Cyber attacks are getting bigger, costlier, and more frequent, and each major strike draws more media attention than the last. The Lloyd’s Risk Index 2013, a global biennial survey of board-level and senior executives, identified cyber risk as the third-highest risk facing businesses. A proactive defense against cyber risk is the first step in corporate risk management, but government agencies and trade groups have also begun to devise post-attack protections for consumers and the companies that serve them.

The Rise of Cyber Risk Insurance

Organizations are increasingly acquiring insurance coverage to offset part of the financial burden of cyber attacks. The reinsurer Swiss Re predicts “that by 2025, cybercoverage will be in every retail, commercial and industrial insurance policy.” Before acquiring any coverage, though, you should determine the appropriate standard of data protection, because an insurer can deny a claim on the ground of fault, and fault stems from negligence. Insurers judge negligence against what they consider a reasonable effort to protect one’s assets, so a foundational element of cyber risk management is a documented set of security standards that the organization, its insurer, and the courts can reference if negligence is ever in question. Secure practices also make coverage easier to obtain in the first place, because high-risk organizations are a financial burden to insurers.

As more companies brace against cyber threats, common standards are emerging across enterprises in every industry. To respond to the mounting threat, the Obama administration accelerated standardization in February 2013 with Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which required “the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology [NIST] to lead the development of a framework to reduce cyber risks to critical infrastructure.” A year after the order was signed, in February 2014, NIST issued version 1.0 of its Cybersecurity Framework (CSF), a voluntary model of reasonable information security practice and a common starting point for obtaining cyber risk insurance.

Apart from the government’s response, independent standards organizations have long published guidelines for organizational cybersecurity, especially where client data is of paramount importance. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish the ISO/IEC 27000 series, and accredited certification bodies audit organizations against it. At the most basic level, certification to ISO/IEC 27001, the auditable requirements standard for an information security management system (ISO/IEC 27002 is the companion code of practice that guides control selection but is not itself certifiable), signals to insurers that a company manages its risks responsibly and is therefore a candidate for coverage. Financial institutions, whose policies must be more stringent still, are developing industry-specific cybersecurity standards; in the meantime, requiring ISO/IEC 27001 certification and CSF conformance from vendors is an accepted best practice.

Like the financial-sector standards now in development, guidelines in other industries are being written by those industries’ own bodies. In the electric sector the source is the North American Electric Reliability Corporation (NERC), whose most widely recognized standard, NERC 1300, was the draft that became today’s NERC Critical Infrastructure Protection (CIP) reliability standards. The insurance industry itself recently adopted “Principles for Effective Cybersecurity,” drafted by the cybersecurity task force of the National Association of Insurance Commissioners (NAIC). Cybersecurity standards are still evolving and remain, to some extent, industry-specific. When acquiring cyber insurance, remember that an insurer’s duty to pay will turn on whether your company met the applicable standard of care, so familiarize yourself both with the standards in your industry and with the requirements your insurer writes into the policy.

Given the near-certainty that a breach will eventually occur even under the best cybersecurity policies and practices, post-breach loss management is, and will remain, essential. Alongside the growth in cybersecurity standards, Congress is contemplating mandatory cyber insurance requirements to mitigate risk to companies and consumers, and governments and industries alike are promoting, and in some cases requiring, cyber insurance. It is incumbent upon you to familiarize yourself with the cyber insurance market and decide how to integrate such policies into your enterprise risk management program.

By Lisa M. Brownlee