ISO/IEC 27102 — Information security management — Guidelines for cyber insurance [DRAFT]
There is an expanding global market for ‘cyber insurance’, providing options for the transfer of some information risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from ‘cyber incidents’ (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organization.
Scope and purpose
This standard development project is setting out to explain:
- Essential insurance concepts to information security professionals;
- Essential cybersecurity concepts to insurance professionals;
- What the suppliers and customers of cyber insurance typically expect or demand of each other;
- How to scope, determine, specify and procure appropriate insurance to managers, procurement and insurance sales professionals, and others involved in the negotiations and contracting process;
- The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.
Status of the standard
The standard is at Committee Draft stage with numerous comments being processed.
It may be published (possibly as a Technical Specification?) at the end of 2019.
The title may be shortened from “Information technology -- Security techniques -- Information security management guidelines for cyber insurance” to “Information security management -- Guidelines for cyber insurance”.
There are differences in how cyber insurance is defined and used around the world, with legal and regulatory aspects too (e.g. I gather compensation for ransomware payments may be legally prohibited in some countries). The standard will need to tread carefully, recommending that users take competent professional advice.
Depending on how the term is defined and interpreted, ‘cyber incidents’ covers a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by insurance, and some such as loss of critical people may or may not be insurable.
‘Cyber’ is not yet a clearly-, formally- and explicitly-defined prefix, despite being such a widely used buzzword. It is used but not defined in the CD versions of this standard. We each have our own interpretations and understandings of the meaning of cyber, some of which differ markedly; e.g. I would argue that the information risks associated with cyberwarfare and critical national and international infrastructures (such as the Internet) are much more substantial than those associated with the activities of hackers, VXers and script kiddies generally. Even a ‘massive’ privacy breach incident is trivial compared to, say, all-out global cyberwar. The range is huge, and yet people are using the term cyber without clarifying which part or parts of the range they mean. Worse still, some (even within the profession) evidently don’t appreciate that there are materially different uses of the term.
If cyber insurance follows the same approach as other forms of insurance, we should expect policies explicitly to exclude cyberwarfare ... but defining it may be tricky! Would the Iranians have been covered for the Stuxnet incident, for instance? I believe Sony was able to claim on its insurance following the 2014 hack allegedly involving the North Koreans, so without further information on the terms of their policy, the general position is far from certain. No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims. At the same time, the insurance industry is well aware that its business model depends on its integrity and credibility: if clients are dubious about being compensated for losses, why would they pay for insurance? Is there a market for insurance insurance?
As drafted, the standard concerns what I would call everyday cyber incidents, NOT the kinds of incident we can expect to see in a cyberwar or state-sponsored full-on cyber attack.
The working draft muddled risk terms, for instance describing the potential impacts of cyber incidents as examples of cyber risks. That said, the outline of potential impacts is quite useful.
I’d still like to see the business case for using cyber insurance as a risk treatment option expanded, laying out the pros and cons, costs and benefits of so doing.