I hadn’t considered the implications of InfoSec standards compliance from the business side, like insurance. Yet another topic I want to read up on.
If NIST came up with a new standard for cybersecurity, would your organization be insurable for cyber risks when measured against that standard? This was a leading topic of discussion in Dallas last week at the latest in a series of workshops attempting to fine tune the proposed NIST cybersecurity framework (we have discussed previous CSF meetings on We Live Security here and also here, plus a podcast here).
Of course, NIST is a standards agency, not an insurance or enforcement agency. But NIST is within Commerce, and it does purport to provide standards which are widely accepted across an industry by, for example, insurance companies who are looking for some way to measure whether your business stacks up to the “gold standard” and charge you premiums accordingly. At the moment, many companies should be able to qualify for policies (according to at least one panelist), but insurance companies seem keenly interested in certain key indicators, like whether your corporate culture is proactive or reactive with respect to emerging security issues. Do you stay on top of change, or take a more passive stand-back-and-watch approach when it comes to security? The answers to these questions could factor into the rates you pay for cyber insurance (here’s an example of such insurance, offered by AIG, and by ACE USA).
What are your thoughts? Do you have reliable resources for more information?