Does Cyber Insurance promote Cyber Security Best Practice? An Analysis based on Insurance Application Forms-Reference-Cited by-同舟云学术

Does Cyber Insurance promote Cyber Security Best Practice? An Analysis based on Insurance Application Forms

Published:2024-07-04 Issue: Volume: Page:
ISSN:2576-5337
Container-title:Digital Threats: Research and Practice
language:en
Short-container-title:Digital Threats

Author:

Adriko Rodney¹^ORCID,Nurse Jason R.C.¹^ORCID

Affiliation:

1. Institute of Cyber Security for Society (iCSS), School of Computing, University of Kent, Canterbury, UK

Abstract

The significant rise in digital threats and attacks has led to an increase in the use of cyber insurance as a risk treatment method intended to support organisations in the event of a breach. Insurance providers are set up to assume such residual risk, but they often require organisations to implement certain security controls a priori to reduce their exposure. We examine the assertion that cyber insurance promotes cyber security best practice by conducting a critical examination of cyber insurance application forms to determine how well they align with ISO 27001, the NIST Cybersecurity Framework and the UK’s Cyber Essentials security standards. We achieve this by mapping questions and requirements expressed in insurance forms to the security controls covered in each of the standards. This allows us to identify security controls and standards that are considered – and likely most valued – by insurers and those that are neglected. We find that while there is some reasonable coverage across forms, there is an underrepresentation of best practice standards and controls generally, and particularly in some control areas (e.g., procedural/governance controls, incident response and recovery).

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/3676283

Reference119 articles.

1. H. R. Skeoch. 2022. Expanding the Gordon-Loeb model to cyber-insurance. 112, (July 2022), 102533.

2. CISA. 2014. Cybersecurity Insurance Industry Readout Reports. Retrieved June 5, 2022. from https://www.cisa.gov/publication/cybersecurity-insurance-reports

3. HM Government & Marsh Ltd. 2015. UK Cybersecurity: The role of insurance in managing and mitigating the risk. Retrieved June 5, 2022 from https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/UK_Cyber_Security_Report_Final.pdf

4. ENISA. 2012. Incentives and barriers of the cyber insurance market in Europe. Retrieved June 5, 2022 from https://www.enisa.europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe/at_download/fullReport

5. A. Cartwright E. Cartwright J. MacColl et al. 2023. How cyber insurance influences the ransomware payment decision: theory and evidence. 48 (July 2023) 300–331. DOI: https://doi.org/10.1057/s41288-023-00288-8