The NIST Cybersecurity Framework is already helping underwriters to assess cyber risk and may provide a standard of care for negligence-based cases going forward.
That was the consensus of industry experts discussing standards and guidelines for managing cyber risk at Advisen’s Cyber Risk Insights Conference in New York this week. The voluntary guide for nationally critical industries on improving cyber security and resiliency was released by the National Institute of Standards and Technology earlier this year.
In the “morass” of laws in the US that address data security, the NIST framework was emerging as a “very important” tool, said Lisa Sotto, chair of privacy and cybersecurity practice at Hunton & Williams.
“It will form a baseline in this country” and possibly internationally for assessment, Sotto said. “Insurers will ask, how do you consider the NIST framework?”
John Coletti, chief underwriting officer for Cyber & Technology at XL, who said he was skeptical at first of the value of a voluntary guide, now felt it would “help the underwriting community, who are disadvantaged when assessing” cyber risk.
The framework is based on risk management principles and best practices, and allows organizations to rate their preparedness in cybersecurity.
“The corporate culture of the company we’re underwriting is key to assessing risk,” said Coletti. “The question of whether they are enforcing risk management protocols is more important than who they’re using to manage their vulnerabilities.”
Indeed, the fact that the framework is “technologically neutral” and doesn’t prescribe specific actions or remedies makes it more valuable in an environment that is as rapidly changing as cyber technology, said Ira Hunt, president and CEO of Hunt Technology.
“NIST creates a common vernacular,” said Shane McGee, chief privacy officer at FireEye Inc. But he cautioned that “compliance does not equal security.”
Recent data breach “headlines are all about compliant companies,” he said, and focusing on compliance can drain resources from finding technological solutions to problems.
“Real security depends on good people, technology and intelligence,” he said. We need to be “exchanging actionable threat intelligence between government and industry,” and between industry and industry. This would help prevent situations in which the same malware continues to succeed.
Insurance carriers can’t collude and avoid sharing information, Coletti said, but “the problem we’re facing is so large, companies may be forced to do things they’re not comfortable with.”
When asked if insurers were referencing the NIST framework in customer applications, Coletti responded, “I don’t see why we wouldn’t.”