Aside from the direct, immediate impacts (losses and costs) and effects on business systems, networks and data, cyber incidents may have devastating business consequences if supply chains, or perhaps even whole industries and nations, are affected. Cyber risk is an increasingly significant concern to virtually all organizations, especially those that are critically reliant on IT systems, networks and data.
Arguably the most effective way to reduce cyber risk is to avoid risky business activities altogether … but naturally that means forgoing the business benefits of those activities.
The next best option is to mitigate or reduce the risks using cybersecurity controls. These can be costly and imperfect, but at least the activities can take place.
Sharing or transferring risk to third parties is the subject of this module. Cyberinsurance is a novel, emerging good practice in information and cyber security. This awareness module helps people acquire knowledge and capabilities, and (for many) mastering something new is motivational. Regardless of whether your organization is using or considering cyberinsurance right now, the module is an opportunity to explore and learn something different. It also reinforces the idea of consciously identifying, evaluating and deciding how to address information risks.
For completeness, we also have a final option: to accept cyber risks that have not been treated (eliminated or reduced) in other ways – actually, ‘option’ is a bit misleading, since some cyber risks have to be accepted regardless: there is no choice. It’s the default position, which leaves us exposed to the possibility of cyber incidents and the consequences thereof.
The module is intended to:
- Introduce insurance concepts, terms and practices, plus information risk treatment, to set the scene for the awareness topic;
- Explain cyberinsurance specifically – its nature and value, pros and cons, opportunities and limitations;
- Stimulate managers, in particular, to consider taking up cyberinsurance where appropriate, and yet be realistic about its constraints and drawbacks;
- Encourage everyone to avoid, mitigate or share information risks rather than simply accepting them, unthinkingly or by default.
Consider your learning objectives in relation to this topic. What makes cyberinsurance pertinent to the organization and its business? What kinds of cyber risks that are currently accepted might be worth treating instead through insurance, other forms of risk-sharing, or in some other way?
Information security awareness and training content about cyberinsurance and risk sharing in general.