There are four ways of handling a risk, such as the failure of one of your IT systems. The first is to accept it, for example, if it is a non-critical system that you can fix next week. The second is to eliminate it, using mirrored systems and storage in a hot standby scenario.
The third is to mitigate it, using disaster recovery planning and management to get your IT system working again in a way that meets your DR objectives, such as your RTO and RPO.
The fourth is to transfer the risk, by handing it off to some other entity, outside your organization, which is the basis of any insurance contract. But is insurance really an alternative to disaster recovery?
Some insurance companies now offer cyber insurance that covers IT disasters ranging from fires in the data centre to cyber-attacks on mobile devices, depending on the insurance policy.
Protection can include coverage for your organization for direct losses and damages (first party coverage). It may also cover you against claims made against your organization by others affected by your IT incident or accident (third party coverage). But thinking you can just “throw your recovery problem over the wall” to your insurance provider is wishful thinking.
To start with, insurance companies may not even consider insuring you until they are satisfied that your IT processes and security arrangements meet their standards. Next, coverage will only be up to a certain maximum overall, possibly with lower limits for each specific category of IT-related loss or damage.
Moreover, there are likely to be initial levels of damage or loss that you will have to fund yourself, up to a certain minimum. These minima may be defined in terms of financial loss or in terms of the time for which a system is out of action (the first eight hours, for example).
So, in summary, cyber insurance is better considered as an additional measure of risk management, not as a replacement of your current disaster recovery strategy.