By Ben Fidlow, FCAS, MAAA, Rachel Andvig and Michael Lester, RPLU, WTW
High-profile incidents are putting pressure on risk managers to take control of cyber vulnerabilities while also managing costs. Closer board-level scrutiny means that, as a risk manager, you need robust evidence showing your cyberinsurance calls are the right ones to protect the business while delivering value.
This insight, based on our recent Outsmarting Uncertainty webinar, ‘How you can apply cyber risk analytics to inform risk management and insurance decisions,’ offers five ways you can use analytics to get ahead of both threats and board-level scrutiny of your recommended insurance strategies.
Through collaborative working across business functions, facilitated by analytics, better cyber risk cost management and more effective coverage are both within reach.
01 Use analytics for comprehensive cyber risk assessments
You can make better cyberinsurance decisions with a more thorough understanding of your cyber risk landscape. Conducting a comprehensive cyber risk assessment may involve breaking down silos between departments. This is so you can both gather all the relevant data and secure buy-in for your ultimate recommendations, plus the budget you’ll need to execute them.
Frameworks like MITRE ATT&CK can help you gain a fuller picture of potential threats while engaging various stakeholders across the organization, as well as external specialists, where required. For instance, collaborating with forensic accounting valuation services can help determine potential business interruption risks from cyber attacks.
A comprehensive evaluation of your cyber risks means you’ll be better equipped to provide robust answers to the C-suite’s critical questions. These might include questions on exactly what level of cyber risk the business faces, how far this aligns with your overall risk tolerance and how much insurance you should be buying.
Industry-specific scenario modeling can help you more fully assess business interruption risks as they relate to your organization. Here, analytics can help you accurately predict and quantify the financial implications of your industry-specific cyber risks in the context of your existing controls and coverages.
By using analytics, you can offer senior leaders insight that helps them make better, more informed decisions about cyber risk management and insurance.
02 Use analytics to evaluate your current cybersecurity and cyberinsurance
Do you have conflicting opinions on your cyber vulnerabilities? Perhaps your security team wants more insurance, your treasurer less. You can use data and analytics to move past subjective takes and inform more effective and efficient cyber risk management decisions and insurance strategies.
A proactive approach here involves running analytical assessments of your cyber risk, controls and vulnerabilities. For example, analytics can validate the value of your existing cyberinsurance coverage and determine if the current limits are appropriate. This data-driven approach lets you mediate between different stakeholders with conflicting views more easily.
A thorough, holistic analytical risk assessment should locate cybersecurity as part of your organization’s overall strategic risk management, treating cyber threats as business-critical risks, rather than simply technical or IT infrastructure issues. With this sort of approach, you can better assess the impact of cyber incidents on your business operations, reputation and revenue.
03 Use analytics to communicate cyberinsurance value and break down silos
By using analytics, you can communicate the value of your cyber risk management decisions to senior leaders like the CIO, treasurer and CFO. Analytics helps you speak their language and build consensus on the optimal way to allocate resources. You can present data-driven insights that move the business away from subjective budget allocations based on ‘who shouts the loudest,’ to a more objective approach based on auditable evidence.
04 Use analytics to optimize cyberinsurance coverage
To get the best from your cyberinsurance coverage, you need to craft strategies that align with your organization's cyber risk tolerance. This might involve some key focus areas:
Information gathering from data-driven analytics during the renewal process to create a more tailored insurance program that responds to your organization's specific needs and risk controls.
Identifying your organization's true ‘crown jewels’ using cyber risk quantification models and crafting coverages more aligned with protecting what's most important. For example, quantification insight can help refine underwriting assumptions with key inputs on revenue streams that could validate decisions to adjust insurance coverage and keep premiums down.
Checking policy wording and coverage using analytical insight to ensure they cover key risks crucial to your organization’s resilience, without leaving gaps and insurance shortfalls.
05 Use analytics to explore alternative risk transfer for cyber risk
Analytics can help you interrogate whether alternative risk transfer options, such as captives, could be the most efficient way to respond to your cyber risks. You can work with analytical specialists to test strategies when considering whether to establish a new captive, or to see whether an existing captive might be extended to cover cyber risks.