Cyber insurance is an important element of the cyber risk management program because it enables the transfer of residual risks. As a result, insurance is often seen as the “doing nothing” option, which represents a “moral hazard” to the insurer. This is far from the truth, as policyholders must manage the non-insurable residual risks themselves in accordance with their risk appetite statements. Prudent policyholders partner with their brokers and underwriters to develop cost-effective insurance covers that minimise over-insurance and ensure they are not under-insured.
The current court cases covering disputes in high-value cyber insurance claims demonstrate the importance of these considerations. A genuine risk appetite statement provides the foundation of this assessment process. It is written in language that the cyber risk team can understand and use to prioritise their mitigation program to fortify against the “residual risk” boundary.
Assessing the sufficiency of cyber insurance cover is an important and difficult task. Sufficiency can be measured along four dimensions: coverage scope, insurable events, coverage limits and exclusions. The Open Group FAIR (Factor Analysis of Information Risk) cyber risk quantification framework is a useful tool to calculate the most cost-effective coverage.
The article explains how to apply the FAIR approach in the pre-loss risk assessment phase to guide the process in determining the sufficiency of the cover by quantifying potential business losses…