We can see that we’re able to see where we are carrying risk. Now, only a portion of this risk is insurable. We also need to be sensitive to the fairly extensive set of exclusions present in many of the typical insurance policies today. So, what we really need is a way to position the company’s available insurance arrangements in reference to the acceptable levels of “unremediated risk” (in other words, the remaining risk after all our best efforts at remediation through people, process and technology solutions).

Then we can use these analyses in Thrivaca to intelligently have an informed process that defines an acceptable level of self-insured risk, and as a result the remaining risk we need to look to a conventional underwriter for, where we can buy a properly configured policy that will allow us to transfer our exposure to these remaining risks, as measured by self-insurance cost. We can additionally see how different levels of cyber insurance impact risk, as represented by the yellow portion.

and the self-insurance costs that are currently accruing from these top risks. Now when we are presented with a policy, we can evaluate the terms in reference to the exclusions and levels of coverage to choose the right policy. Three additional dimensions of this particular use case that we often see companies missed before Thrivaca are that:

a.) We can now use Thrivaca to target the precise types, areas and levels of coverage needed

b.) we can use Thrivaca to adjust coverage over time as capabilities and risk exposure shifts and changes

c.) We now have the documentation that properly illustrates the mitigation efforts and risk effects in our cybersecurity program, to allow the company to claim a preferred rate based on reduced actual risk accompanied by the accepted level of documentation for the insurance provider.