scope:

This Recommendation establishes guidelines for acquiring cyber insurance from an insurer to manage the impact of a cybersecurity incident within the information security risk management framework of an organization.

These guidelines apply in managing cybersecurity risks, sharing relevant data and information with insurers, leveraging security risk assessment results and managing the impact of cybersecurity incidents. This Recommendation also provides guidelines to select an insurer and manage contracts based on the organization's information security risk management.

These guidelines apply to organizations that either wish to purchase or use cyber insurance as a result of a risk assessment. This Recommendation also applies to insurers that provide cyber insurance.

Cyber insurance is no substitute for robust cybersecurity and effective incident response plans, along with rigorous training of all employees, but it is considered as an important component of an organization's overall cybersecurity risk treatment plan.