ISO guidelines for Cybersecurity insurance

1. ISO 27102: Information
Security Management
Guidelines for Cyber
Insurance.
Keith Spencer
Certified Lead Auditor for ISO 41001 and
45001 Management System Standards
Principal Consultant & Trainer, Cerebrii
Solutions Global

2. Current state of Cyber-threats and the insurance sector
Overview of ISO 27102: 2019 Guidelines for Cyber-insurance
01
02
03 Questions & Answers
04

3. Current State of Cyber-threats and the Insurance Sector

6. Latin America &
Caribbean Experience
• Cyberattacks in the region have been increasing,
mainly targeting LAC financial institutions.
• The COVID-19 pandemic and the increase in digital
activity that has been generated in the region, has
further exposed the vulnerabilities of the digital
space in LAC.
• The ThreatMetrix Cybercrime Report identified Latin
America as a focus for account creation fraud, with
around 20 percent of the total volume against an
industry average of 12.2 percent.

7. Internet Penetration in Selected Territories -2021
Territory Residents Internet Users Penetration
Antigua and Barbuda 98,731 79,731 80.8%
Barbados 287,711 234,659 81.6%
Dominica 72,167 51,992 72.0%
Grenada 113,021 74,000 65.5%
Jamaica 2,973,463 1,600,520 53.8%
SVG 111,263 78,900 70.9%
Trinidad and Tobago 1,403,375 1,063,630 75.8%
Source: https://www.internetworldstats.com/carib.htm. Accessed March 31, 2022

9. Information Security Plan
01.
Rigorous Employee Training
03.
Incident Response Plan
02.
Cyber-insurance
04.
Business Continuity Plan

10. Overview of ISO 27102 Guidelines for Cyber-insurance

11. Cyber-insurance Moment of Truth
Will cyber-insurance automatically
protect against the risks?
How can we be certain that
customers are playing their part to
maintain the cover provided?
For Insureds For Insurers

12. The cyber-insurance Dilemma
• Most insurance products are based on decades of
aggregated and actuarial data
• Assessing cyber risks and pricing cyber-insurance
products is difficult because of the evolving cyber
landscape and lack of historical data available to
actuaries
• In the absence of an appropriate analysis of the cyber
risk exposure, organisations can either end up with
insufficient insurance cover, or paying additional
premium for a larger cover which may not be required.
[KPMG]

13. What is ISO 27102?
“ISO 27102 provides guidelines for
adopting cyber-insurance as a risk
treatment option to manage the impact
of a cyber incident within the
organisation’s information security risk
management framework”

14. Purpose of ISO 27102
To structure the cyber insurance
situation by focusing on the insured
and outlining the different procedures
that can be implemented by insureds
as part of the measures that insurers
are likely to need.

15. Approach of ISO 27102
Examines the types of losses that are
insured and the safeguards that
insureds should implement to
accommodate insurance companies.

16. Main Clauses of ISO 27102: 2019
07 08
05 06
Provides information
and a general
description of cyber-
insurance
Cyber-insurance
Generic risk assessment
an insurer typically
undertakes as part of
its cyber-insurance
underwriting
Risk Assessment
Cyber-risks that can be
covered under a cyber-
insurance policy.
Cyber-risks
Information security
management system
data, information,
and documentation
to be shared with
insurer
Information Security Management System

17.  Defines cyber-insurance as a risk treatment
option
 Outline purpose/benefits of Cyber-insurance
 Provides examples of typical losses covered
 Insured to demonstrate compliance with
conditions imposed by the cyber-insurance
policy in relation to on-going management of
the covered cyber risks.
5. Overview of cyber-insurance and
cyber-insurance policy

18. Examples of Cyber-incidents
Data breaches Business Interruption Network Damage

19. Cyber-insurance Policy
Policy can be either stand-alone or be included
as special endorsements to a general liability,
property, or other insurance policy
Policies are not standardized and depends on
the circumstances
Examples of impacts covered [loss of
confidentiality/integrity/information/systems]
5. Overview of cyber-insurance and
cyber-insurance policy

20. Cyber-insurance Policy
Covers additional costs:
 Evaluating impact of the attack
 Implementation of response and recovery
plans
 Legal expertise
 Forensics expertise
 Public relations and communications
support
 Customer notification
 Post incident business restoration.
5. Overview of cyber-insurance and
cyber-insurance policy

21. Expands on Clause 5
Risk management processes for cyber-
insurance
Gives more details on cyber-incident types
Expands on business impact and insurable
losses
Expands on the types of coverage, liability,
incident response costs, loss, theft or damage
to information.
Reputational damage and additional cost
covered
6. Cyber-risk and insurance coverage

22. Operational cost to manage incidents
Cyber-extortion costs
Business interruption
Legal and regulatory penalties
Contractual penalties
System damage
6. Cyber-risk and insurance coverage

23. >
Supplier risks
Silent or non-affirmative coverage
Vendors and counsel for incident response
Cyber-insurance policy exclusions
6. Cyber-risk and insurance coverage
Coverage amount limits

24. >
Clause 7 provides guidelines on underwriting of
the Cyber-insurance policy and pricing
Information collection
Cyber-risk assessment of the insured
Review of prior loss
7. Risks assessment supporting cyber-
insurance underwriting

25. >
Clause 8 provides guidelines on how the
Information Security Management System
can support Cyber-insurance
Linkage to ISO/IEC 27001 – Information
Security Techniques – Information Security
Management Systems Requirement
ISO/IEC designed to establish, implement,
maintain, and continually improve
information security
ISMS provides information for the cyber-
insurance cover
8. Role of ISMS in support of cyber-
insurance

26. >
Clause 8 provides guidelines on how the
Information Security Management System
can support Cyber-insurance
Planning – the insured determines what
risk to address
Support activities – awareness and training,
Information security policy, communication
Operation – plan and control, documented
information, change control, vendor
management
8. Role of ISMS in support of cyber-
insurance

27. >
Clause 8 provides guidelines on how the
Information Security Management System
can support Cyber-insurance
Performance evaluation – provides data on
the effectiveness of the ISMS
Improvement – addressing non-conformities
Sharing information about risks and
controls
8. Role of ISMS in support of cyber-
insurance
Meeting cyber-insurance policy obligations

28. Questions & Answers
This is a sample text. Insert your desired text
for this label of data.
This is a sample text. Insert your desired text
for this label of data.

29. (868) 498-9930
info@cerebriisolutions.global
www.cerebriisolutions.global/