and expensive affair. Securing an enterprise requires thorough knowledge of information security, dedicated skills and continuous resolve.  For many enterprises, the first step in security is conducting a risk assessment, then devising plans to reduce or evade the effects of specific risks.
Risks can be addressed in four ways:[1]
  • Risk Avoidance. The costliest way to deal with a risk is to avoid it altogether. 
  • Risk Acceptance. If the cost of handling the risk is more than the risk itself, then nothing is done to address that risk.
  • Risk Limitation. A combination of acceptance and avoidance, some actions are taken to reduce the risk, but the risk may not be completely eliminated.
  • Risk Transfer. An intelligent way of handling the risk is to shift it to someone else. One example of risk transfer is obtaining cyber insurance from a third party.
What is Cyber Insurance?

Cyber insurance, also known as cyber risk insurance or cyber liability insurance coverage (CLIC), is acquired to protect enterprises (and even individuals) against risks pertaining to cyberattacks. Such insurance generally covers risk of losses due to data exposure/destruction, denial of service, hacking, errors/omissions, defamation, etc.
The trend of acquiring cyber insurance is growing with the rise in cyberattacks and associated losses incurred. The global cost of cybercrime has now reached as much as $600 billion — about 0.8 percent of global GDP — according to a recent report by McAfee.[2] Meanwhile, annual gross written cyber insurance premiums are estimated to reach $7.5 billion by 2020.[3]

Reimbursable Costs Related to Cyber Incidents

Different insurance companies can normally cover several types of cyber-related expenses, including:
  • Loss of Productivity. Cyberattacks typically create problems for enterprise productivity including service unavailability, interruption in business processes, crisis-like situations and reputation damage.
  • Forensics Analysis. In the event of an attack, enterprises must pay for forensic investigations, typically by third parties, to ascertain the size and extent of damage and devise means to prevent further loss.
  • Notifying Affected Parties. In case of a data breach, the clients and other concerned stakeholders have to be informed as soon as possible.
  • Lawsuits. Legal repercussions due to data breach/exposure, denial of service, loss of confidentiality, etc. can also form a major cost that must be sustained by enterprises that have suffered cyberattacks.

In today’s world, where cyberattacks seem as common as road accidents and burglary, cyber insurance is a good way of handling associated risks. However, implementing cyber insurance requires deliberate plans and strategies by enterprises.
About the Author

Abdul B. Subhani is the founder and President/CEO of Centex Technologies, an IT consulting company with offices in Central Texas, Dallas, and Atlanta. He is also an adjunct faculty member of the Texas A&M University - Central Texas computer information systems department. Abdul is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, member of FBI Infragard, member of Forbes Technology Council and the recipient of multiple other advanced IT credentials. He has been recently recognized as one of the 40 under 40 by The Armed Forces Communications and Electronics Association for his significant contributions in the field of science, technology, engineering and math (STEM). Abdul has been a frequent keynote speaker, moderator, and panelist at leading international technology conferences, and he has given speeches to thousands of students at colleges and universities.