ISO/IEC 27102:2019 – Information security management — Protocols for cyber-insurance

Introduction

The cyber-insurance market is expanding globally, offering organizations a way to transfer some of their information risks to private insurers. The current focus is primarily on sharing risk and compensating the business for cyber incidents that the organization has not avoided, mitigated or simply accepted (for instance a serious data breach caused by a hack or a malware infection).

Scope and objectives

The standard sets out to explain:

– For professionals involved with information risk and security, the fundamentals of insurance;
– For insurance professionals, the essential information security concepts;
– The expectations that insurers and clients of cyber-insurance typically have of each other;
– For managers, procurement and insurance sales professionals, and other parties involved in the negotiation and contracting process, how to scope, determine, specify and procure appropriate cyber-insurance;
– The advantages and disadvantages of implementing such a programme, its costs and benefits, and the constraints and opportunities of doing so.

The standard’s status

The standard was published in 2019.

Commentary

Thanks to the excellent donor document and a dedicated team focussed on producing a standard to guide and support the development of this new market, the drafting process was completed in record time.

While the term “cyber” appears throughout the standard, it is never defined clearly, formally and explicitly.

Rather than focusing on cyberwar or nation-state attacks, the standard concentrates on everyday cyber incidents. Many, if not all, insurance policies explicitly exclude cyberwarfare… but defining it is difficult.

Similarly, a cyber-incident is a subset of an information security incident, depending on how the term is defined and interpreted. Fraud, theft of intellectual property and business interruption are other kinds of incident that can be covered by insurance, while some, such as the loss of critical personnel, might not be insurable at all. Whether cyber-insurance covers any of these depends on the policy’s stipulations.

The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered – another potential minefield for the unwary.

In the case of major claims, loss adjusters and attorneys will be involved. While acknowledging this, the industry as a whole is well aware that it relies on its reputation as well as on its ability to respond to extreme but rare circumstances. It is hoped that this standard will lead to greater understanding and a more open discussion between cyber-insurers and their clients, so that appropriate insurance policies can be offered.

As an insurer or insured, you have a mutual interest in preventing, minimizing or avoiding all types of attack on valuable yet vulnerable data, which is where the ISO27k standards excel. Insurance is one method of reducing the risks associated with information. However, be careful of the small print.
