Pascal Lointier, AIG Europe
According to a survey by a French non-profit, most SMIs and SMBs do not conduct a risk assessment, even though they are increasingly dependent on information systems. Furthermore, and this applies to large corporations too, they have very limited dashboards for measuring the financial impact of security incidents: virus infection, data sabotage, business interruption, or loss of suppliers due to IT issues.
As a result, the impact is much more damaging, because they have not been able to transfer any (financial) risk through cyber-insurance. CISOs will thus know how to be reimbursed for their crisis management costs.
This presentation will explain the basics of cyber-insurance (data and computer resources) and the various direct and indirect losses that could be reimbursed: loss of profit, investigation costs, ransom, extra hours, penalty fees, reputation restoration, etc. This insurance analysis could also contribute to RoSI assessment and will be detailed through some scenarios.