ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance
There is an expanding global market for ‘cyber-insurance’, providing options for the transfer of some information risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from ‘cyber-incidents’ (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organization.
Scope and purpose
This standard explains:
- Essential insurance concepts to information risk and security professionals;
- Essential cybersecurity concepts to insurance professionals;
- What the insurers and customers of cyber-insurance typically expect of each other;
- To managers, procurement and insurance sales professionals, and others involved in the negotiation and contracting process, how to scope, determine, specify and procure appropriate cyber-insurance;
- The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.
Status of the standard
The standard was published in August 2019.
Note that unlike other published ISO27k standards, the title has “Information security management” in place of the usual “Information technology - Security techniques”.
This standard flew through the drafting process in record time thanks mostly to starting with an excellent donor document and a project team focused on producing a standard to support and guide this nascent business market.
‘Cyber’ is not yet a clearly, formally and explicitly defined prefix: it is scattered throughout this standard but, unfortunately, not actually defined in it.
The standard concerns what I would call everyday [cyber] incidents, not the kinds of incident we might see in a cyberwar or state-sponsored cyber attack. I believe [some? most? all?] policies explicitly exclude cyberwarfare ... but defining that is tricky.
Likewise, depending on how the term is defined and interpreted, ‘cyber-incidents’ covers only a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various other kinds of insurance, and some, such as loss of critical people, may or may not be insurable at all. Whether these are included in or excluded from cyber-insurance is uncertain and would depend on the policy wording and its interpretation.
The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered - another potential minefield for the unwary.
No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims. At the same time, the insurance industry as a whole is well aware that its business model depends on its integrity and credibility, as well as its ability to pay out on rare but severe events. Hopefully this standard provides the basis for mutual understanding and a full and frank discussion between cyber-insurers and their clients leading to appropriate insurance policies.
Meanwhile both insurers and insured share a common interest in avoiding, preventing or mitigating all kinds of incident involving valuable yet vulnerable information, which is where the remaining ISO27k standards shine. Insurance is an option to treat the information risks we choose or are forced to accept. It has its place, but beware the small print.