Board Conversations: Replacing Fear and Uncertainty with Smart Cyber Insurance Decisions

By Kyle Ferguson, Vice President, SSIC

This is the first blog in our “Board Conversation” series, where we will explore security topics that resonate with executive leadership and within the boardroom.

In light of recent “mega breaches,” which are receiving extensive media attention, the global cyber insurance market is growing as enterprises seek to transfer the uncertainty of cyber risk.

This seems logical. But is it?

Behind this seemingly logical approach to transferring cyber risk lies a world of haphazard decision making and guesswork. I am always curious to learn how organizations decide how much cyber insurance to purchase, and how much value they find in the coverage they buy.

The answers are always similar: shrugged shoulders, rolled eyes, and something about the board not wanting to be the subject of the next cyber-attack headline and criticized for not doing everything it could do to offset risk.

As with many cyber-risk decisions, a familiar foe is behind the haphazard decision making and guesswork: fear, uncertainty, and doubt about cyber risk, which leave the corporate world perplexed.

How can we cut through this confusion and present intelligent cyber-risk transfer options to the board?

The first step, and the one that remained missing in the marketplace until very recently, is to quantify cyber risk in financial terms. Specifically, quantify the probability and the impact of each cyber risk so that you can see where risk remediation ends and risk transfer begins. We call that boundary the "risk-transfer zone."

What is a Risk-Transfer Zone? How Can I Create One?

A risk-transfer zone is a thin line or a broad band (or box) drawn on the probability/impact chart that clearly separates risk remediation from risk transfer. As an example, please see below:

Figure: Sample Risk-Transfer Zones

Ideally, you remediate as much as possible of the risk that falls before the start of the risk-transfer zone. Its probability is so high that it cannot be transferred, nor should it be accepted.

Within the transfer zone, you can either accept or transfer the risk. Remediation is usually not an option here, because the cost to remediate exceeds the expected loss (probability multiplied by impact). At current cyber insurance prices, transfer is usually the smarter play, provided the policy actually covers the impacts you have quantified.

Finally, transfer as much as possible of the risk that falls beyond the far edge of the risk-transfer zone. Losses here are low probability but potentially catastrophic, so they are hard to remediate cost-effectively. Again, insurance is the smart play, up to the point where you can no longer buy it; whatever exposure lies beyond the coverage you can buy stays with the enterprise.
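To make the three regions concrete, here is an added example (not code from the original post) that sorts quantified scenarios into remediate, accept or transfer decisions using the rules just described. The probability thresholds that bound the zone, the scenario names, the dollar figures and the policy limit and exclusions are all constructed for the illustration; a real programme would take them from its own loss-event data and from the policy actually on offer.

```python
"""Classify quantified cyber-risk scenarios against a risk-transfer zone.

Added illustration, not code from the original post. Every figure below is
constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Zone boundaries on the annual-probability axis (assumed values).
# At or above HIGH_PROB a scenario sits before the zone and must be remediated;
# below LOW_PROB it sits beyond the zone, in the catastrophic tail.
HIGH_PROB = 0.25
LOW_PROB = 0.02


@dataclass(frozen=True)
class Scenario:
    name: str
    category: str               # used to match policy exclusions
    annual_probability: float   # chance of at least one loss event per year
    impact: float               # loss per event, in dollars
    remediation_cost: float     # annualised cost of the control that removes it

    @property
    def expected_loss(self) -> float:
        """Expected annual loss = probability x impact."""
        return self.annual_probability * self.impact


@dataclass(frozen=True)
class Policy:
    limit: float                            # maximum payout per event
    exclusions: frozenset = frozenset()     # scenario categories the policy will not pay for

    def covers(self, s: Scenario) -> bool:
        return s.category not in self.exclusions


def region(s: Scenario) -> str:
    """Locate a scenario relative to the risk-transfer zone."""
    if s.annual_probability >= HIGH_PROB:
        return "before zone"
    if s.annual_probability >= LOW_PROB:
        return "transfer zone"
    return "beyond zone"


def decide(s: Scenario, policy: Policy) -> tuple[str, str, float]:
    """Return (region, decision, uncovered exposure) for one scenario.

    uncovered exposure is the per-event loss no decision absorbs: the whole
    impact when the risk is accepted, the part above the policy limit when
    it is transferred, and nothing once it is remediated.
    """
    where = region(s)
    if where == "before zone" or s.remediation_cost < s.expected_loss:
        # Too likely to insure, or the control is cheaper than the expected loss.
        return where, "remediate", 0.0
    if not policy.covers(s):
        # Insurance does not address this impact, so the enterprise keeps it.
        return where, "accept", s.impact
    return where, "transfer", max(0.0, s.impact - policy.limit)


def summarise(scenarios: list[Scenario], policy: Policy) -> tuple[list, dict]:
    """Classify every scenario and total what each decision costs or leaves behind."""
    totals = {
        "remediation_spend": 0.0,
        "expected_loss_accepted": 0.0,
        "expected_loss_transferred": 0.0,
        "uncovered_exposure": 0.0,
    }
    rows = []
    for s in scenarios:
        where, decision, uncovered = decide(s, policy)
        if decision == "remediate":
            totals["remediation_spend"] += s.remediation_cost
        elif decision == "accept":
            totals["expected_loss_accepted"] += s.expected_loss
        else:
            totals["expected_loss_transferred"] += s.expected_loss
        totals["uncovered_exposure"] += uncovered
        rows.append((s.name, where, decision, uncovered))
    return rows, totals


# Constructed sample register (hypothetical scenarios and figures).
SCENARIOS = [
    Scenario("Phishing-led wire fraud", "social-engineering", 0.40, 250_000, 60_000),
    Scenario("Ransomware on file servers", "ransomware", 0.10, 2_000_000, 900_000),
    Scenario("Vendor portal breach", "third-party", 0.08, 1_200_000, 50_000),
    Scenario("Cloud control-plane compromise", "misconfiguration", 0.01, 30_000_000, 4_000_000),
    Scenario("Destructive wiper from a state actor", "nation-state", 0.005, 12_000_000, 2_500_000),
]
# Hypothetical policy: $5M per-event limit with a nation-state exclusion.
POLICY = Policy(limit=5_000_000, exclusions=frozenset({"nation-state"}))

if __name__ == "__main__":
    rows, totals = summarise(SCENARIOS, POLICY)
    for name, where, decision, uncovered in rows:
        print(f"{name:40s} {where:14s} {decision:10s} uncovered ${uncovered:,.0f}")
    for key, value in totals.items():
        print(f"{key:28s} ${value:,.0f}")
```

The last column is the number a board actually needs: the ransomware scenario transfers cleanly, but the cloud scenario leaves $25M above the policy limit and the state-actor scenario is excluded outright, so $37M of per-event exposure remains with the enterprise however much insurance it has bought. Comparing remediation cost with expected loss also surfaces the vendor-portal case, where a cheap control beats both accepting and insuring even though the scenario sits inside the zone.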

Removing the Guesswork from Risk Transfer Decisions

So how do enterprises approach transferring the uncertainty of cyber risk if they don't even understand where the uncertainty begins? Some portion of the risk is not uncertain at all, and that portion has to be understood and addressed directly rather than transferred.

At this point, I think we can agree that most enterprises are just guessing or leveraging their insurance broker to make a decision on their behalf.

Why guess on something that could ultimately put your enterprise in jeopardy? If you guess wrong, the impact of a cyber event could massively erode margin or shareholder value. A large enough cyber event could even shut down an enterprise permanently if there isn't enough insurance to cover the damages.

The solution? Remove the guesswork.  Implement a cyber-risk strategy that enables you to understand cyber-risk probability and impact.  Use the probability and impact charts to create risk-transfer zones.  Finally, use the risk-transfer zones to make sound cyber insurance buying decisions.