ISO/IEC 27102

ISO/IEC 27102:2019 – Information security management — Protocols for cyber-insurance

Introduction

The cyber-insurance market is expanding globally, offering options for transferring some information risks to private companies. The current focus is primarily on sharing risk and compensating the business where the organization has not entirely avoided, mitigated or simply accepted a cyber incident (for instance serious data breaches caused by a hack or a malware infection).

Scope and objectives

According to this standard:

– Professionals involved with information risk and security need to understand the fundamentals of insurance;
– Security concepts essential to insurance professionals;
– The types of expectations insurers and clients of cyber insurance typically have;
– For managers, procurement and insurance sales professionals, and other parties involved in the negotiation and contracting process, how to scope, determine, specify, and procure appropriate cyber-insurance;
– The advantages and disadvantages of implementing such a program, the costs and benefits, and the constraints and opportunities of doing so.

The standard’s status

2019 marked the publication date of the standard.

Commentary

Thanks to the excellent donor document and a dedicated team focussed on producing a standard to guide and support the development of this new market, the drafting process was completed in record time.

While cyber is scattered throughout the standard, it has yet to be defined clearly, formally, and explicitly.

Rather than focusing on cyberwar or nation-state attacks, the standard concentrates on everyday cyber incidents. There are many insurance policies that, if not all, explicitly exclude cyberwarfare… However, defining it is difficult.

Similarly, a cyber-incident is a subset of an information security incident, depending on how the term is defined and interpreted. Fraud, theft of intellectual property, and business interruption are some of the other incidents that are covered by insurance, and some, like loss of critical personnel, might not be insurable.
Cyber-insurance may or may not cover these entities, depending on the policy stipulations.

The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered – another potential minefield for the unwary.

In the case of major claims, loss adjusters and attorneys will be involved. While acknowledging this, the industry as a whole is well aware that it relies on its reputation as well as its ability to respond to an extreme, but rare, circumstances. It is hoped that this standard will lead to a greater understanding and a more open discussion between cyber-insurers and their clients to offer appropriate insurance policies.

As an insurer or insured, you have a mutual interest in preventing, minimizing or avoiding all types of attacks involving valuable, yet vulnerable, data, which is where ISO27k standards excel. Insurance is a method of reducing the risks associated with information. However, be careful of the small print.