The National Institute of Standards and Technology (NIST) hosted a workshop April 5-7 on the NIST Cybersecurity Framework (CSF). The workshop allowed industry representatives to provide the collaborative input needed to improve the use and utility of the CSF.
There were about 900 registrants from various industry sectors, including international representation — the largest event NIST has ever hosted. The turnout for this event and the extensive interaction among all of the participants show that the CSF has changed the nature of cyber risk management in a positive way.
One of the highlights of this workshop was the panel discussion on cyber liability insurance and how insurance companies are using the CSF to help better understand and underwrite cyber risk. The panel, moderated by Matt Shabat with the DHS Office of Cybersecurity and Communications, consisted of:
- Erica Davis, Zurich Insurance NA
- Tom Finan, Ark Network Security Solutions
- Ryan Gibney, Lockton
- Steve Horvath, Telos Corporation
- Marcin Weryk, XL Catlin Insurance
Early in the session, the panel discussed whether they are now any better able to glean from their customers the information they need about their cyber security posture. The panelists confirmed that they can get more information today than in the past, with the CSF helping in that effort.
Erica Davis with Zurich Insurance said that a security engineer walks the customer through each of the five steps of the CSF to ensure everyone involved understands its requirements and expectations. She also described the thorough underwriting meetings her firm holds with all insurers involved in a cyber insurance policy.
The panelists also agreed that one of the key benefits of the CSF is that it provides a common vocabulary for risks and controls, facilitating deeper cyber risk conversations among brokers, underwriters, and companies who are seeking cyber coverage. The CSF helps to break down siloes within companies and helps security and risk specialists to communicate with the C-suite and board room in a “business-friendly” way.
Underwriting the “Security Culture” of an Organization
Marcin Weryk with XL Catlin Insurance further observed that the CSF has allowed insurance companies to move beyond just looking at IT risks, allowing them to underwrite the “security culture” of an organization. Tom Finan with Ark NSS suggested four things that help to create a more effective risk culture: (1) executive leadership; (2) education and awareness; (3) role of technology and (4) information sharing.
The notion of security culture is very important, as managing cyber risk is not strictly limited to IT. Panelist Ryan Gibney with Lockton noted that a holistic approach to risk management encompasses people and processes as well as technology.
In fact, about 75 percent of NIST security controls are non-technical in nature. The CSF actually addresses a broad set of issues beyond technical security controls that can contribute to the accumulation of cyber risk, such as roles and responsibilities, awareness and training, security process and procedures, incident response and recovery planning, and communication.
A Common Framework Leads to Better Insurance Products and Pricing
The panel also acknowledged that the CSF allows cyber insurance underwriters to put out better products and price them with greater precision. For example, the panel discussed the challenges of rating customers and pricing policies in the absence of historical actuarial data concerning cyber-related events.
Calling the CSF “a Rosetta Stone for talking about risk,” our own Steve Horvath noted that the CSF supports the development of a common frame of reference for sharing and analyzing claims data in order to create actuarial tables for cyber liability policies. That opinion comports with the U.S. Department of Treasury’s position that “adoption of the Framework could lead to the creation of more standardized information-sharing practices and policies,” helping organizations to more effectively mitigate cyberthreats and improve the ability of insurers to price and underwrite cybersecurity policies.
Cyber Insurance: An Incentive for Adopting the CSF
One concern often expressed about the CSF is that its use in industry is voluntary. The panel observed that cyber insurance creates incentives for organizations across industry sectors to adopt the CSF, echoing comments from the U.S. Commerce Department that cyber insurance “may be an effective, market-driven way of increasing cybersecurity because it can…encourage the adoption of best practices.”
With the CSF in place, enterprises can also better determine cyber security budgetary priorities at the micro and macro level so they can move from their current security posture to their target profile. They can also move beyond “static” measurement to a more continuous way to monitor and improve risk with improved data sharing.
Cyber insurance and the NIST Cybersecurity Framework have a symbiotic relationship, in which one enables and reinforces the other. Solutions and services from companies like Telos support companies that need to adhere to the CSF in order to assess and attest to their current security profiles; facilitate internal communication “from the server room to the board room;” justify and prioritize budget decisions; and continually monitor progress towards targeted goals. The rewards are lower premiums and lower risks for an improved security posture.