Most cyberattacks result in financial losses for the targeted organization and disrupt its critical assets and services. Cyberinsurance is a risk transfer mechanism: it does not prevent an incident, but it shifts part of the financial consequences of cyberrisk, such as the cost of a ransomware attack, onto the insurer.
Cyberinsurance policies cover losses arising from incidents that involve critical data elements such as personal health information (PHI), personally identifiable information (PII), payment card information and confidential third-party information, and from activities such as data hosting, outsourced data processing, data storage and other data-intensive operations exposed to continually emerging cyberattacks. Because cyberattacks have grown in frequency and scale, organizations have had to give options such as cyberinsurance closer attention.
Cyberinsurance plans generally cover the direct and immediate losses from data breaches and other information security incidents. These typically include legal costs, credit monitoring costs for affected individuals, litigation costs (such as claims for breach of privacy), the costs of regulatory investigations and, where local law allows them to be insured, regulatory fines and penalties. More recently, many insurers have started covering ransom payments as well, subject to policy conditions and applicable sanctions law.
Organizations must consider their cyberrisk appetite when selecting a cyberinsurance plan. Cyberinsurance is not a panacea for cyberrisk. A plan is justified only for the residual risk that remains after existing security controls have been applied, that is, where those controls do not bring data protection to the desired level. Cyberinsurance plans also typically exclude risk such as reputational damage, devaluation of trade names and loss of intellectual property. Nonfinancial losses such as reputational harm cannot be reliably quantified in monetary terms, which is why they are not covered under cyberinsurance plans.
Organizations should weigh the amount they invest in implementing security controls against the amount they spend on cyberinsurance: stronger controls reduce residual risk, so a lower-value policy is needed, and insurers increasingly price premiums (or decline cover) based on the presence of baseline controls such as multifactor authentication, offline backups and endpoint detection. Whatever protection a cyberinsurance plan offers, it should not be treated as the primary defense against the growing volume of novel cyberattacks. Those attacks should be handled through a well-defined risk management model, with insurance as one component of the response.
The increased flow of data across the globe and the growing body of data protection and privacy regulation have increased demand for cyberinsurance plans. The COVID-19 pandemic has also changed how the world conducts business and deepened its reliance on the internet, increasing the likelihood of cyberattacks. Therefore, organizations should evaluate sound cyberinsurance plans to protect their internet-enabled business, which is the new normal in the modern world.
Editor's note: For further insights on this topic, read Vimal Mani's recent Journal article, "Decoding the Secrets of Cyberinsurance Contracts," ISACA Journal, volume 4, 2021.