Cybersecurity, as an industry, has become indispensable, owing to recurrent waves of ransomware, rising estimates of cyber threats, and the transformation of the global digital economy in the post-COVID era. The average cost of a successful cyberattack that results in a data breach is currently pegged at INR 12.8 Crores in India. This was most recently demonstrated by the $750,000 ransomware attack on the information systems of Haldiram's India, a well-known Indian food manufacturing company. While an information system that is resilient against every data breach and cyberattack is the ideal outcome, no cybersecurity service in the world can guarantee a 100% success rate in preserving the integrity of an organization's IT systems and sensitive data after a cyberattack.
Against this background, it becomes important for organizations to have a cyber risk management plan. Cyber risk management is an organizational strategy to manage the reputational, operational, and financial risks that have accompanied our increasing dependence on digital technology. This is done through a range of protective and mitigative measures. Two distinct but complementary measures for cyber risk management are (i) Cyber Protection; and (ii) Cyber Insurance. This article briefly discusses the differences between these two concepts by setting out their respective roles in managing cyber risk.
Both Cyber Protection and Cyber Insurance mitigate cyber risk, but the difference lies in how they protect an organization against it. The single most important focal point for cyber protection is the organization's data. Through administrative measures (such as a data privacy policy, a standard operating procedure for granting data access, and password strength requirements) and technical measures (software controls that prevent unauthorized encryption, alteration, access, and corruption of data), cyber protection reduces the likelihood of a data breach and defends the information system in the event of a cyberattack. No set of controls eliminates the risk entirely; it lowers the probability and limits the impact of an incident. In simple terms, cyber protection measures operate before and during a cyberattack. By contrast, cyber insurance indemnifies, or makes good, the financial losses suffered after a cyberattack.
Cyber insurance mitigates risk by identifying, in advance, specific financial costs that may arise from a cyber incident and transferring the risk of bearing those costs to the insurer. Unlike cyber protection measures, which relate specifically to an organization's information systems and data, cyber insurance covers the various costs arising from the damage a cyberattack does to the organization's computing environment and its business as a whole. Broadly, cyber insurance covers two categories of loss: (i) first-party losses, i.e. direct losses to the organization itself resulting from the data breach; and (ii) third-party losses, i.e. the organization's liability for losses suffered by third parties such as customers and service providers as a direct consequence of the cyberattack. However, as with every insurance product in the market, the cover offered for cyber incidents varies from insurer to insurer. Generally, the cyber insurance products in the market cover (a) legal and regulatory costs incurred by the organization for any regulatory penalty or suit arising out of the cyber incident; (b) PR costs incurred to manage the reputational damage caused by a large-scale cyberattack; and (c) the costs of forensic analysis of the cyberattack. Policies also carry exclusions and conditions, and many insurers now make cover conditional on the organization maintaining baseline protective controls, so the two measures are complements rather than substitutes: weak cyber protection can reduce or void the cover that cyber insurance is meant to provide.
Cyber risk is inevitable because handling data involves human judgement, and that element cannot be dispensed with. Cyber risk management can, however, reduce the costs and risks that an organization incurs from cyber threats. In the post-COVID era, cyberattacks worldwide are rising sharply. Cyber insurance is therefore a realistic and essential ask of anyone running an organization, and especially of smaller organizations such as start-ups and SMEs: a cyberattack can be debilitating for an organization still in its incubation period, and its costs cannot realistically be borne by the victim organization alone.