How regulatory standards and cyber insurance inform each other
Business Security
Should the payment of a ransomware demand be illegal? Should it be regulated in some way? These questions are some examples of the legal minefield that cybersecurity teams must deal with.
21 Aug 2024
Governments create legislation and regulations primarily to protect public interests and keep order, ensuring society functions as it should. When related to cyber insurance and cybersecurity, regulation is aimed at ethical conduct, economic stability, and growth, providing a legal framework for organizations to abide by.
However, the complexities of regulations and legislation that need to be complied with as part of normal business operations can be tremendous.
There are many regulations, laws, and standards that affect the cybersecurity posture a company adopts, depending on where you or your business is in the world. Cyber insurance is intrinsically and indirectly linked to many of these regulations, as policies often cover the payment of regulatory fines, such as those imposed by a privacy regulator due to a data breach, or the payment of an extortion demand by a ransomware gang.
Cyber insurance and incidents
In the unfortunate situation of a company dealing with a cyber incident, the insurer may, depending on the policy, provide incident response and legal resources to assist the company. It’s these specialized services that determine whether there are mandatory disclosures that need to be made and whether paying an extortion demand to a particular ransomware group breaches government sanctions.
For example, the US Securities and Exchange Commission (SEC) now requires listed companies to disclose a cyber incident via form ‘8-K’. The incident needs to be deemed ‘material’ and the disclosure should include aspects of the incident’s nature, scope, and timing, as well as the likely impact on the company. In the last few weeks, a disclosure was made by a Luxembourg-based chemicals and manufacturing company, which may have just suffered the largest-ever business email compromise wire transfer fraud. The 8-K filing on August 10th states that a company employee was the target of a criminal scheme which resulted in multiple outbound fraudulent wire transfers to unknown parties, the result of which was a pre-tax charge of approximately $60 million (USD).
This type of incident is very different from a ransomware incident. Whilst there was no ethical decision on whether to pay or not, the incident still needed reporting and may be covered by a cyber insurer.
This blog is the fourth of a series looking into cyber insurance and its relevance in this increasingly digital era – see also part 1, part 2, and part 3. Learn more about how organizations can improve their insurability in our latest whitepaper, Prevent. Protect. Insure.
Regulations overwhelming small businesses?
For smaller companies, the amount of regulation and legislation could be overwhelming. There needs to be significant consideration for smaller businesses when new regulatory requirements are proposed: the complexity of dealing with different regulators and legal environments is not conducive to a smaller business that really should be focusing on its operations and revenue.
Moreover, the landscape is likely to become more complex with the adoption of new technologies like AI. There are obvious ethical issues with the adoption of such technology, as well as significant operational improvements and competitive advantage that can be gained by businesses seizing the opportunity. It’s important to ensure that the use of advanced technologies is adopted within boundaries acceptable to society. Failing to regulate will open the gates for companies to maximize profit over responsible use, a situation that could end badly.
If I were running a small business today, I might subscribe to cyber insurance to gain access to experts on regulation. Alternatively, I would prepare my business to qualify for insurance, as the checklist and requirements insurers demand would mean my risk is vastly reduced, both by ensuring compliance with regulations and by adopting an acceptable level of cybersecurity for my business. With this in mind, my cyber insurance premium cost would almost definitely be lower due to less risk of a claim.
Peter Warren, an award-winning investigative journalist, writer, and broadcaster, has conducted a series of interviews on the topic of the future threats businesses might face. The following podcast episode discusses how regulators are responding to the increased pace of digital transformation.