I'm evaluating our response to a high-impact ransomware risk. The cost of a full "Zero Trust" architecture (Mitigation) is astronomical, but our Cyber Insurance premiums (Transfer) are also rising. For a CRISC-certified manager, what is the "tipping point" where you stop investing in technical controls and just buy more insurance? Is there a formula for this?
3 answers
The "formula" you're looking for is a thorough Cost-Benefit Analysis (CBA) compared against your ALE (Annualized Loss Expectancy). In 2023, I handled a similar scenario. We found that the Zero Trust project would cost $500k but only reduce our ALE by $200k. That’s a bad ROI. However, remember that Insurance (Transfer) doesn't cover "reputational damage" or "loss of customer trust." My advice is to mitigate the "High Likelihood" risks to a manageable level and then transfer the "Catastrophic" residual risk that you can't afford to fix.
Are you factoring in the "Requirements" from the insurance company? Many providers now won't even sell you a policy unless you've already implemented certain mitigation controls like MFA or EDR.
Risk Transfer is not "Risk Elimination." You still own the operational fallout; you just get a check for the financial part. Don't confuse the two.
Great distinction, Elizabeth. The CRISC exam emphasizes that the "Risk Owner" is still the business manager, regardless of who pays for the recovery.
Richard, you’re spot on. Our insurer just told us our policy won't renew unless we show proof of an active Incident Response plan. Jennifer, your point about the "residual risk" is what I needed to hear. We were trying to "eliminate" the risk, which is impossible. I’m going to re-run our numbers to see where we hit the point of diminishing returns for our security spending and use the insurance for the "Black Swan" events that our technical controls can't stop.