As discussed in a recent blog post, NIST SP 800-171 is a compliance requirement intended to improve the overall security posture of the 65,000 or so organizations that do work for the federal government. Currently, there are 110 NIST SP 800-171 security requirements that are distributed across the following 14 categories:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The federal government requires organizations to self-assess against these security requirements and develop action plans, i.e., remediation plans, for any requirements they do not meet. Non-compliance with the 800-171 process can render an organization ineligible to do work for the federal government.
800-171 as a Model for the Cyber Insurance Industry
The insurance industry is obviously a different environment than the federal government, but the security motivations are similar: improve overall security and reduce risk for the respective ecosystem.
The 800-171 security model might also help the cyber insurance industry establish consistent underwriting security requirements industry-wide. Absent such a standard, it is difficult to build a reliable set of actuarial data over time because each insurance carrier defines what it means to be “secure” in its own way.
So how would it work? I can imagine the cyber insurance industry using the 800-171 requirements, or some subset, as “table stakes” needed simply to be eligible for cyber insurance coverage.
Various security requirement overlays, based on the 800-171 security requirements, could be created for each industry. This would allow for unique combinations of security requirements that are most meaningful to specific industries. For example, online retailers that are dependent on their websites to generate revenue might have more rigorous requirements in the Incident Response category.
Enhanced requirements, like those described in the recently released DRAFT NIST SP 800-171b, might be used to offer increased coverage, lower premiums, lower deductibles, fewer carve-outs, etc. These enhanced requirements could be used to incentivize insureds to do more than just basic security.
Benefits to the Insurance Industry
Just to be clear, I am not an insurance expert. However, I have been working in the information security field for nearly 30 years and have extensive experience with NIST frameworks. Based on that, here are some thoughts I have about 800-171 that could benefit the insurance industry over time:
- Underwriting Consistency: If carriers agreed to standardize on the 800-171 security requirements it would give the insurance industry a standard way of defining what it means for a particular company to demonstrate that it is reasonably secure. A standards-based approach should help with the underwriting process.
- Establish Actuarial Data: As there is loss experience, this standardization would allow carriers and the broader insurance industry to conduct analyses to determine things like: which requirements are effective, which are not, which combinations of requirements are most effective, where there are gaps and new requirements are needed, etc.
- Fewer Claims to Pay Out: More reliable actuarial data will help carriers avoid costly underwriting mistakes, making cyber insurance profitable into the future as cyber incidents are likely to continue to skyrocket.
Why should the cyber insurance industry consider NIST, and more specifically, NIST SP 800-171? There are many reasons. Here are just a few:
- Reputation: NIST is the best in the business. Their frameworks are being adopted by highly regulated organizations around the world.
- Economics: NIST frameworks and content are free.
- Friendly: NIST wants to work with industry to adopt their security frameworks.
- Focus: NIST 800-171, by definition, is designed for non-federal systems and organizations. The requirements contained in 800-171 are logical and can be applied to any system or organization to enhance security posture and manage risk.
- Support: As evidenced by the recent release of DRAFT NIST SP 800-171b, NIST plans to maintain and enhance 800-171 over time.
The security requirements that NIST has created for organizations that do work for the federal government are completely capable of managing portfolio risk in other industries, like the cyber insurance industry. NIST has already done the heavy lifting. The standards just need to be applied in a way that’s meaningful to the insurance industry.
If you are in the insurance industry and are interested in discussing in more detail, I’d love to hear from you.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.