June 2 — Establishing security standards for the Internet of things (IoT) might help shape the cybersecurity insurance market as an extra benefit to boosting consumer confidence in using those devices, attorneys and insurance specialists told Bloomberg BNA.
However, any resulting standards are likely years from completion and the standards could provide consumers with a false sense of security concerning their connected devices, they added.
The Commission on Enhancing National Cybersecurity, established Feb. 9 by President Barack Obama (See previous story, 02/10/16), is looking into ways cybersecurity insurance might mitigate the cyberattack exposure of individual companies and U.S. industries generally, Kiersten Todt, commission executive director, told Bloomberg BNA.
Specifically, the commission is considering what role, if any, a voluntary or government-mandated security standard for IoT devices might play in developing the cybersecurity insurance market. The commission is interested in exploring whether it makes sense to use a cybersecurity standards approval mark, similar to the UL mark for products following standards set by Underwriters Laboratories Inc.
The implications for the IoT and cybersecurity insurance markets are enormous. Some estimates see 24 billion connected IoT devices by 2020, and nearly $6 trillion spent on IoT solutions over the next five years.
Meanwhile, the number of companies purchasing cybersecurity insurance increased 250 percent between 2013 and 2015 and is continuing that rapid growth (See previous story, 04/29/16).
Companies adopting the standard could place a mark on their products, akin to the UL mark, to indicate that the product's manufacturer conforms to the envisioned security standards. The mark and affiliated standards could help the cybersecurity insurance market mature, with companies meeting the standards perhaps qualifying for reductions in their cybersecurity insurance premiums.
Analogs outside the insurance industry exist, including the Payment Card Industry Data Security Standard (PCI DSS), which the payment card brands mandate for merchants and which is administered by the PCI Security Standards Council.
The Online Trust Alliance, a nonprofit industry group whose aim is to enhance online trust and empower users, recently issued its IoT Trust Framework, a voluntary standard companies can satisfy by meeting certain security, privacy and sustainability benchmarks.
Behnam Dayanim, Paul Hastings LLP partner and co-chairman of the law firm's privacy and security practice, told Bloomberg BNA that it may be worthwhile to allow companies to show that they meet a particular security standard, but such a regime might have negative consequences.
“If you end up having a number of different standards, consumers may not really understand what they mean and might be induced to over-rely on a standard or, conversely, discount the standards altogether thinking they're not sufficiently reliable,” Dayanim said. “That would be a challenge that would need to be addressed, but conceptually it could certainly work,” he said.
Other industry professionals agreed.
A self-regulatory body developing a standard could be valuable for consumers and the cybersecurity insurance industry, and could be “worth investigation,” Amy Mushahwar, Zwillgen PLLC counsel and chief information security officer, told Bloomberg BNA. The standard could be much more complicated, however, than the UL standard and its completion is “very far on the horizon,” she said.
Any cybersecurity safety standard would need broad industry approval plus certified individuals who could test a repeatable standard on a multitude of different products, Mushahwar said.
Another option may be for companies to display the mark of for-profit enterprises that have developed their own proprietary cybersecurity safety standard, said Dayanim, who opposes a government mandate for companies to adopt any security standard.
Such a security standard might also add discipline to the evolving cybersecurity insurance market. Even though the market for cybersecurity insurance is growing rapidly, premiums, contract language and coverage vary materially among policies. Creating a standard could help produce a more stable market while perhaps providing premium discounts for firms that adopt whatever standard is finally agreed, industry specialists said.
“Creating standards across particular industry segments and having that be factored into how underwriters view that risk, I think, makes a lot of sense,” Sanford Crystal, executive vice president of Crystal & Co., an insurance broker, told Bloomberg BNA.
Crystal said he opposes placing an identifiable mark on products to indicate that their manufacturer conforms to a particular safety standard, because the mark could give consumers a false sense of security that their devices were virtually hack-proof.
Although the UL analog is an easy way to think about establishing security standards, the degree to which insurers could rely on them remains uncertain, Catherine Mulligan, Zurich North American Insurance Co. senior vice president, told Bloomberg BNA.
“We would encourage the research and development of such cyber security standards for connected devices but the degree to which we could depend upon them to remain secure, before they were eventually compromised by a motivated hacker, would continue to be a challenge,” Mulligan said.
To contact the reporter on this story: Stephen Joyce in New York at firstname.lastname@example.org
To contact the editor responsible for this story: Jimmy H. Koo at email@example.com