ISO/IEC 27102 — Information technology — Security techniques — Information security management guidelines for cyber insurance [DRAFT]
There is an expanding global market for ‘cyber insurance’, providing options for transferring some information risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences of ‘cyber incidents’ (such as serious privacy breaches caused by hacks and malware infections) whose risks the organization has not entirely avoided, mitigated or simply accepted.
Scope and purpose
This standard development project is setting out to explain:
- Essential insurance concepts to information security professionals;
- Essential cybersecurity concepts to insurance professionals;
- What the providers and consumers of cyber insurance typically expect or demand of each other;
- How to scope, determine, specify and procure appropriate insurance, aimed at managers, procurement and insurance sales professionals, and others involved in the negotiation and contracting process;
- The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.
Status of the standard
The standard development project was approved in April 2017.
The Study Period delivered an extensive template/donor standard, which became the first working draft.
The standard is at Working Draft (WD) stage; the current round of comments deals with typos and some more substantive issues.
If everything goes well, the standard may be published in 2019, possibly as a Technical Specification rather than a full International Standard.
There are differences in how cyber insurance is defined and used around the world, with legal and regulatory aspects too (e.g. compensation for ransomware payments may be prohibited in some countries). The standard will need to tread carefully, recommending that users take competent professional advice.
‘Cyber incidents’ are a subset of information security incidents. Other kinds of incident, such as fraud, intellectual property theft and business interruption, can also be covered by insurance, while some (such as the loss of critical people) may or may not be insurable.
‘Cyber’ is not yet a clearly, formally and explicitly defined prefix, despite being such a widely used buzzword. We each have our own interpretations and understandings of the meaning of cyber, some of which differ markedly. For example, I would argue that the information risks associated with cyberwarfare and critical national and international infrastructures (such as the Internet) are much more substantial than those associated with the activities of hackers, VXers and script kiddies generally. Even a massive privacy breach incident is trivial compared to, say, all-out global cyberwar. The range is huge, and yet people use the term cyber without clarifying which part or parts of the range they mean.
If cyber insurance follows the same approach as other forms of insurance, we should expect policies explicitly to exclude cyberwarfare ... but defining it may be tricky! Would the Iranians have been covered for the Stuxnet incident, for instance? I believe Sony was able to claim on its insurance following the 2014 hack allegedly involving the North Koreans, so without further information on the terms of their policy, the general position is far from certain. No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims.
I’d like to see the business case for using cyber insurance as a risk treatment option expanded, laying out the pros and cons, costs and benefits of doing so.