Information security and cyber risk have risen to prominence in recent years, and their potential impact should not be overlooked. With increased emphasis on how businesses must defend themselves and increased scrutiny on what must be done to handle the future effects of a cyber incident, insurance is becoming an increasingly valuable component of the solution. However, there are issues.
For instance, businesses purchase cyber insurance under the expectation that it will automatically protect them against the risks they face, but how will the insurance industry be certain that their customers are playing their part to maintain the cover provided?
We continue to hear stories of organisations failing to take even the most minimal of compliance steps to protect and sustain their security capability. This is what ISO 27102 is here to achieve.
What is ISO/IEC 27102?
“ISO 27102 provides guidelines for adopting cyber insurance as a risk treatment option to manage the impact of a cyber incident within the organisation’s information security risk management framework,” according to ISO/IEC JTC 1/SC27 DIS 27102 – Information security management guidelines for cyber insurance. What this means is that:
ISO 27102 attempts to structure the cyber insurance situation by focusing on the insured and outlining the different main procedures that can be handled or implemented as part of the measures that insurers are likely to need.
The standard examines the types of losses that are insured and the safeguards that must be in effect to accommodate insurance companies.
According to ISO/IEC 27102, an ISMS “will provide the insured and insurer with information, records, and paperwork that can be used during the implementation, extension, and life of the cyber-insurance policy.”
Much of the content of ISO 27102 is built on the procedures and proposed capabilities contained in the broader ISO 27000 family of information security standards, and as a result there may be some degree of compatibility with certain organisations’ existing processes.
What is Cyber Insurance?
Cyber insurance is a type of insurance that protects against both direct losses and indirect costs caused by a cyber incident.
This includes covering the cost of notification, credit monitoring, identity theft protection, regulatory defence costs and public relations costs among other things. Cyber insurance also covers a wide variety of risks including, but not limited to: data breach, denial-of-service attacks, extortion, distributed denial-of-service attacks and ransom demands, and access to subscriber data stored on your servers by a third party.
These costs can quickly add up to tens of thousands of pounds if your site is hacked or some of your user data falls into the wrong hands. It’s hard to overstate the importance of cybersecurity today. Years ago, the biggest worry for individuals or businesses was fire, flood and accidental damage to records.
Today it’s hackers who are constantly trying to get into your systems. Just like no one could afford to be without fire insurance some years ago, it doesn’t make sound economic sense for any business or individual to try and operate without cyber insurance today.
NOTE: Cyber insurance will not resolve any of your cybersecurity concerns immediately, and it will not protect you from a cyber breach/attack. Much as homeowners with homeowner’s insurance are required to have appropriate protective measures in effect, organisations must strive to take steps to safeguard their most valuable assets.
Cyber insurance will only assist your organisation with gaining back its footing in the event that anything cyber-related goes wrong. Apart from mitigating business interruption and offering financial security in the event of an incident, cyber insurance can assist with any subsequent legal and regulatory actions.
ISMS.online was the only tool we found that hit the sweet spot of providing a comprehensive and proven ISMS, ‘out of the box’, at a reasonable price for a mid-sized organisation. And unlike many other solutions, a complete ISMS and data privacy were integrated well in one package.
Risk and Compliance Director, REPL
Understanding the Potential Impact of a Cyber Incident
A cyber incident may have a number of negative consequences for an organisation.
For instance, ransomware can render your systems or computers inaccessible, or you may lose data (or the data of your customers) as a result of a virus or malicious attack. It is important to have a thorough understanding of how you are affected and the ramifications to your organisation.
This covers the financial effects of market disruption and the response and recovery costs associated with it. Of course, if you’ve taken any precautions (such as keeping the backup isolated from your network or using a storage provider specifically designed for this purpose), cyberattacks would have a lesser effect.
In contrast to physical accidents such as fires or thefts, cyber incidents are often not limited to a particular location. Understanding how your organisation functions and the interdependence of its various components is critical for assessing the scope of a cyber incident that could have far-reaching effects.
What is the Scope and Purpose of ISO/IEC 27102?
ISO 27102 establishes guidance that an organisation can adopt when considering buying cyber insurance as a risk control option for mitigating the effects of a cyber-incident within the information technology risk management system.
The purpose of ISO 27102 is to suggest recommendations for organisations to:
- Consider purchasing cyber-insurance as a risk mitigation strategy for cyber-risk sharing;
- Use cyber-insurance to aid in mitigating the effects of a cyber-incident;
- Exchange data and information between an insured and an insurer in order to facilitate the underwriting, reporting, and claims processes for a cyber-insurance policy;
- Incorporate an ISMS when exchanging pertinent data and information with an insurer.
This standard is applicable to organisations of all forms, sizes, and types in order to support them in preparing for and purchasing cyber insurance. ISO 27102 also seeks to address the following:
- Security and insurance concepts essential to information risk professionals;
- Essential cybersecurity topics for insurance professionals;
- A typical relationship between an insurer and a cyber-insured;
- The role of managers, procurement and insurance sales personnel, and other participants in the negotiation and contracting process pertaining to cyber-insurance scoping and selection;
- Advantages and shortcomings, costs and benefits, costs and opportunities in cyber insurance.
Implementing Cyber Insurance ISO 27102 Standard
According to the World Economic Forum’s 2015 Global Risk Study, technological threats such as data theft, cyber-attacks, and technology failures rate among the top ten global economic risks.
Given the magnitude of these threats, it is critical that we begin exploring market-driven strategies for enhancing the protection of organisations that hold personal information. One such approach is cyber insurance. However, a set of guidelines or a framework will help organisations speak the same language when it comes to cyber insurance, regardless of industry or location. This is one of the core benefits of adopting the ISO 27102 standard for cyber insurance.
At ISMS.online, we leverage our expertise and cutting-edge technology to provide a cloud-based platform that enables you to demonstrate compliance with the cyber insurance standard. Our platform can help you demonstrate that your ISMS meets the basic requirements to complement your cyber insurance checklist.
ISMS.online also provides a Virtual Coach that offers 24/7 context-specific support. You can chat with us from within our platform, so you’ll never take the wrong step or lose your way. Call ISMS.online on +44 (0)1273 041140 to find out more about how our platform can help you run an integrated management system that works well with your cyber insurance framework.