If cyber risks appear regularly in surveys of things that might keep the CEO awake at night, they undoubtedly give risk managers some uncomfortable moments, too. The first thing to do to manage this risk is not to ask – What insurance solutions are available? There is a three-stage process to go through before reaching for the broker.

Step 1: Identify what “cyber risk” is – more properly a discipline of information security. The first step is to understand the risks and conduct a risk and risk treatment assessment. This is a well understood process, but I find it quite surprising how many businesses for some reason go straight to Step 3 when considering this suite of risks.


Julia Graham Vice-President of FERMA

There is a wealth of knowledge available to help the risk and insurance manager understand these exposures, which are not solely the domain of the IT manager and department. Take time to look at the many excellent publications offered by ISO, insurers, underwriters and trade associations. If you are responsible for risk financing for a larger organisation, ask your head of IT whether your business is a member of the Information Security Forum (ISF) and if not, why not. ISF is a group of thought leaders in all things information management. I commend you to take a look – there is no assumption that you are an “IT geek”, and many publications are clear, easy to read and designed for managers in general, not just the IT manager.

Step 2: Consider what insurance you already have. Conduct a gap analysis to appreciate what covers are already in place and for what scope and limits. Are there any scenarios identified by the risk management process that the business might find of value to transfer?

Step 3: Complete an insurer/broker risk assessment and application – a useful process in itself. Documents often follow closely the structure of the information security standard ISO27001. While not the panacea to managing information security, the standard provides a logical structure – the difference is, however, that the underwriter will be interested in how a business manages this exposure at an entity level and not just the part of the organisation certified.

This is the point to start considering risk transfer. Many cyber risk policies are still evolving, but more than 25 insurers now offer products, and the capacity available has improved considerably over the last 12 months. However, many of these solutions remain new and many are US-focussed, and we know little about how they will perform under pressure.

Once we have reached our conclusions, we have to look at the products on the market and how they match our needs. Cover varies as regards scope, limits and inner limits. Take care. This is not generally an “off the shelf” purchase.

The board and senior management will want to know how the treatment and insurance we are recommending will protect the business and whether it is good value for the additional cost. One of the best ways of raising awareness is to get a subject matter expert who communicates in board-friendly language in front of the board. Ask insurers and brokers for this. They have some great people and materials for us to use. Adding value like this, rather than simply selling a product, helps differentiate one broke