Underwriting cyber exposure – the business case for certifying

Last week I attended an event hosted by the IT Sector Coordinating Council (IT-SCC) where the Minister-Counsellor for Digital Economy Policy for the Delegation of European Union to the United States of America highlighted the European Union’s (EU) near term goals and objectives for cybersecurity and policy were highlighted. As many of you know, in a little over a month, the General Data Protection Regulation (GDPR) will go into effect.  While a lot of hype is being marketed in a variety of media outlets, including this forum, what the EU is looking to accomplish is not limited to the GDPR.

If you are not familiar with the European Union Agency for Network and Information Security (ENISA), it is worthy of your review. ENISA works with Member States and the private sector to deliver advice and solutions on technology related matters that impact products and services that have inherent cyber risk exposure and includes the development of National Cyber Security Strategies.

Our esteemed guest highlighted a programmatic objective to have a formal certification process for products and services.  The program is designed to be voluntary and to instill consumer confidence in the product and/or services.

Much like GDPR, where the ultimate goal is to protect EU resident data with the ability to implement mechanisms allowing the data subject (individual) the right to be expunged from the data custodian/retainer’s (company using the individual’s data) computing resources, ENISA desires safeguards to be implemented into technology products and services and it is envisioned this will be accomplished with a EU certification Framework.

If you think about how many blogs or articles have been written about Internet of Things (IoT) devices and their lack of inherent security, this is a prime example of what ENISA looks to resolve.

Under their authority the EU foresees new tasks for ENISA in terms of:

• Drawing up cybersecurity schemes within the EU certification framework;
• Support the European Commission in the European Cybersecurity Certification Group.
• Until the Cybersecurity Act comes into force, some of ENISA’s objectives in certification include compiling a list of prospective schemes based on the current ones and seeking to transition to an EU certification framework, as well as prospective schemes based on new application areas e.g. consumers, classes of products e.g. IoT and types of services e.g. Cloud

While not one certification framework has been ratified, it is important to note that positive economic impacts could be obtained through such efforts. More specifically, for cyber insurance or technology errors and omissions premiums. One concern I hear from the insurance industry over and over again is how dynamic cyber is and lack of having a unified standard to draw conclusions of an applicant’s cyber hygiene from.  What ENISA is looking to accomplish may very well position the insurance industry to have some semblance of its wish list. 

The ability to have an independent and agnostic organization provide a certification of a product or service has more upside than down. Granted there remains questions about who should provide the assessment to certify and how often remain in debate. There is a valid question as to “is the certification a one-time deal?” Given the speed in which capabilities evolve, there is a justification to support that such a certification process should follow models where re-certification should be engaged every few years or when a product has a significant update (change is operating system, etc.). 

Regardless of the cadence in review, the insurance sector can benefit from such processes. An organization that invests in independent validation and verification (IV&V) exercises should demonstrate to underwriters and inherent leg up when compared to other applicants. To date, insurance applications do not yet incorporate such modeling as the closest resemblance resides with determination of a Report of Compliance (ROC) predicated upon Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), or Sarbanes Oxley (SOX).

Given IoT devices are forecasted to be highly pervasive in the global supply chain, there is a business and cost justification to insurers that products and services have a certification. While the certification should be a trigger for “insure” or “don’t insure”, the option to provide improved policy offerings does exist.  Examples of how to improve the value of policies may include higher limits, reduced retention rates, or perhaps longer periods of coverage. 

During this same session, I asked the question if ENISA was currently working with any carriers and the response was, “it is unknown if ENISA stakeholders are engaging the insurance sector.”

To accommodate the goals and objectives of implementing a voluntary program in which a manufacturer of IoT devices or technology service providers are to be certified, once the certification framework is codified, there must be incentives for businesses to participate and one benefit is likely going to reside in the form of improving operational expenditures via insurance premiums. 

Over here in the United States, there have been numerous discussions of applying similar requirements consistent with Underwriters Laboratories (UL). To date, only ten companies have obtained this certification from UL and is limited to software evaluations only. According to UL, the benefits include unplanned downtime, costly harm to assets, and reputational harm. There is nothing advertised to support insurance considerations.

As ENISA certification program moves forward, perhaps there are lessons learned from UL’s approach to certification and identify opportunities to continuously improve — not only their process but in marketing the “business value proposition” to first adopters of ENISA’s proposed certification process. If the value proposition can be conveyed in a manner that demonstrates cost reduction for insurance premiums, the more likely a business entity is to consider being a first adopter.