The control room inside the Paks nuclear power plant in Hungary. Photo: Bloomberg/Contributor
To insure or self-insure?
Self-insurance for most large corporates often involves the creation of a ‘risk captive’ – a subsidiary devoted to handling the risks of the parent company – without resorting to commercial insurance. Another option is to work with other organizations that share a similar risk profile in mutual non-profit cooperative risk groups, via what are known as ‘risk swaps’, in which a company or organization trades risks with another that has similar exposures. In relation to cybersecurity, risk swaps can be useful because participants receive independent and mutual evaluations of their cyber risk posture.
Regardless of whether an organization chooses to buy external insurance or to self-insure (i.e. by putting aside revenues in preparation for costly incidents), the approach to cyber risk calculation should be the same. Prevention is one part of the equation, but each organization also needs to consider what resources will be needed should prevention strategies fail. Can the likelihood of a hacker’s success be balanced against the maximum potential cost to the organization, and can enough capital and manpower be set aside to get the organization through a crisis? A useful first step is for an organization to ask its chief information security officer (CISO) what resources are set aside and available for incident mitigation, as opposed to incident prevention.