Ashley Hyde posted an update in the group ORM for IT 9 years, 3 months ago
The answer to your question Edward, in my opinion and from my so far brief venture in to Op Risk from Info Sec, is a clear yes. Insurance is a valid risk treatment in certain circumstances, but I dont believe Cyber Risk is one of them, not entirely anyway. And, you need to know precisely the ‘nitty gritty’ of insurance cover, too many opportunities to not meet the pay-out requirement otherwise.
Better to bolster prevention, detection and intel gathering aspects of risk mitigation. Depending on the industry sector, there are various opportunities to share intel and best practise, but its important to know that this is a persistent risk and constantly changing and evolving.