5. The Approach to Cybersecurity: Cyber Risk Management 113

The deductible is the insured party’s residual risk. Residual risk is the risk that remains after being mitigated or transferred. The point of insurance is to reduce the risk to an acceptable amount, not necessarily to eliminate it. The higher the deductible, the lower the premium. It is up to the insured party to determine how much financial risk they want to accept and for what types of losses, and to choose deductible and policy coverages appropriately.

Cyber insurance is a way to transfer cyber risks to an insurance company. Cyber insurance as an industry took decades to mature and for many experts to consider it a sound investment. Cyber insurers have to be experts at assessing cyber risks since they take on so much of it in aggregate through their customers. They conduct research and detailed analyses of the available data, including the likelihood of incidents and their costs, performing calculations similar to the quantitative analysis assessment above. In the early days of cyberspace, making accurate assessments was difficult because of the ever-changing cybersecurity landscape and the dearth of reliable data. Also, the policies were not always clear about what types of incidents were covered and what exclusions applied. This made disputes over claims more likely, and disputes delay payments (if they come at all) and incur legal costs.

One typical exclusion in insurance policies, including cyber insurance, is losses due to acts of war. Insurance policies may state that any loss caused by a nation state in an act of war is not covered. In a highly publicized cyber insurance dispute, a giant pharmaceutical company named Merck suffered over a billion dollars in losses due to the 2017 NotPetya cyber attack. NotPetya was a Russian wiperware virus that targeted Ukraine, but many private companies, including Merck, were caught up in the collateral damage.
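The deductible, coverage limit and exclusions discussed above can be put into the same quantitative terms the chapter uses for risk assessment (single loss expectancy times annualized rate of occurrence). The following is an added example, not from the book: it models a small set of constructed loss scenarios and assumed policy terms, computes the expected annual loss the insured party still retains (its residual risk, including the premium), treats an excluded category such as acts of war as fully retained, and checks the result against a risk tolerance the organization sets for itself. All dollar figures, rates, scenario names and policy terms are constructed for illustration.

```python
"""Residual cyber risk under an insurance policy: added example, not the book's code.
Scenario values and policy terms below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float        # single loss expectancy: dollars lost per incident (constructed)
    aro: float        # annualized rate of occurrence: incidents per year (constructed)
    category: str     # used to match policy exclusions


@dataclass(frozen=True)
class Policy:
    name: str
    premium: float        # fixed annual cost of transferring the risk
    deductible: float     # retained by the insured party on every covered incident
    limit: float          # most the insurer pays per incident
    exclusions: frozenset  # loss categories the policy does not cover at all


def retained_loss(policy: Policy, scenario: Scenario) -> float:
    """Dollars the insured party absorbs for a single incident of this scenario."""
    if scenario.category in policy.exclusions:
        # An excluded loss (e.g. an act-of-war exclusion) is not transferred at all.
        return scenario.sle
    # The insurer pays what exceeds the deductible, capped at the per-incident limit.
    covered = min(max(scenario.sle - policy.deductible, 0.0), policy.limit)
    return scenario.sle - covered


def annual_inherent_risk(scenarios) -> float:
    """Expected annual loss with no insurance at all (sum of SLE x ARO)."""
    return sum(s.sle * s.aro for s in scenarios)


def annual_residual_risk(policy: Policy, scenarios) -> float:
    """Expected annual retained loss plus the premium: what buying the policy really costs."""
    expected_retained = sum(s.aro * retained_loss(policy, s) for s in scenarios)
    return expected_retained + policy.premium


def is_acceptable(policy: Policy, scenarios, tolerance: float) -> bool:
    """True when the residual risk stays within the organization's stated tolerance."""
    return annual_residual_risk(policy, scenarios) <= tolerance


def cheapest_acceptable(policies, scenarios, tolerance: float):
    """Pick the policy with the lowest residual risk among those within tolerance, or None."""
    candidates = [p for p in policies if is_acceptable(p, scenarios, tolerance)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: annual_residual_risk(p, scenarios))


# Constructed scenarios (not real figures).
SCENARIOS = (
    Scenario("ransomware outage", sle=2_000_000.0, aro=0.10, category="criminal"),
    Scenario("customer data breach", sle=500_000.0, aro=0.30, category="criminal"),
    Scenario("nation-state wiper", sle=5_000_000.0, aro=0.02, category="act_of_war"),
)

# Two assumed policies: a higher deductible buys a lower premium.
POLICY_LOW_DEDUCTIBLE = Policy("low deductible", premium=60_000.0, deductible=100_000.0,
                               limit=1_000_000.0, exclusions=frozenset({"act_of_war"}))
POLICY_HIGH_DEDUCTIBLE = Policy("high deductible", premium=40_000.0, deductible=250_000.0,
                                limit=1_000_000.0, exclusions=frozenset({"act_of_war"}))
POLICIES = (POLICY_LOW_DEDUCTIBLE, POLICY_HIGH_DEDUCTIBLE)

if __name__ == "__main__":
    print(f"inherent annual risk: ${annual_inherent_risk(SCENARIOS):,.0f}")
    for policy in POLICIES:
        print(f"{policy.name}: residual ${annual_residual_risk(policy, SCENARIOS):,.0f}")
    chosen = cheapest_acceptable(POLICIES, SCENARIOS, tolerance=300_000.0)
    print("chosen:", chosen.name if chosen else "none within tolerance")
```

In this constructed data the wiper scenario contributes the same expected loss with or without either policy, because the exclusion leaves it entirely with the insured party; that is the situation the Merck dispute turned on, and it is why an exclusion clause deserves the same scrutiny as the deductible when a policy is chosen.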
When Merck filed their insurance claims, their insurance companies cited the war exclusion and refused to cover the losses, and this resulted in a long legal battle that was eventually settled out of court. This incident illustrates some of the complexities involved in cyber insurance policies. The risk of a company being directly harmed by an act of war between two distant countries is unlikely in any world other than cyberspace.

Cyber insurance is now a major industry. Cyber insurers typically require their clients to comply with a checklist of cybersecurity best practices, whether from a well-known standards body like NIST or a custom checklist of their own. The assumption is that implementing cybersecurity best practices reduces the likelihood of cyber incidents, reducing the risk to both the client and the insurance company. Failure to comply with these responsibilities may mean that a loss will not be covered.

Another way to transfer cyber risks is by contracting with a third party for some business functions. Cloud computing has revolutionized the way business is conducted. Cloud computing is the practice of using third-party servers over the Internet for business purposes. One of its benefits is that it allows businesses to transfer some cybersecurity risk to their cloud computing provider. For example, the cloud computing provider is the