October 22, 2015

Last Updated on January 13, 2024

Mosi Platt, our ISO 27001 Service Area Manager sent me an interesting email yesterday about a thought-provoking article on a hot topic: cyber liability insurance (CLI).  The crux of the article was that insurance is a data-driven business and that there is a real lack of information available to support the underwriting process:

“One of the reasons that the costs of cyber liability insurance can skyrocket is the insurance industry’s own ambivalence and the unknown risks associated with cyber security. The insurance industry is one of the most data-driven industries there is, and cyber security is still relatively new, volatile and unpredictable, with very limited data to understand impact and frequency.”

The article was intriguing to me because I am spending an increasing level of time dealing with CLI on multiple fronts. On one side, we are working with insurance funds to develop risk characterization programs to better identify critical information security risks across their members so that these risks can be addressed. We are also developing educational programs to ensure that risks are managed on an ongoing basis.

iso-27001-and-soc2-certificationOn the other side, we are working with our clients to better leverage CLI as a risk management tool.  A key part of this is helping to ensure that their information policies / standards / procedures match up to the insurance companies’ requirements (potentially detailed by the cyber liability insurance application).

I have advocated to clients, brokers, and insurers alike that insurers should consider ISO 27001 certification as a strong indicator that a company is managing information security related risk effectively and that the costs and exclusions of the policy should reflect that. The article notes that:

“…the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) brought several insurance carriers, risk managers and security experts together to examine the current state of the cyber liability insurance market and how to best advance its capacity to incentivize better cyber risk management.  They identified four pillars of an effective cyber risk culture that carriers had identified as particularly attractive from an underwriting perspective:

  1. Engaged executive leadershi
  2. Targeted cyber risk education and awareness
  3. Cost-effective technology investments
  4. Relevant information sharing

Mosi “connected the dots” in his email by outlining how ISO 27001 does a strong job of addressing those pillars:

  • Engaged executive leadership is addressed by ISO-27001 Clause 5 “Leadership.”
  • Targeted cyber risk education and awareness is addressed by Clauses 7.2 “Competence,” 7.3 “Awareness” and A.7.2.2 “Information Security Awareness and Training.”
  • Cost-effective technology investments is addressed by Clauses 7.1 “Resources” and 9.1 “Monitoring, Measurement, Analysis and Evaluation.”
  • Relevant information sharing is addressed by Clauses 7.4 “Communication,” ‎A.6.1.3 “Contact with Authorities” and A.16.1 “Information Security Incident Management.”

Two pieces of data that I would like to see are how the number of “notable” security incidents and the net impact of these incidents differs in ISO 27001 certified companies versus non-certified companies. In thinking through the 50+ companies that we have helped achieve ISO 27001 certification, I am not aware of any one of them having a breach of note.
In thinking through the several hundred other companies we regularly work with that are not ISO 27001 certified, I can think of a pretty fair number… with several of those breaches exceeding $20 million in impact. Given that perhaps as many as 10% of the companies that we work with become new customers after having had a breach, my off-the-cuff comparison might not be fair. But it is still interesting (and hopefully telling) that the absence of any breaches among our ISO 27001 certified clients is  a promising sign and a good argument for my assertion that ISO 27001 certification should be a consideration during the CLI underwriting process.