ISO/IEC 27102

ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance

(first edition)

Abstract

ISO/IEC 27102 “provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organisation’s information security risk management framework. ...”

[Source: ISO/IEC 27102:2019]

Introduction

There is a global market for ‘cyber-insurance’, offering options for transferring some information and commercial risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from ‘cyber-incidents’ (such as serious privacy breaches caused by hacks and malware infections) that the organisation has not entirely avoided or mitigated, or has simply accepted.

Scope

This standard explains:

  • Essential insurance concepts to information risk and security professionals;

  • Essential cybersecurity concepts to insurance professionals;

  • What the insurers and customers of cyber-insurance typically expect of each other;

  • How to scope, determine, specify and procure appropriate cyber-insurance to managers, procurement and insurance sales professionals, and others involved in the negotiations and contracting process;

  • The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.

Structure

Main sections:

  • 5: Overview of cyber-insurance and cyber-insurance policy

  • 6: Cyber-risk and insurance coverage

  • 7: Risk assessment supporting cyber-insurance underwriting

  • 8: Role of ISMS in support of cyber-insurance

  • Annex A: Examples of ISMS documents for sharing

Status

The first edition was published in 2019.

The second edition is at the first Working Draft stage.

The standard may be refocused on how cyber insurance can both support and draw upon an ISMS, and updated to reflect the current 2022 versions of ISO/IEC 27001 and 27002.


A new title has been approved (“Guidelines for the use of ISMS in support of cyber insurance”) plus a revised scope:

“This document provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organization’s information security risk management framework, as well as leveraging the organization’s ISMS when sharing relevant data and information with an insurer. This document gives guidelines for:

  a) considering the purchase of cyber insurance as a risk treatment option to share cyber risks;

  b) leveraging cyber insurance to assist in managing the impact of a cyber incident;

  c) sharing of data and information between the insured and an insurer to support underwriting, monitoring and claims activities associated with a cyber insurance policy;

  d) leveraging an ISMS when sharing relevant data and information with an insurer.

This document is applicable to organizations that intend to purchase cyber insurance, regardless of type, size or sector.”

Commentary

The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered. It concerns what I would call everyday [cyber] incidents, a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various kinds of insurance, and some such as loss of critical people may or may not be insurable. Whether these are included or excluded from cyber-insurance depends on the policy wording and interpretation.


Insurers are well aware of their dependence on integrity and credibility, plus the ability to pay out on rare but severe events. This standard is a basis for mutual understanding, supporting full and frank discussions between cyber-insurers and their clients on the terms and conditions leading to appropriate insurance cover.

Meanwhile, both insurers and the insured share a common interest in avoiding, preventing or mitigating all kinds of incidents involving valuable yet vulnerable information (digital information included), which is where the remaining ISO27k standards shine.

This page last updated:

26 January 2026

© 2026 IsecT Limited 
