Cyber Insurance
There are three ways of managing IT security risks in a Risk Treatment Plan.
- Accept the Risk – a positive decision to accept a risk to the business as being something you are comfortable with.
- Mitigate the Risk – put a control in place to reduce the risk.
- Transfer the Risk – move the cost of the event happening to someone else.
Transferring the Risk is commonly done by Insurance, although there are other methods of Risk Transfer.
Cyber Liability Insurance Cover (CLIC) is often overlooked as an option to help a company survive a critical loss of data or a major security incident. The market for, and take-up of, such insurance is variable. In the US, some form of CLIC is often a regulatory requirement, so take-up is high. However, in the UK, where there is no requirement for a business to be able to survive such an event, take-up is very low (approximately 1% of UK companies have some form of CLIC).
While some form of Insurance is invaluable to aid a business during a disaster, be it flooding, the loss of a critical member of staff, or a massive business-crippling data loss, the devil is, as always, in the detail.
I have worked with several large organisations in reviewing their compliance with the expectations of their insurers and have two key lessons:
- The Cyber Insurance Market is relatively recent and has little historical record to generate risk profiles against. Additionally, the market is relatively small at the moment, giving insurers a low spread to work against. This has a direct impact on Premiums.
- The Cyber Insurance Policies place obligations on the policy holder to have a good level of security management and protections in place. In many places, this obligation is not complied with – leading to the possible non-payout of the insurance contract.
Insurance services are adapting to this with schemes to reduce Insurance Premiums based on the results of security audits – both to inform the Insurer of the risks they are running and to give the policy holder assurance of the validity of the policy.
