Launched in February 2013 by the Cybersecurity Strategy of the European Union, the public-private Platform on Network and Information Security (NIS) is looking to develop secure and effective risk management practices for information and communication technology.

The result is a guidance document that was presented at the 3rd NIS Platform plenary meeting of 30 April 2014 in Brussels, and FERMA has been asked to give an “outsider’s” view on the guidance and whether it could be of use when assessing the maturity of organisations for cybersecurity insurance coverage purposes.

To promote the use of cyber insurance, the NIS Platform guidance is suggesting ideas such as:

  • incentives to develop harmonised metrics for calculating insurance risk premiums;
  • development of cyber security insurance schemes (tax incentives, public reinsurance, linking the premium to the implementation of risk management best practices);
  • schemes to cover cyber risk that provide reduced insurance costs if best practice code is adopted.

For FERMA, coverage needs to be matched to the exposure which varies considerably with the type of business. The same program or metrics may not suit organizations with high value financial data, personal consumer data, hi-tech businesses, professional services and others with valuable intellectual property, and critical infrastructure.

The process of completing a cyber insurance application form may in itself be a very useful exercise for an organisation, but whatever the approach, cyber insurance will never be a substitute for effective and efficient risk management.

To understand what cover is needed, a gap analysis of existing insurance programmes is a first step. Some cyber risks will probably already be covered, and the residual risk will have to be evaluated. A cyber insurance policy may be suitable for the residual risks if it is available at a worthwhile level and a realistic price.

One of the greatest incentives to take out cyber insurance could be driven by market forces. Indeed, organisations in the supply chain are increasingly being asked if they have cyber insurance as a “risk control”. Whilst this is a trend in the US, it is now becoming a condition of doing business elsewhere.

Cybersecurity is also a matter of corporate governance. Top management and the board need to be able to deal with technology issues. The involvement of IT is essential, but it also requires a redefinition of the communication and reporting lines within the organisation, with the right people to coordinate and adapt the cross-use of standards, kite marks and insurance products to match the needs of their organisation. For the risk manager, there is a central role as facilitator.

Here is FERMA’s presentation: slideshare/cyber-presentation