ISO/IEC 27103 — Information technology — Security techniques — Cyberinsurance [draft]
There is an expanding global market for ‘cyberinsurance’, providing options for the transfer of some information risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from ‘cyber incidents’ (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organization.
Scope and purpose
This standard development project is setting out to explain:
- Essential insurance concepts to information security professionals;
- Essential cybersecurity concepts to insurance professionals;
- What the providers and consumers of cyberinsurance typically expect or demand of each other;
- How to scope, determine, specify and procure appropriate insurance to managers, procurement and insurance sales professionals, and others involved in the negotiations and contracting process;
- The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.
Status of the standard
The standard development project was approved in April 2017. The Study Period delivered an extensive template/donor standard that will soon become the first working draft. If everything goes well, the standard may be published in 2019.
‘Cyber incidents’ covers a subset of information security incidents. Some others such as frauds, intellectual property theft and business interruption can also be covered by insurance, and some such as loss of critical people may or may not be insurable. I am unclear at present on the scope of this standard, but that will undoubtedly be clarified as the standard is developed.
Part of the issue is that ‘cyber’ is not yet a clearly-, formally- and explicitly-defined prefix, despite being such a widely used buzzword. We each have our own interpretations and understandings of the meaning of cyber, some of which differ markedly e.g. I would argue that the information risks associated with cyberwarfare and critical national and international infrastructures (such as the Internet) are much more substantial than those associated with the activities of hackers, VXers and script kiddies generally. Even a massive privacy breach incident is trivial compared to, say, all-out global cyberwar. The range is huge, and yet people are using the term cyber without clarifying which part or parts of the range they mean.
If cyberinsurance follows the same approach as other forms of insurance, we should expect policies explicitly to exclude cyberwarfare ... but defining it may be tricky! Would the Iranians have been covered for the Stuxnet incident, for instance? I believe Sony was able to claim on its insurance following the 2014 hack allegedly involving the North Koreans, so without further information on the terms of their policy, the general position is far from certain. No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims.