S 6.16 Taking out insurance
Initiation responsibility: Top Management
Implementation responsibility: Top Management
Every organisation must decide how it will handle the residual risks that remain even after security safeguards have been implemented. Taking out an insurance policy can help lower the financial damage incurred. To some extent, it is also possible to insure against consequential damage resulting from the failure of the business processes affected by the damage (e.g. insurance against business interruptions caused by fire). It must be noted, though, that some types of residual risk cannot be insured, for example damage to your reputation. For this reason, any special terms and disclaimers should be taken into account before signing an insurance policy. It must also be taken into account that a long period may have to be bridged financially before the insurance company pays compensation for the damage.
German government agencies are not normally required to take out insurance.
Insurance policies can be divided into the following types:
- third-party damage (liability insurance)
  - Personal injury, material damage, damage to the environment, and property damage
- first-party insurance (property insurance, including insurance against software damage)
  - Building insurance
  - Contents insurance
  - Loss of revenue insurance (insurance against business interruptions)
  - Electronic equipment insurance
  - Fidelity insurance (e.g. insurance against computer abuse)
- legal protection insurance
There is a table in Resources for IT-Grundschutz containing a brief overview of which types of insurance can help in which areas to reduce the financial impact of the potential damage.
Review questions:
- Has it been examined whether insurance needs to be taken out against the residual risks to cover potential damage?
- Was the scope of the protection to be provided by the insurance also determined with regard to the amount?
- Are the existing insurance policies checked regularly to ensure they are still appropriate for the current situation?