We are delighted to announce the birth of another ISO27k standard:
ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance
The newest, shiniest member of the ISO27k family nearly didn't make it into this world. Some in the insurance industry are concerned about this standard muscling in on their territory. Apparently, no other ISO/IEC standards seek to define categories of insurance, especially one as volatile as this. Despite some pressure not to publish, this standard flew through the drafting process in record time, thanks mostly to starting with an excellent ‘donor’ document and a project team tightly focused on producing a standard to support and guide this emerging business market. Well done I say! Blaze that trail! This is what standards are all about.
‘Cyber’ is not yet a clearly-, formally- and explicitly-defined prefix, despite being bandied about willy-nilly, a solid-gold buzzword. It is scattered like confetti throughout but unfortunately not defined in this standard, although some cyber-prefixed conventional common-or-garden information risk and security terms are defined by reference to “cyberspace” which is - of course - the “interconnected digital environment of networks, services, systems, and processes”. Ah, OK then. Got yer.
We each have our own interpretations and understandings of the meaning of cyber, some of which differ markedly. The information risks associated with cyberwarfare and critical national and international infrastructures (such as the Internet), for example, are much more substantial than those associated with the activities of hackers, VXers and script kiddies generally. Even a ‘massive’ privacy breach or ransomware incident is trivial compared to, say, all-out global cyberwar. The range is huge ... and yet people (including ISO/IEC JTC1/SC27) are using 'cyber' without clarifying which part or parts of the range they mean. Worse still, some (even within the profession) evidently don’t appreciate that there are materially different uses of the same term. It’s a recipe for confusion and misunderstanding.
The standard concerns what I would call everyday [cyber] incidents, not the kinds of incident we can expect to see in a cyberwar or state-sponsored full-on balls-out all-knobs-to-eleven cyber attack. I believe [some? most? all?] policies explicitly exclude cyberwarfare ... but defining that may be tricky for all concerned! No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims. At the same time, the insurance industry as a whole is well aware that its business model depends on its integrity and credibility, as well as its ability to pay out on rare but severe events: if clients are dubious about being compensated for losses, why would they pay for insurance? Hopefully this standard provides the basis for mutual understanding and a full and frank discussion between cyber-insurers and their clients leading to contracts (confusingly termed “policies”!) that meet everyone’s needs and expectations.
There are legal and regulatory aspects to this too, e.g. compensation for ransomware payments may be legally prohibited in some countries. Competent professional advice is highly recommended, if not essential.
Depending on how the term is (a) defined and (b) interpreted, ‘cyber incidents’ covers a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various types of insurance, and some, such as loss of critical people, may or may not be insurable. Whether these are included in or excluded from cyber-insurance is uncertain and would again depend on the policy wording and interpretation.
Likewise, the standard offers sage advice on the categories or types of costs that may or may not be covered, depending on the policy wording. I heartily recommend breaking out the magnifying glasses and poring over the small print carefully. Do it during the negotiation and agreement phase prior to signing on the dotted line, or argue it out later in court - your choice.
Personally, I’d like to see the business case for using cyber-insurance as a risk treatment option expanded further (beyond what the standard already covers), laying out the pros and cons, the costs and benefits of so doing, in business terms. It is a classic example of the risk treatment now known as ‘sharing’, formerly ‘transferral’. Maybe I will write a paper on that very topic. Watch this space.