This leads us to ask a number of questions:
- How much does a security incident cost the company?
- What is the probability of a security incident?
- Are there operational resources that can cover this risk?
- What are its implications for organisation and governance?
How much does a security incident cost?
Estimating the cost is complex and must be done for each individual company. According to the Ponemon study[1], a security incident in France involving the theft of personal data costs on average €4.34M. Direct costs account for 54% of that figure and indirect costs related to reduced activity for 46%. This reduction is caused not only by unavailable services but, above all, by loss of customers: the same study puts the customer churn rate after an incident at 5.4% in France, the highest of all the countries examined.
What is the probability of a security incident?
Again according to the Ponemon study, over the next 24 months the probability is estimated at 22% for an incident involving 10 000 records and 1% for an incident involving 100 000 records. This probability is much higher than that of, for example, a physical accident affecting a data centre. Despite this, companies and organisations invest primarily in resources that guarantee business continuity rather than in security measures. Even though the impact of such an accident is potentially greater, investment decisions should weigh both probability and impact, not impact alone.
Are there operational resources that can cover this risk?
When discussing cyber insurance, we must underscore the convergence between the business continuity plan (BCP) and the response and remediation plan for security incidents. The BCP provides for the means necessary to deal with a variety of accident scenarios, and those same means can be used to address a security incident. Unfortunately, few companies include security incident scenarios in their BCP. Yet including cyberattacks in the business continuity plan is the second most effective factor, after employee training, in limiting the impact of such an attack.
What are its implications for organisation and governance?
Although cyber security is now included in corporate operational risk analysis, discussing cyber insurance helps to evaluate and quantify the company's exposure to risk. It also supports the dialogue between risk managers and those responsible for defining the policies and operational resources used to deal with cyberattacks. Last, this discussion helps to set priorities based on business impact and to make budget decisions.
Finally, cyber insurance discussions can be seen as an opportunity for CISOs, operational security managers and everyone who deals with cyberattacks on a daily basis. They give the issue the business dimension it deserves, attracting management's attention and helping it take the investment decisions needed to improve the company's level of security.