This question has become more important against the backdrop that current cyber insurance coverage looks paltry when set against the scale and growing cost of cybercrime.
Within the $7 trillion insurance industry, cyber insurance coverage is estimated at approximately $10 billion.

While cyber risk management is a relatively recent area of business and enterprise risk, the growing scale of cybercrime, projected to exceed $20 trillion by 2026, points to a significant disconnect between the size of the risk and how much of it is underwritten by insurance companies.

Granted that organizations will not and cannot transfer all cyber risk to insurance companies, the figures above do indicate that most organizations may have a significant cyber insurance coverage gap.

Questions for industry players:

For enterprise cyber security leaders:
- How much cyber insurance does an organization require?
  - There may not be a one-size-fits-all answer.
  - There are likely to be industry differences.
  - Organizational risk appetite should come into play.
- For leaders who have arranged cyber insurance coverage for their organizations, what is or was the coverage ratio (enterprise asset value to coverage), or were other approaches used?
- In your experience, what role do the organization's other stakeholders (Legal, Audit, business Operations) play in deciding the size (scale) of cyber risk to be insured?
- For organizations that choose to be self-insured, what are your key criteria for adopting this strategy?

For policy makers:
- Is there a role for government mandate as part of the tool suite to advance cyber resiliency?
- Should governments (at each level) introduce a mandate for cyber insurance coverage?
- Will mandating cyber insurance coverage become an incentive for cyber criminals?

For insurance cyber risk underwriting advisors and leaders:
- Is there an adequate skill set to properly evaluate cyber risk and to ensure appropriate risk pricing?
- What underwriting advice do you provide to organizations regarding cyber risk insurance?
  - There may not be a one-size-fits-all answer.
  - There are likely to be industry differences.
  - Organizational risk appetite should come into play.
- Do you evaluate organizations' maturity against any of the standard risk frameworks (NIST, ISO, etc.), and do you factor any of these into cyber risk underwriting and premium calculation?

Share your feedback and thoughts on this topic.
Cyber resiliency and cyber risk management must be multi-faceted to meet each organization’s unique cyber risk profile.
This write-up is not AI generated.