Warning – Geeky Insurance Debate

Recently I’d been helping a customer negotiate their cyber security insurance – which turned out to be trickier than I expected. This got me thinking about the role that insurance played in cyber security. Then – coincidentally – I was reading a book on security (Paul Martin’s great “The Rules of Security”) and came across this sentence: “Insurance is sometimes described as a means of transferring risk, but it is really more of a mechanism for softening the financial impact of a loss.” (p 73). It got me wondering – at Axenic have we been thinking about insurance all wrong?

Conventional wisdom in cyber security is that insurance is the example of risk transfer, and that risk transfer is opposed to risk treatment. What Paul Martin is saying here is that the conventional wisdom is all wrong. Firstly, he is sceptical about the notion of risk transfer in general: “Transferring security risk may sound attractive to lawyers and senior managers but it seldom works in practice…If things go badly wrong, the problem usually returns to haunt the original owner” (p 73).

Secondly, he sees insurance as a form of risk treatment that reduces the (financial) impact of a risk. 

Who’s right – Doug or Ahmed?

Convinced by the argument in the book, and thinking that this was rather straightforward, I flicked Ahmed an email and suggested that we add insurance to our list of cyber security controls, and remove risk transfer as a form of risk management activity. So, I was quite surprised to see a quick response in the negative from Ahmed. He disagreed: insurance is a kind of risk transfer, and doesn’t belong on a security controls list.

Ahmed’s argument (sympathetically reconstructed) is this:

  • We really are transferring the financial aspect of the risk to the insurer. If things go wrong they take the financial hit and not us. So this works quite differently from impact-reducing controls, which actually reduce the impact. In one sense the financial impact is reduced for us, but the overall financial impact is not reduced.
  • Insurance is usually owned and managed by the CFO, and is based on the overall financial risk position. Cyber insurance may make no sense, for example, if you are flush with cash and could weather the costs of an event. This is very different, then, from other kinds of control.

Now, Ahmed is in good company. The Certified Information Systems Security Professional (CISSP) is the premier cyber certification. Its study guide says:

Risk Assignment: Assigning risk or transferring risk is the placement of the cost of loss a risk represents onto another entity or organisation. Purchasing insurance and outsourcing are common forms of assigning or transferring risk.

A quick look at a bunch of other enterprise risk management books and sites shows that many people share this view.

But for me, the notion of transferring risk only makes sense if we can transfer all of the consequences. If we can transfer (some of) the financial consequences, but other consequences (e.g. loss of reputation, loss of confidence, harm to individuals) remain, there is no meaningful sense in which the risk itself has been transferred.

Interestingly, the international standard for risk management (ISO 31000:2018) doesn’t talk of risk transfer as opposed to risk mitigation. It describes risk sharing as one method for managing risk, alongside other forms of mitigation. From what I can tell, the idea of risk transfer comes from financial risk management. In that context risk transfer makes sense, as the only consequences of their risks are financial.

Does this question really matter? Partly it is an argument between two security geeks. But I also think that it makes a practical difference. Firstly, and most importantly, we take risk transfer off the table. It’s just a management mirage, and should be discarded as a real option. Secondly, by noting insurance as a control we can look at it holistically alongside the other measures we put in place to reduce the impact of events and ask whether it makes sense and represents value for money.

Which side of the insurance fence do you sit on, risk transfer or security control? Check out our poll on LinkedIn, vote and help us settle the argument.