In the first half of 2024, the frequency and value of large cyber insurance claims increased by 14% and 17%, respectively, compared to 2023; according to government reports, global costs associated with cybercrime are expected to grow to $10.5 trillion annually by 2025. As a result of the increasing number of cyber-attacks, businesses are purchasing cyber-insurance to cover all existing financial and operational risks. INCITS/ISO/IEC 27102:2019 (2020) Information security management — Guidelines for cyber-insurance sets forth guidelines when considering purchasing cyber-insurance.
What Is Cyber-Insurance?
Cyber-insurance is a risk treatment option that protects businesses from financial losses caused by cyber-attacks. This type of issuance can compensate the insured against potentially significant financial losses associated with a cyber-incident. According to INCITS/ISO/IEC 27102:2019 (2020), the adoption of cyber-insurance can assist the insured to:
- Minimize the impact of a cyber-incident
- Provide funding mechanisms for recovery from major losses
- Assist the return to normal operations
- Increase resilience of the insured business to cyber-incidents
Specifically, cyber-insurance can help cover the costs of data breaches, business interruptions, network damage, ransomware attacks, and other cyber incidents. For this reason, it is paramount in mitigating the financial impact of a cyber incident, allowing business to continue operations after an attack.
What Is INCITS/ISO/IEC 27102?
INCITS/ISO/IEC 27102:2019 (2020) provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organization’s information security risk management framework. This standard gives guidelines for:
- Considering the purchase of cyber-insurance as a risk treatment option to share cyber-risks
- Leveraging cyber-insurance to assist manage the impact of a cyber-incident
- Sharing of data and information between the insured and an insurer to support underwriting, monitoring, and claims activities associated with a cyber-insurance policy
- Leveraging an information security management system when sharing relevant data and information with an insurer.
INCITS/ISO/IEC 27102:2019 (2020) is applicable to organizations of all types, sizes, and nature to assist in the planning and purchase of cyber-insurance by the organization. It is an American National Standard adoption of ISO/IEC 27102:2019 by INCITS (InterNational Committee for Information Technology Standards).
What Are the Types of Cyber-Insurance Coverage?
Root causes for cyber-security incidents can usually be attributed to failure of people, systems, or processes. Each of these incident types can be covered by cyber-insurance. INCITS/ISO/IEC 27102:2019 (2020) details that cyber-insurance can cover primary categories of business impacts including the following:
- Liability
- Incident response costs
- Cyber-extortion costs
- Business interruption
- Legal and regulatory fines and penalties
- Contractual penalties
- Systems Damage
Why Get Cyber-Insurance?
Cyber-insurance provides financial cover for businesses suffering from a cyberattack and protects organizations from the cost of internet-based threats. It is critical for helping businesses recover from the following:
- Financial Losses—Cyberattacks can lead to lost revenue, higher insurance premiums, and other financial losses
- Reputation Damage—A cyberattack can severely damage a company’s reputation, leading to a loss of trust among customers, partners, and investors.
- Operational Disruptions—Cyberattacks can cause significant operational disruptions, such as systems downtime or loss of critical data, such as the theft of corporate information.
Essentially, cyber-insurance is important because it helps businesses financially recover from the costs associated with a cyber-attack, including data breaches, by covering expenses like data recovery, legal fees, customer notification, crisis management, and potential lawsuits (which could arise from compromised sensitive information).
INCITS/ISO/IEC 27102:2019 (2020) Information security management — Guidelines for cyber-insurance is available on the ANSI Webstore.