In a post on Halock.com, auditor Chris Cronin writes that as insurers try to model cyber risk and brokers try to get the right information from their clients it may be better to focus on management behavior than on hacker tactics.
Using data from NetDiligence reports, Cronin breaks down the costs of crisis services, legal defense, settlements, regulatory defense and fines between small/medium and large organizations. In summary, SMEs can expect their insurers to pay about three times more in crisis costs than in litigation costs, while large organizations can expect insurers to pay more in regulatory costs than in crisis costs. According to Cronin, this means that crisis costs and liability costs are managed differently. Even with smart controls in place, it is difficult to reduce crisis costs. Liability costs, on the other hand, are reduced when management plans its cybersecurity priorities and investments to reduce loss to others as well as to itself. Controls that reduce the likelihood of a breach will not reduce the cost of a breach when it happens (put another way, they reduce frequency but not severity). Administrative controls and risk assessments will not in themselves reduce the likelihood of a breach, but by demonstrating due care and responsibility they reduce regulatory and litigation costs.
If insurers can distinguish between their clients' cybersecurity controls and their risk management, organizations can properly present their controls, noting how those controls fit the organization's budget, priorities and mission. Brokers can assist the process by showing their clients how to demonstrate that they are managing their cyber risks.
For more information, Halock has a Duty of Care Risk Analysis (DoCRA) on its website, and a link to the Center for Internet Security's risk assessment method (CIS RAM).