Organisations need to do more to gain an understanding of their unique risk profiles in order to ensure the right cyber insurance for their needs. This is according to a white paper published by BDO.
The white paper, Cyber insurance: managing the risk profiles, highlights some of the positive trends around cyber security – for example, both the level of Board involvement and investment in cyber security have increased significantly in the last two to three years – but makes it clear that a lack of understanding around which cyber insurance policy to choose means that many businesses remain at risk.
The landscape is further complicated by the fact that there are no standard cyber insurance policies currently available, meaning that the terms, grants of coverage, exclusions and conditions vary hugely. A recent report noted up to 19 different categories of coverage on the market, relating to data breaches, cyber extortion, business interruption, data and software loss and physical damage, as well as death and bodily injury.
Gregory A. Garrett, Head of International Cybersecurity, said: “An organisation’s cyber insurance policies must be suited to its particular risks and exposures and are an essential factor in implementing an effective and holistic cyber risk defence programme. Cyber insurance directly addresses the financial resources to mitigate attacks but, at BDO, we provide not only financial but also tactical support. It’s less about whether or not to obtain cyber insurance and more about finding the cyber coverage that fits the organisation. Proper risk assessment and a good briefing on risk are the necessary preparatory steps to take before talking to a broker.”
Given this reality, companies need to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile. It is advised that organisations follow the agile road map below before negotiating the purchase of a cyber policy.
Identify critical business assets and their associated cyber risk: Cyber insurance can cover risks as diverse and exceptional as industrial espionage, employee misconduct, crisis communications and forensic investigation. The first step is to establish the organisation’s risk profile.
Evaluate risk exposure and quantify risks: The value of those critical assets can be quantified by modelling the potential financial impact – i.e. the cyber risk exposure arising from a cyber attack against assets that cannot be defended.
Decide if the current level of protection is enough: Assess whether each identified risk can be remediated, or whether financial protection in the form of an insurance policy is required in the event of a cyber incident.
Implement a security risk remediation programme to address the identified gaps: Evaluate cyber insurance needs for those risks that cannot be remediated and select an appropriate policy.