ISO Standard for Cyber Insurance gets one step closer to publication

ISO Standard for Cyber Insurance 27102
The International Standards Organization (ISO) and its technical committee for Information Security have been developing a new Cyber Insurance standard to help organizations better understand their exposure and identify how they might use Cyber Insurance as part of their Information Security and Risk Management activity.
 
This standard (ISO 27102), part of the ISO 27000 family, is now entering the consultation phase ahead of final publication.
 
Information Security and Cyber Risk have become extremely high profile over the past 5 years, and the significance of this standard should not be underestimated. With increasing focus on how companies need to protect themselves, and increasing pressure on what needs to be done to manage the potential impact of a cyber event, insurance is an increasingly important part of the mix, but there are problems.
 
Cyber Insurance has to contend with a staggering range of potential scenarios. Users, brokers and underwriters are working hard to understand these and to develop approaches that provide the right kind of support and good value while managing a complex range of potential issues. For the user, insurance can appear very attractive, but how many really understand the scope, depth and cost of the measures that need to be embedded for them to get the best overall ‘solution’?
 
We also need to consider the danger of firms buying Cyber Insurance in the belief that it will cover the risks they face 'automatically', and to ask how the insurance sector can be sure that its clients are keeping up the work needed to meet the requirements of the cover provided. Time and again, we are seeing reports of organizations that have bought insurance but failed to carry out even the most basic measures to preserve and maintain their security capabilities, particularly across the SME sector.
 
ISO 27102 is trying to bring some structure to this situation, approaching the topic from the perspective of the insured by explaining and detailing the key stages and activities that should be addressed or be in place as part of the measures likely to be required by insurers. Much of the content of ISO 27102 is based on the processes and recommended capabilities already found within the wider ISO 27000 family of Information Security standards, so there should be consistency with the current processes of many organizations.
 
However, it is a concern that few in the insurance field are aware of ISO 27102 and the opportunities (or indeed issues) it might present. Even fewer have had the opportunity to review and comment on it in detail. This is especially worrying because, while the IT dimensions are fairly clear, the broader connections across the business, together with the regulatory, contractual and legal aspects, all have considerable influence too but are largely still in a state of flux.
 
The complexity of these fields and the relative lack of maturity across the insurance sector in this new market suggest that caution should be exercised. Firms buying, or indeed writing, Cyber Insurance need to ensure that they fully understand their exposure and how events may impact more broadly on their activities.
 
This is the theme of another standard, BS31111 from the BSI, published last year, which provides guidance to boards and top management on their responsibilities around Cyber Risk and how to meet them. Another aspect to consider is the differing regulatory and legislative frameworks around the world that need to be incorporated into planning for Cyber Risk; these are far from consistent, which adds further to the complexity being faced.
 
When approached with care, commitment and knowledge, Cyber Insurance can be a highly effective tool that supports companies through a range of cyber events, but striking the right balance can be difficult. Creating a standard should be an inclusive process that brings all stakeholders together to develop a consensus on good practice in the field the standard addresses.
 
With the scale of growth seen over the past 5 years for Cyber Insurance, and predictions of even greater adoption of insurance to address Cyber risks in the future, there is a lot of industry discussion (and in some quarters, concern) about how best to manage the complexity without compromising the quality or integrity of the market. It is important that there is diversity in the cyber insurance market, but there also have to be standards that are relevant and accessible for all stakeholders, ensuring transparency, quality and responsibility to protect the interests of all parties involved.
 
ISO Standards are hugely influential internationally, with over 170 countries using them as the basis for their own national standards and even regulation. This means that for the many governments and regulators who are struggling to come to terms with the complexity around Cyber Risk, a standard for Cyber Insurance is desirable: it provides another driver and an important option that may help improve action on cyber security in their regions.
 
The consultation phase for ISO 27102 has just started. It is critical to the development of the sector that all those engaged in the business of Cyber Insurance, from users to brokers and through to underwriters and reinsurers, take some time to review, assess and give feedback on the proposed standard.
 
Time is short, and to help we will be holding a number of meetings and delivering briefings. If you would like to know more, and perhaps take part directly, please contact us as soon as possible. You can reach us at info@continuityforum.org or on +44 (0) 208 9931599.