Research field: Analysis
Venue: Digital Threats: Research and Practice, Volume 5, Issue 3
The significant rise in digital threats and attacks has led to an increase in the use of cyber insurance as a cyber risk treatment method intended to support organisations in the event of a security breach. Insurance providers are set up to assume such residual risk, but they often require organisations to implement certain security controls a priori to reduce their exposure. We examine the assertion that cyber insurance promotes cyber security best practice by conducting a critical examination of cyber insurance application forms to determine how well they align with ISO 27001, the NIST Cybersecurity Framework and the UK’s Cyber Essentials security standards. We achieve this by mapping questions and requirements expressed in insurance forms to the security controls covered in each of the standards. This allows us to identify security controls and standards that are considered—and likely most valued—by insurers and those that are neglected. We find that while there is some reasonable coverage across forms, there is an underrepresentation of best practice standards and controls generally, and particularly in some control areas (e.g., procedural/governance controls, incident response and recovery).
| Year of publication | 2024 |
|---|---|
| Citation count | 4 |
| Country of publication | Andorra |
| Site | ACM |
| Likes | 0 |