A Bird’s Eye View of Cyberinsurance Plans

Vimal Mani
Author: Vimal Mani, CISA, CISM, Six Sigma Black Belt
Date Published: 10 January 2022

Most cyberattacks launched by hackers result in financial repercussions for the organization and cause disruption of its critical assets and services. Cyberinsurance serves as an effective risk mitigation solution by providing protection against cyberrisk such as ransom demands from hackers.

Cyberinsurance policies protect critical data elements such as personal health information (PHI), personally identifiable information (PII), payment card information, confidential third-party information and data hosting, outsourced data processing, data storage and data-intensive activities from dynamically emerging cyberattacks. Since cyberattacks have increased at an unprecedented frequency and scale, organizations have had to consider options such as cyberinsurance with greater attention.

Cyberinsurance plans generally cover direct and immediate losses due to data breaches and information security breaches, which often includes legal costs, credit monitoring costs, litigation costs (such as breach of privacy) and costs of regulatory investigations, and fines and penalties. Recently, many of the insurance players in the market have started covering ransom payments as well.

Organizations must consider their cyberrisk appetite when determining an appropriate cyberinsurance plan. Cyber insurance is not a panacea for all cyberrisk. Cyberinsurance plans are required only when existing security controls do not provide the desired level of data protection. Cyberinsurance plans also do not cover risk such as reputational damage, devaluation of trade names and loss of intellectual properties. Calculating nonfinancial losses such as reputation loss is not possible mathematically, which is why such losses cannot be covered under cyberinsurance plans.

Organizations should do a trade-off between the amount they want to invest in implementing security controls and the amount they want to invest in procuring cyberinsurance plans (i.e., higher levels of security controls implemented will require lower-value cyberinsurance plans). Regardless of the data protection offered by cyberinsurance plans, they should not be considered as a primary weapon against scaling up innovative cyberattacks. These types of attacks should be handled with well-defined risk management models.

The increased flow of data across the globe and the increased regulations related to data protection and privacy have increased the demand for cyberinsurance plans. The COVID-19 pandemic has also triggered changes in how the world conducts business and the reliance on the internet, causing the possibility of cyberattacks to increase. Therefore, organizations should explore good cyberinsurance plans to protect their internet-enabled business, which is the new normal in the modern world.

Editor’s note: For further insights on this topic, read Vimal Mani’s recent Journal article, “Decoding the Secrets of Cyberinsurance Contracts,” ISACA Journal, volume 4, 2021.

ISACA Journal Turns 50 This Year! Celebrate with us—and don’t forget you can still receive the print copy by visiting your preference center and opting in!

ISACA Journal