As companies continue to come under fire from hackers, many corporate security officers are turning to the insurance sector to understand what constitutes good cybersecurity.
For industries that are not as highly regulated as the health care sector, there is “relatively little official guidance on security, and ideas about best practices tend to be fragmented. The government and a couple of industry organizations provide some assistance, but for the most part organizations are left to make their own way through the digital world. Although this may be a benefit for a few companies that thrive on the lack of regulation by being flexible and innovative, the majority of companies are looking for standards that ‘help strengthen defenses, improve risk management, and make it easier to defend against accusations of negligence in the event of a major breach.’”
Insurance companies are gaining expertise in the cybersecurity arena by hiring lawyers to monitor the regulatory environment and actuaries to monitor and handle risk, while partnering with security firms to offer robust security systems that prevent, or aid recovery from, cyber attacks. Insurance companies can use a framework similar to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity “to evaluate risk in corporate cyber insurance policies.” Experts claim that insurance companies could use the NIST framework to “score companies based on the dozens of safeguards or countermeasures known as control objectives outlined” in the framework. They would then use this score to set premiums, determine the level of deductible, and decide “how much coverage a company would receive.”