Cybersecurity Insurance, Internet-of-Things Standards Linked

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Joyce

June 2 — Establishing security standards for the Internet of things (IoT) might help shape the cybersecurity insurance market as an extra benefit to boosting consumer confidence in using those devices, attorneys and insurance specialists told Bloomberg BNA.

However, any resulting standards are likely years from completion and the standards could provide consumers with a false sense of security concerning their connected devices, they added.

The Commission on Enhancing National Cybersecurity, established Feb. 9 by President Barack Obama (See previous story, 02/10/16), is looking into ways cybersecurity insurance might mitigate the cyberattack exposure of individual companies and U.S. industries generally, Kiersten Todt, commission executive director, told Bloomberg BNA.

Specifically, the commission is considering what role, if any, a voluntary or government-mandated security standard for IoT devices might play in developing the cybersecurity insurance market. The commission is interested in exploring whether it makes sense to use a cybersecurity standards approval mark, similar to the UL mark for products following standards set by Underwriters Laboratories Inc.

iot

The implications for the IoT and cybersecurity insurance markets is enormous. Some estimates see 24 billion connected IoT devices by 2020, and nearly $6 trillion spent on IoT solutions over the next five years.

Meanwhile, the number of companies purchasing cybersecurity insurance increased 250 percent between 2013 and 2015 and is continuing that rapid growth (See previous story, 04/29/16).

UL, Other Standards

Companies adopting the standard could place a mark on their products, akin to the UL mark, to indicate the product's manufacturer conforms to the envisioned security standards. The mark and affiliated standards could help the cybersecurity insurance mature, with companies meeting the standards perhaps qualifying for reductions in their cybersecurity.

Analogs outside the insurance industry exist, including the Payment Card Industry Data Security Standard (PCI DSS), mandated by branded payment cards on merchants and administered by the PCI Security Standards Council.

The Online Trust Alliance, a nonprofit industry group whose aim is to enhance online trust and empower users, recently issued its IoT Trust Framework, a voluntary standard companies can satisfy by meeting certain security, privacy and sustainability benchmarks.

Sufficiently Reliable?

Behnam Dayanim, Paul Hastings LLP partner and co-chairman of the law firm's privacy and security practice, told Bloomberg BNA that it may be worthwhile to allow companies to show that they meet a particular security standard, but such a regime might have negative consequences.

“If you end up having a number of different standards, consumers may not really understand what they mean and might be induced to over-rely on a standard or, conversely, discount the standards altogether thinking they're not sufficiently reliable,” Dayanim said. “That would be a challenge that would need to be addressed, but conceptually it could certainly work,” he said.

Other industry professionals agreed.

A self-regulatory body developing a standard could be valuable for consumers and the cybersecurity insurance industry, and could be “worth investigation,” Amy Mushahwar, Zwillgen PLLC counsel and chief information security officer, told Bloomberg BNA. The standard could be much more complicated, however, than the UL standard and its completion is “very far on the horizon,” she said.

Any cybersecurity safety standard would need broad industry approval plus certified individuals who could test a repeatable standard on a multitude of different products, Mushahwar said.

Another option may be for companies to feature the mark of for-profit proprietary enterprises that have developed their own cyber security safety standard, Dayanim, who opposes a government mandate for companies to adopt any security standard, said.

Possible Impact on Insurance

Such a security standard might also add discipline to the evolving cybersecurity insurance market. Even though the market for cybersecurity insurance is growing rapidly, policy premiums as well as contract language and coverage materially vary among policies, and the creation of the standard could help create a more stable market while perhaps providing premium discounts for firms adopting any concluded standard, industry specialists said.

“Creating standards across particular industry segments and having that be factored into how underwriters view that risk, I think, makes a lot of sense,” Sanford Crystal, executive vice president of Crystal & Co., an insurance broker, told Bloomberg BNA.

Crystal said he opposes placing some sort of identifiable mark on products representing their manufacturer conforms to a particular safety standard because the mark could provide consumers with a false sense of security their devices were virtually hack-proof.

Although the UL analog is an easy way to think about establishing security standards, the degree to which insurers could rely on them remains uncertain, Catherine Mulligan, Zurich North American Insurance Co. senior vice president, told Bloomberg BNA.

“We would encourage the research and development of such cyber security standards for connected devices but the degree to which we could depend upon them to remain secure, before they were eventually compromised by a motivated hacker, would continue to be a challenge,” Mulligan said.

To contact the reporter on this story: Stephen Joyce in New York at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com