Lately I’ve seen an increase in presentations about cyber-insurance. Cyber-insurance makes sense as a risk transfer mitigation if used for umbrella insurance or when its cost is lower than the cost of “self-insurance” through other mitigations. This can be calculated during risk assessment if probabilities and impacts are measured, not just valued as low/medium/high or scales of 1 to 5.

This approach can be done quickly and provides a business friendly option for putting cyber-risk into a business context.