August’s security awareness topic is cyberinsurance
Introduction and scope of the module
Cyber risk is an increasingly significant concern to organizations that are critically reliant on IT systems, networks and data ... and can you think of any that are not critically reliant?
Aside from the direct, immediate impacts (losses and costs) and effects on business systems, networks and data, cyber incidents may have devastating business consequences if supply chains, perhaps even whole industries and nations, are affected. Cyber risk extends throughout and beyond the corporation, exceeding even senior management’s purview.
Arguably the most effective way to reduce cyber risk is to avoid risky business activities altogether … but naturally that means forgoing the business benefits of those activities. The next best option is to mitigate or reduce the risks using cybersecurity controls that can be costly and imperfect, but at least the activities can take place. Sharing or transferring risk to third parties (such as insurers) is the subject of this month’s materials. Finally we have the option to accept cyber risks that have not been treated (eliminated or reduced) in other ways.
“Big insurers including AIG and Chubb have offered cyber policies since the late 1990s, and today approximately 80 companies sell them, most focused on data breaches. The market for cyber insurance has recently begun to grow quickly as a series of high-profile attacks have convinced top executives that hackers pose a serious concern.” [Technology Review]
Cyberinsurance reduces the amount of cyber risk we have to accept.
The new NoticeBored awareness module is intended to:
Introduce insurance concepts, terms and practices, plus information risk treatment, to set the scene for the awareness topic;
Explain cyberinsurance specifically – its nature and value, pros and cons, opportunities and limitations;
Stimulate managers, in particular, to consider taking up cyberinsurance where appropriate, and yet be realistic about its constraints and drawbacks;
Encourage everyone to avoid, mitigate or share information risks rather than simply accepting them, unthinkingly or by default.
Consider your learning objectives in relation to cyberinsurance. What makes cyberinsurance pertinent to the organization and its business? What kinds of cyber risks that are currently accepted might be worth treating instead through insurance, other forms of risk-sharing, or in some other way?
Explore the research and thinking that went into creating these awareness materials, and tag along as we develop next month’s module, on the NoticeBored blog.
What’s in the NoticeBored module?
What do we do with all that?
Check through the module using the contents checklist. Which items do you intend to use? How will you use and distribute them, and to whom?
Customize the generic content supplied, adapting the look-and-feel to suit your awareness program’s branding, and the content to fit your information security and business situation. Distribute the materials through the intranet Security Zone and blog, by email, as printed leaflets etc.
Print out and circulate the posters and/or use the graphics to illustrate the other materials.
Organize seminars, workshops, presentations or meetings, using the seminar slide decks … and/or turn them into online awareness courses, Learning Management System modules, podcasts etc.
Run the challenge as a light-hearted activity that happens to involve cyberinsurance.
Discuss the case study within awareness events or online.
Publish the updated security glossary on your intranet Security Zone.
Decide on the prize/s then circulate the wordsearch puzzle and security test to employees.
Use the awareness survey to gather metrics plus feedback and improvement suggestions.
In conjunction with your contacts on the executive team and other professionals with an interest in this area, try to get cyberinsurance raised and discussed at exec or even board level. The board agenda, management seminar, management briefing and policy are all possible routes to the top table. Discuss the updated model information risk management policy with management, comparing it with any existing policies in this area.
Review the organization’s cyberinsurance arrangements using the Internal Controls Questionnaire (ICQ), perhaps in collaboration with Internal Audit.
Nurturing the corporate security culture through awareness
A security culture involves everyone in the organization, top to bottom, collectively valuing, protecting and (where appropriate!) exploiting information.
Subscribe to NoticeBored for fresh perspectives on information and cyber risk and security within the corporate context. NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course, but the principles underpin the general staff and professional streams too. Information is a valuable and yet vulnerable asset that needs to be protected for sound business reasons - not just for compliance or ethical reasons.