Cyber Insurance is a means of transferring the risk that an organization is unable to avoid, mitigate or absorb.
However when a company approaches a Cyber Insurer or a Cyber Insurance Broker, and a question of the cost of insurance crops up, an Information Security Professional is bound to ask a question if his company is considered as a “Standard Risk” or a “Sub Standard Risk” or a “Super Standard Risk”?. The expectation is that if a Company has undertaken more than average measures to secure itself and reduce the risks, it should get some advantage in the premium front. For example, if a Company has spent money in getting itself certified for ISO 27001, it is a natural expectation that the risk levels in that company should be lower than other comparable entities. Hence it should be considered as a “Super Standard Risk” and a corresponding reduction in premium. Conversely, if the information security preparedness of an organization is low, then the insurance company is entitled to consider the subject as a “Substandard Risk” and charge a risk premium.
In practice however, companies may not know how much of value benefit its ISO 27001 certificate would provide. Alternatively, it may not know what a COBIT audit or a PCI DSS or multiple audits are worth. Many times an entity would have undergone a security audit from its client though not certified by an ISO or COBIT. In such cases, the company would like to know if there is any difference in the premium charged by an Insurance company.
This is also a very important aspect for Information Security professionals since any reduction in Cyber Insurance Premium on the consideration of the Information Security implementation status of a subject company would directly determine the Return on Investment for investments made on the CISO or the ISMS.
Well, it is time that we the potential buyers of Cyber Insurance or the Information Security professionals know what benefit that a Cyber Insurance Company attributes to our Information Security initiatives.
We expect that some light will be thrown on this issue in the Indian Cyber Insurance Survey 2015 presently being undertaken in India. The survey will capture what the industry expects in this regard and hopefully we will also capture if there is any gap in perception between what we think it should be and what it actually is.
On your part, please participate in the survey and let your views be recorded.
Naavi