Insurance sector supports re-use of existing standards for cyber incident reporting

The insurance sector supports convergence and the re-use of existing standards for cyber incident reporting, including with ongoing initiatives, Insurance Europe said in its response to a consultation conducted by the Financial Stability Board on cyber incident reporting.

Any new initiatives should aim to encourage best practices and refrain from establishing new requirements, such as additional information channels or multiple layers of reporting.

According to the insurers’ European federation, the FSB initiative does not take account of existing standards for cyber reporting, such as MITRE, Traffic Light Protocol and Information Exchange Policy, which are already used by cyber emergency risk teams (CERT).

Cybercrime has catastrophic consequences in today’s corporate environment, including, among other things, revenue and profit loss, brand ruin, erosion of consumer loyalty, competitive disadvantages and crippling lawsuits.

Insurance Europe maintains its position that consistency in the terminology used across different legislation and texts will facilitate greater convergence in cyber incident reporting.

Cyber risk has undergone several episodes of change in its relatively short history, but the escalation in ransomware frequency and severity in 2021 and 2022 was unlike anything experienced previously.

The accompanying retrenchment of insurance capacity, coupled with a wave of demand globally, caused a supply and demand imbalance of such extremity that the average cost of cover more than doubled (see 5 Key Benefits of Ransomware Insurance).

In a ransomware attack, the cybercriminal demands a ransom to free the locked system, threatening to publish the data, including personal information and company data, if the ransom is not paid.

The insurer’s annual review of the cyber risk landscape also highlights the emerging threats posed by the growing reliance on cloud services, an evolving third-party liability landscape that means higher compensation and penalties, as well as the impact of a shortage of cyber security professionals.

Following recent cyber attacks, organizations worldwide are beginning to see the crucial need for lifesaving protections that warn when risk is present. They understand that they need “risk sensors” to prevent dangerous scenarios from occurring and to keep inevitable cybercrime from becoming tragic when it appears (see Cybersecurity and the Cyber Insurance Market).

by Peter Sonner