The continually growing volume of cyberattacks and online threats is making cyber insurance the norm for many organizations. While insurance has typically been something the organization’s board of directors worked on with the CFO, the technical nature of cyber risk means the CISO is increasingly being asked to join the conversation.
Cyber insurance has become the norm for many organizations. More than half of the respondents in Dark Reading’s most recent Strategic Security Survey say their organizations have some form of cyber insurance coverage. While 29% say cyber insurance coverage is part of a broader business insurance policy, 28% say they have a policy specifically for cybersecurity incidents. Nearly half of the organizations (46%) say they have a policy that covers ransomware payments.
A cyber insurance policy helps organizations pay for at least some of the financial losses they may incur in the event of an attack or data breach – such as costs related to investigating and responding to the incident, remediation, crisis communications, ransom/extortion payments, legal liabilities, and loss of revenue. While insurance does not “eliminate the need for proactive and resilient cyber controls,” it does offer a “safety net” for potential financial loss, according to a new Perspectives on Security for the Board report from Google Cloud’s Office of the CISO. The goal of this report series is to empower boards of directors to take a more active role in overseeing the organization’s cyber risk.
“The financial and legal ramifications of cyber attacks demand meticulous insurance strategies, yet crafting them requires a deep understanding of the evolving risks,” the report said, before recommending that boards facilitate cooperation between the security organization – with technical expertise – and the finance organization – with the focus on financial impact.
Collaborating on a Stronger Story
“How to talk about risk and how to manage and mitigate risks is now becoming much more important for the CISO organization to understand,” says Monica Shokrai, head of business risk and insurance at Google Cloud, while noting that communicating risk upwards is something the CFO has been “doing forever.” Instead of trying to turn CISOs into “cyber CFOs,” the two organizations should work together to develop a coherent and integrated strategy for the board, she says.
The finance organization is used to quantifying risk, deciding how much risk an organization has, and then optimizing an insurance program to decide how much risk to retain versus how much risk to transfer. Since the finance side of the house doesn’t have the background in cyber risk, they’re less likely to get the model right. The security side of the house has that expertise and understanding of cyber risk and technology. Cyber risk quantification helps model potential losses.
“The CISO’s technical expertise is invaluable, but true power comes from translating risks into their potential financial impact on the business,” Google Cloud wrote in the report. “By collaborating with Finance, and utilizing public breach data alongside the company’s own incident history, companies can develop a robust cyber risk model.”
The board looks at the risks of the company, tries to determine how those risks affect the company’s balance sheet, and then decides how much risk to transfer. Calculating the financial impact is part of the insurance strategy, and that is similar between cyber insurance and other types of insurance. Traditional insurance such as auto liability or workers’ compensation is based on established case law, so the average board member knows what is covered and what is not. In contrast, cyber insurance is still working out its exclusions, such as cyber war, systemic risk, and generative AI.
“What’s still emerging about cyber insurance is that boards are starting to recognize the magnitude of the risk that they as an organization are being faced with,” Shokrai says.
It is never too early for security and finance to collaborate on cyber risk management as the finance team already has to think about what risks to accept and what risks to insure against. “If you start with cyber risk quantification, you at least have a benchmark through which you can adjust up and down over time and you can iterate on. It is expected that you will continue to adjust that model as you learn more,” Shokrai says. “You might as well start that collaboration early and improve both teams in the process.”