Value Based Risk Management

Session Leader: Grace Crickette

Recently the U.S. Federal Cybersecurity & Infrastructure Security Agency (CISA) of the Department of Homeland Security began recommending that cybersecurity insurance firms encourage the implementation of best practices by basing premiums on an insured’s level of self-protection.

Elevating Cyber Risk Management

In both the Advisen Cyber Conferences and at the National RIMS Conferences, insurance brokers, carriers and risk managers are talking about the need to elevate the Risk Management of Cyber Risk.

  • “Better cyber coverage and better pricing for going beyond the application and demonstrating what improvements you have made and what you have planned.” (Global Broker)
  • “Brokers should be helping Clients to demonstrate improvement” (Global Broker)

One big problem is that the solutions currently available from insurance brokers and carriers are primarily reactive. Those that are proactive only scratch the surface, offering consulting services that focus on improving their clients’ reactive tactics, namely breach response and company policy review. While these are important – they do not add enough risk mitigation value.

A leading executive at a major broker in this space recently advocated that their clients should invest more in IT security improvements, like “DLP, end-point security, malware . . .”, but when asked if he could help his clients decide which improvements to invest in and what the return on investment would be, his answer was, “. . .well that is really difficult to do . . . so no.”

Relating Risk to Business Value

IT security controls and best practices aren’t implemented in a vacuum – their context is Risk Management – which generates the understanding of what controls and best practices to apply based on the value to the business and the execution of its mission.

What that major broker executive did not know is that there is an existing methodology that delivers a superior IT Security and Risk Management solution that is proactive and ensures that the risk, controls and business value are all understood.

This applies not just to information system and IT infrastructure deployments, but to IoT deployments as well, including electronic physical security systems.

As insurance carriers transition from their currently very low competitive insurance rates, and begin setting their coverage and rates based on their clients’ security profiles, any manager or executive with responsibility for information-based systems must have – or be part of – a cyber risk management program that addresses the full spectrum of cyber liability risk.