Depending on which section of the media you read, these are dark times. Brexit negotiations are not exactly reaching any kind of consensus or conclusion while over in the US, Donald Trump and the US government have reached something of an impasse on the Mexican wall. What the world is really crying out for is for a hero to swoop in, solve all of this, and leave us with the Hollywood happy ever after ending.
Who doesn’t like heroes? We all have them, super or otherwise. Welsh chanteuse Bonnie Tyler was holding out for one – as that song was in 1984, one can only hope she has now found one! And who can disagree with David Bowie for wanting to be one, even if just for one day?
While we need (more) heroes, what the world does not need is another cyber standard. Just to list a few that are already out there, we have ISO, NIST, CREST, CCM, PCI-DSS, ISF SOGP, NERC, ETSI, ABC, XYZ and QWERTY.
OK – I might have made the last few up. However, given that the above list shows what can happen when you ask a 3-year-old to play with their Alphabetti Spaghetti, what are companies to make of this?
Into this already overcrowded marketplace has ventured the International Standards Organisation (“ISO”), who have taken it upon themselves to develop a standard on cyber insurance – ISO 27102. Why anyone thought this was a good idea when the ISO have no equivalent standard for any other class of insurance is anyone’s guess. However, it’s not unreasonable to think that the ISO might have thought to involve the insurance market in this process…
It seems that the ISO started their deliberations on this topic sometime during 2014. However, it wasn’t until mid-2018 that any insurance market forum in London became aware of it, and that was by the Association of British Insurers (“ABI”) and the International Underwriting Association (“IUA”) being notified by some of their own members, not by the ISO! As things stand, a draft wording was published for consultation just prior to Christmas 2018 with comments due back to the ISO by mid-February 2019.
Cyber, as most insurance market participants will know, is a new class of business that is still developing its product, its policy wordings, its policy response (in the event of a claim) and its case law, in a marketplace where there is a shortage of talent on both the buy and sell sides of the fence. As a standalone product that has only been a major proposition for the last 4 to 5 years, and is therefore still developing from being a toddler to starting at infant school, does the market really need to deal with yet another standard?
Furthermore, standards are usually seen as a form of regulation and most regulations are implemented when the market itself is failing. However, what evidence is there that the market is failing? The market is growing, policies are being written, larger towers are being developed to meet the demands of policyholders and claims are being paid. That seems like a success story of which all cyber market participants can be proud.
That said, the standard itself reads as an introduction to cyber insurance that, to be perfectly honest, any competent cyber broker will already have drafted and given to their clients. Consequently, it is unclear a) what value the standard adds and b) why, therefore, it took the ISO the best part of 4 years to draft it.
What ISO 27102 does do, however, is reference ISO 27001 (the ISO’s standard on information security requirements) by setting out how an Information Security Management System (“ISMS”) can be used to collate information that may be useful to a cyber underwriter. The problem is that implementing ISO 27001 and developing an ISMS requires a significant time and resource commitment from IT, HR and Compliance staff to plan and audit processes, data flows and business operations as a whole. However, the SME marketplace, which needs the most help in understanding cyber security, does not have the finances to fund such an exercise, either by creating its own internal team or by using external consultants. Which means that, for most companies, ISO 27001 is largely ignored, or never fully implemented.
So, is this new standard a hero or villain – Superman or Lex Luthor? I suspect that it is neither, given that it doesn’t really say anything new or include practical advice to an audience that will actually take notice. This increases the probability of it being greeted with total apathy by the cyber community.
Is there still scope for a hero? Being the optimist, I would say yes – anyone who can find a way of educating the SME sector on cost effective cybersecurity solutions to a standard that is acceptable to cyber insurers will have found the cyber equivalent of the Holy Grail. Let’s just hope that we are not holding out for a hero for as long as Bonnie Tyler has been…