There is an expanding global market for \u2018cyber-insurance\u2019, providing options for the transfer of some <\/em>information risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from \u2018cyber-incidents\u2019 (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organization.<\/p>\n\n\n\n This standard explains:<\/p>\n\n\n\n The standard was published in August 2019<\/strong>.<\/p>\n\n\n\n Note that unlike other published ISO27k standards, the title has \u201cInformation security management\u201d<\/em> in place of the usual \u201cInformation technology – Security techniques\u201d.<\/em><\/p>\n\n\n\n This standard flew through the drafting process in record time thanks mostly to starting with an excellent<\/em> donor document and a project team focused on producing a standard to support and guide this nascent business market.<\/p>\n\n\n\n \u2018Cyber\u2019 is not yet a clearly-, formally- and explicitly-defined prefix, despite being scattered throughout but unfortunately not actually defined in this standard.<\/p>\n\n\n\n The standard concerns what I would call everyday [cyber] incidents, not<\/em> the kinds of incident we might see in a cyberwar or state-sponsored cyber attack. I believe [some? most? all?] policies explicitly <\/em>exclude cyberwarfare … but defining that is tricky.<\/p>\n\n\n\n Likewise, depending on how the term is defined and interpreted, \u2018cyber-incidents\u2019 covers a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various kinds of insurance, and some such as loss of critical people may or may not be insurable. Whether these are included or excluded from cyber-insurance is uncertain and would depend on the policy wording and interpretation.<\/p>\n\n\n\n The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered – another potential minefield for the unwary.<\/p>\n\n\n\n No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims. At the same time, the insurance industry as a whole is well aware that its business model depends on its integrity and credibility, as well as its ability to pay out on rare but severe events. Hopefully this standard provides the basis for mutual understanding and a full and frank discussion between cyber-insurers and their clients leading to appropriate insurance policies.<\/p>\n\n\n\n Meanwhile both insurers and insured share a common interest in avoiding, preventing or mitigating all kinds of incident involving valuable yet vulnerable information, which is where the remaining ISO27k standards<\/a> shine. Insurance is an option to treat the information risks we choose or are forced to accept.<\/p>\n\n\n\nScope and purpose<\/h3>\n\n\n\n
<\/li><\/ul>\n\n\n\nStatus of the standard<\/h3>\n\n\n\n
Personal comments<\/h3>\n\n\n\n