If I am ISO 27001 certified, am I getting a premium cut for Cyber Insurance?

india_insurance_logo_2

Cyber Insurance is a means of transferring the risk that an organization is unable to avoid,  mitigate or absorb.

However when a company approaches a Cyber Insurer or a Cyber Insurance Broker, and a question of the cost of insurance crops up, an Information Security Professional is bound to ask a question if his company is considered as a “Standard Risk” or a “Sub Standard Risk” or a “Super Standard Risk”?. The expectation is that if a Company has undertaken more than average measures to secure itself and reduce the risks, it should get some advantage in the premium front.  For example, if a Company has spent money in getting itself certified for ISO 27001, it is a natural expectation that the risk levels in that company should be lower than other comparable entities. Hence it should be considered as a “Super Standard Risk” and a corresponding reduction in premium. Conversely, if the information security preparedness of an organization is low, then the insurance company is entitled to consider the subject as a “Substandard Risk” and charge a risk premium.

In practice however, companies may not know how much of value benefit its ISO 27001 certificate would provide. Alternatively, it may not know what  a COBIT audit or a PCI DSS or multiple audits are worth. Many times an entity would have undergone a security audit from its client though not certified by an ISO or COBIT. In such cases, the company would like to know if there is any difference in the premium charged by an Insurance company.

This is also a very important aspect for Information Security professionals since any reduction in Cyber Insurance Premium on the consideration of the Information Security implementation status of a subject company would directly determine the Return on Investment for investments made on the CISO or the ISMS.

Well, it is time that we the potential buyers of Cyber Insurance or the Information Security professionals know what benefit that a Cyber Insurance Company attributes to our Information Security initiatives.

We expect that some light will be thrown on this issue in  the Indian Cyber Insurance Survey 2015 presently being undertaken in India. The survey will capture what the industry expects in this regard and hopefully we will also capture if there is any gap in perception between what we think it should be and what it actually is.

On your part, please participate in the survey and let your views be recorded.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.