A recent BT blog titled “Taking out cyber insurance? Protect your company’s assets first” examines the growing trend of companies obtaining cyber insurance, which can offer financial protection in the event of a successful cyber attack. It also reveals that companies have not taken the appropriate security measures and have instead elected to depend on cyber security compliance activities and cyber insurance in an attempt to transfer risk, a choice that can leave those companies facing serious consequences.
For cyber insurance to be effective, and not a risk in itself, the organization must take appropriate actions and complete evaluations that help it understand its digital risk profile – that is, understand how well it is protected, so that insurance can be underwritten and optimized based on its specific protections. These tailored profiles need to be based upon functional elements of the business and not only around cyber threats and vulnerabilities.
One example from the energy industry, which has shown great promise, is a digital risk profile that bridges the gap between traditional tactical cyber security methods (how best to guard against threats) and strategic methods (identifying the functional impacts of Cyber Physical System losses that are unacceptable and must be prevented). The dynamic nature of a digital risk profile is used to rank failure scenarios, enabling companies to quantify and prioritize digital risks – continuously if need be.
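As an added illustration of the ranking described above (this is not code from the BT post, from the DRM Institute, or from Waverley Labs), the following Python script scores failure scenarios by functional impact and residual likelihood, flags losses the business has declared unacceptable as "must prevent" rather than "insure", and re-ranks when a control is added or re-scored. The scenario names, impact and likelihood values, control effectiveness figures, the unacceptable-impact threshold and the multiplicative residual-likelihood model are all constructed assumptions.

```python
"""Rank Cyber Physical System failure scenarios by residual digital risk.

Added illustration, not code from the BT post or the DRM Institute. Every
scenario, score and threshold below is a constructed assumption.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass(frozen=True)
class FailureScenario:
    name: str
    # Functional (business / physical) impact of the loss, 1 (nuisance) .. 5 (catastrophic).
    impact: int
    # Assumed annual likelihood of the scenario being triggered with no controls in place.
    likelihood: float
    # Controls guarding the scenario, each mapped to the share of likelihood it is
    # assumed to remove (0.0 = no effect, 1.0 = fully prevented).
    controls: Dict[str, float] = field(default_factory=dict)


# Losses at or above this impact are "unacceptable": they must be prevented by
# controls rather than transferred to an insurer (constructed threshold).
UNACCEPTABLE_IMPACT = 4


def residual_likelihood(s: FailureScenario) -> float:
    """Likelihood left after each control independently removes its share."""
    remaining = s.likelihood
    for effectiveness in s.controls.values():
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError(f"{s.name}: control effectiveness must be in [0, 1]")
        remaining *= 1.0 - effectiveness
    return remaining


def residual_risk(s: FailureScenario) -> float:
    """Impact-weighted residual likelihood; the quantity used for ranking."""
    return s.impact * residual_likelihood(s)


def rank_scenarios(scenarios: List[FailureScenario]) -> List[dict]:
    """Order scenarios so that unacceptable losses come first, then by residual risk."""
    ranked = [
        {
            "name": s.name,
            "residual_risk": round(residual_risk(s), 4),
            "must_prevent": s.impact >= UNACCEPTABLE_IMPACT,
        }
        for s in scenarios
    ]
    ranked.sort(key=lambda r: (-r["must_prevent"], -r["residual_risk"], r["name"]))
    return ranked


def uninsurable_gaps(scenarios: List[FailureScenario], tolerance: float = 0.05) -> List[str]:
    """Unacceptable losses whose residual likelihood is still above `tolerance`.

    These need more protection, not a policy: an insurer would be underwriting
    a loss the business itself has said it cannot accept."""
    return [
        s.name
        for s in scenarios
        if s.impact >= UNACCEPTABLE_IMPACT and residual_likelihood(s) > tolerance
    ]


def with_control(s: FailureScenario, control: str, effectiveness: float) -> FailureScenario:
    """Copy of `s` with a control added or re-scored, so the profile can be re-ranked."""
    return replace(s, controls={**s.controls, control: effectiveness})


def sample_profile() -> List[FailureScenario]:
    """Constructed scenarios for an energy operator; values are assumptions."""
    return [
        FailureScenario("Safety instrumented system loss of view", 5, 0.20,
                        {"network segmentation": 0.6, "SIS engineering MFA": 0.5}),
        FailureScenario("Historian data exfiltration", 2, 0.50,
                        {"egress filtering": 0.3}),
        FailureScenario("Remote access takeover of turbine controller", 4, 0.30,
                        {"VPN with MFA": 0.5}),
        FailureScenario("Corporate email outage", 1, 0.80),
    ]


if __name__ == "__main__":
    profile = sample_profile()
    for row in rank_scenarios(profile):
        print(row)
    print("gaps before:", uninsurable_gaps(profile))
    # Re-score after adding a software defined perimeter in front of the turbine controller.
    profile[2] = with_control(profile[2], "software defined perimeter", 0.8)
    print("gaps after: ", uninsurable_gaps(profile))
```

Two design points are worth noting. Ranking puts `must_prevent` scenarios ahead of everything else regardless of score, which is the "strategic" view in the paragraph above: an unacceptable functional loss is prioritized even when its residual likelihood is small. And `uninsurable_gaps` separates what a policy can reasonably cover from what still has to be engineered away, so the underwriting conversation starts from the protections actually in place.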
We at the Digital Risk Management Institute continue to advocate new forms of digital risk management that are able to identify vulnerabilities and even qualify and quantify risk on a holistic basis before cyber insurance is even considered. Innovative new approaches, such as software defined perimeters and digital risk management frameworks, are already proving successful for protecting critical data and infrastructures in large organizations. Only through a thorough understanding of your digital risk profile can you reduce both the risk and the need for cyber insurance.
I’m interested in your thoughts on this. Feel free to comment and if you have not already, we hope you will join the DRM Institute. You can register at this link.
- Juanita Koilpillai is the President for the DRM Institute, a not-for-profit organization formed to identify and communicate best practices for managing digital business risk. Juanita is also the founder of Waverley Labs, a leading independent digital risk management company. Juanita has more than 25 years’ experience in information security and resilient software development and is an active contributor to cyber security and risk management working groups from government and academic institutions such as NIST, DHS, Cloud Security Alliance, and UNC Charlotte.