Cyberinsurance is one way to treat some cyber risks. Which ones?
That disarmingly simple question has taken next month's management seminar down a couple of interesting avenues.
The first concerns which cyber risks one might reasonably expect to fall within the remit of cyberinsurance. Most don't: insurers are particular about the kinds of risks they accept, since they are actively managing their own risks and businesses.
The second is the gap between insurance customers' 'reasonable expectations' and how policy terms and conditions are actually interpreted by the insurance companies and the wider industry, by the legal profession including the courts, and by the regulators.
We can explain the first issue quite easily using the PIGs (Probability Impact Graphs) that we provide in the awareness materials most months. Thanks to repeated prior exposure, we don't need to explain the PIG graphic to the audience laboriously, from first principles: we can leap directly into discussing distinct areas or groups of risks on the PIG. In other words, we are building upon the foundations of information risk and security awareness laid down in previous months, making reasonable assumptions about the audience's knowledge and understanding of the underlying concepts and taking them up a level.
That's cool! It applies very broadly, not just in this specific case. A security-aware workforce starts at or above the ground floor in knowledge terms, not down in some cold, dark, damp and smelly basement.