We've started working on August's NoticeBored module, covering cyberinsurance - a new security awareness topic.
As with all cyber-things, our first task is to define what we mean - easier said than done, given that cyberinsurance is a neologism, a newly-coined term that means different things to different people and organizations (not least the insurers!). It is often used informally without much effort to clarify the meaning, or in distinctly biased and narrow terms by insurance companies promoting their particular products - smoke and mirrors maybe.
For the module, we'll explain cyberinsurance in the business context of commercial insurance ... which means we also need to describe the various forms of commercial insurance, so I've been exploring the web to find out more about that. It's quite confusing so one of our tasks this month is to simplify and structure things for the awareness audiences.
It looks as if management will be the primary audience for this topic. Some managers may already know about cyberinsurance and have it in place, but I suspect it will be new to most. There are strategic, policy, risk management, governance and compliance aspects to draw out, as well as the commercial side and more practical angles (such as the possibility of drawing on insurers' expertise for assistance in times of cyber-crisis).
For professionals, aside from describing what cybersecurity is about, we will probably discuss the need to put other controls in place to reduce the probability and impact of cyber incidents, taking care to fulfill obligations stated or implied by the policies in order to treat the risk of cyberinsurers refusing to pay claims in full. We'll make the point that those things ought to be done anyway and should not be perceived as a burden imposed by the insurance.
For the general employee stream, as well as outlining commercial cyberinsurance, we can describe those forms of cyberinsurance aimed at individuals and families. Taking it back to basics, we might also need to explain the concept of insurance as a whole, in terms likely to resonate with the audience.
So, as you see, the scope and purpose of the module are emerging from the mist and should become crystal clear in the next week or so.