
Press release: FERMA raises concerns about ISO proposed cyber insurance guidelines

Published: Apr 2019

4th April 2019 – The Federation of European Risk Management Associations (FERMA) says the proposed ISO cyber insurance guidelines are premature and inappropriate in their current form.

FERMA is concerned about the proposed standard ISO/IEC 27102 on information security management guidelines for cyber insurance. It says the proposed standard is “premature and inappropriate in its current form given the fast pace of technological development. No other insurance product is the subject of an ISO standard”.

FERMA members, the UK risk management association Airmic, French association AMRAE and Belgian association BELRIM, and insurance industry representatives have also expressed concerns about the project. FERMA has urged other member associations to help ensure their national standardisation body is aware of the concerns of the whole insurance market.

FERMA explains that ISO is currently in the final stages of approving guidelines for cyber insurance (ISO/IEC 27102 Information technology – Security techniques – Information security management guidelines for cyber insurance). The document is meant to help IT experts when considering cyber insurance.

This project began three years ago under the leadership of the ISO Information Technology technical committee (ISO/IEC JTC 1), but “without sufficient and adequate involvement from the insurance industry”, as the Global Federation of Insurance Associations (GFIA) noted in a letter to the Secretary General of the International Organization for Standardization.

FERMA board president Jo Willaert said: “Cyber insurance is evolving rapidly in the face of fast technological development. Insurance buyers are working out their needs and the insurance industry is analysing how it can provide cover without unquantifiable exposures. It is too early to agree a standard.”

“In any case, we are not clear why a standard for cyber insurance should be intended for IT security experts. As we have consistently argued, cyber security is an enterprise risk and its management, which includes insurance, requires the involvement of risk professionals.”

Said Philippe Cotelle, FERMA board member: “We appreciate the importance of a well-defined scope and intention for cyber insurance, including the insurers’ information requirements, but it must be agreed by all stakeholders. FERMA, Insurance Europe and broker representatives began this process last year with the publication of Preparing for Cyber Insurance. We believe it would be more effective in developing a sustainable cyber insurance market for us as stakeholders to continue working together. Our publications are accessible for free for IT security experts who have an interest in cyber insurance.”
