Kogod Cybersecurity Governance Center
4400 Massachusetts Avenue NW
Washington, DC 20016
Written by Rebekah Lewis
Published
When deciding whether to invest in cyber insurance, one of the most important first steps that any organization should take is to look inward, drawing upon (or developing if it does not already exist) a foundational understanding of the organization itself - its goals, its challenges, its assets and its risk appetite. Only after doing this groundwork and building upon it to establish an effective cybersecurity governance program can an organization approach the question of cyber insurance armed with the information it needs to make responsible and effective choices. These were some of the guiding principles and observations highlighted at a recent event co-hosted by the Kogod Cybersecurity Governance Center (KCGC), AIG and Axio. (Note: AIG is a KCGC Advisory Committee member and sponsor). This installment of KCGC | In Practice reviews some of the key insights drawn from these discussions about how to best leverage the interrelated benefits of cybersecurity governance and insurance.
Discussions about cybersecurity include a lot of buzz these days regarding insurance and its potential to help individual organizations, and even more broadly to influence the market, in managing cybersecurity risk. But many organizations are still grappling with fundamental questions about cyber insurance: How do we determine whether we need it? Who should be responsible for the decision to purchase coverage? How much and what kind of insurance do we need? This installment of KCGC | In Practice highlights recommendations for addressing these questions, building on discussions at the recent "Solving Cyber Risk" workshop co-hosted by the Kogod Cybersecurity Governance Center (KCGC), AIG and Axio. Read on to learn more.
To determine whether an organization needs cyber insurance, it must first address the basic question of whether cybersecurity is a relevant risk at all. Participants at the recent "Solving Cyber Risk" workshop reported that many companies (still) do not believe cyber incidents can affect their bottom line. If that were true, it could be a valid reason to dismiss the need for cyber insurance fairly quickly. But this belief is often grounded in a mistaken impression that cyber incidents are primarily about the theft or misuse of sensitive data such as credit card numbers or other personal information, including personal health information, and that an organization holding little such data therefore has little to lose.
Many organizations that recognize the relevance and significance of cybersecurity risk still struggle with the fundamental question of whether purchasing cyber insurance is a prudent risk management choice for them. While external factors such as trending cyber threats and attacks, benchmarking against peers, or even the price of available policies and packages are relevant, workshop participants did not recommend starting with an outside-in approach. Instead, organizations should focus first on understanding their own capabilities, needs and goals.
In addition to the fundamental issue of whether insurance is an appropriate and cost-effective investment, organizations also struggle with the critical question of who should be responsible for making the decision about cyber insurance. On this issue, panelists and other participants agreed that many organizations might need to reevaluate their existing approach if they want to make the wisest choices.
An organization's decision to invest in cyber insurance should ideally be driven by a full evaluation of whether its risk mitigation practices - primarily responsible governance and appropriate technology - leave a residual risk that exceeds the organization's risk appetite. If it does, then investing in insurance as a way of transferring and reducing some of that residual risk makes good sense. Once the company has determined that insurance is appropriate and begins evaluating policies, it should keep a number of important considerations in mind.
On balance, the decision about whether to invest in cyber insurance and, if so, how much and what kind, is primarily organization-specific. And while that means that following the pack is not as viable a shortcut as it may seem, practitioners should take some comfort in the fact that most of the information they need is largely within their domain, and perhaps not nearly as volatile as they may think. In fact, the internal process of assessing residual cybersecurity risk is likely to improve a company's cybersecurity program.
Questions? Comments? Feedback about this article? Contact us at cybergov@american.edu.