Buying Cyber – Consider Carefully
The threat arising from cyber security is real. If it is not already, I suspect this threat will shortly be one of the most significant risks that companies face.
Given its significance, the cyber threat needs a comprehensive integrated response with risk transfer being just one element.
As a risk manager I cringed when I heard another risk manager declare at a RIMS annual conference session, “Yep, I bought cyber risk insurance last year. I did so because everybody else is doing it and also because my director thought it was a good idea. To be honest, I must admit that I am not really sure exactly what I bought.”
That risk manager may have done the right thing but definitely for the wrong reasons.
When you purchase an insurance product you are, as we all know, engaged in the practice, or should I say sometimes the art form, of transferring risk to the marketplace. This seems pretty clear, or is it? You should only engage in the practice of risk transfer after you have:
1. Carried out a thorough investigation of your business in order to identify all relevant original or “raw” risk(s).
2. Identified the controls that exist within your business to mitigate the risks identified. In doing so, you also need to assess the effectiveness of the controls in place to treat the identified risks.
3. Considered what other new controls, or augmentations of existing controls, could be established to deal with the risks on a cost-effective basis.
4. Assessed the residual risks remaining after applying steps 1 – 3 above and determined whether they are within your risk appetite or not.
Some risk managers adopt a “risk flavor of the month” approach when considering, indeed purchasing new insurance products. Cyber risk insurance is one such product that has been flavor of the month for quite some time.
The social/peer pressure to buy “cyber” is unrelenting. It is egged on by the myriad studies that state, for example, that x percent of entities now buy cyber insurance and that this will grow to y percent within 12 months.
Do you want to be the brave insurance manager who bucks this trend? I am not suggesting that you be that person. What I do suggest is that you go about evaluating whether or not this risk in your company needs to be insured against in a very disciplined, dispassionate manner.
The advantage of adopting the above is that you will end up with:
1) A very detailed description of the risks you face.
2) A comprehensive assessment of your suite of controls.
3) Absolute clarity as to which element of your risk you will seek to transfer to the insurance marketplace, so that if you do buy, you will end up with a product that precisely fits your needs.
When you make that decision to buy cyber you will feel better as a risk management professional for having done so after following the above.