One big question hangs over the NIST Framework for Improving Critical Infrastructure Cybersecurity: Will the operators of the nation's critical infrastructure use it?
The voluntary recommendations reflect industry's best cyber security practices, but self-interest and prudent risk management may not be enough to compel critical-infrastructure owners to adopt the framework. One incentive would be if compliance with the framework makes it easier and cheaper for companies to get insurance to cover cyber security incidents.
Various insurance industry sources estimate that cyber security insurance generates annual revenues of $1 billion to $2 billion -- most of it in the US. Double-digit growth is expected in coming years. But business requirements and government regulations, not insurance requirements, still are driving cyber security investments, says Thomas Reagan of the Beazley Group, which has been underwriting cyber security insurance policies since 2000. Beazley helps clients assess their exposure to cyber security risk, "but there is no bright line that is going to be a guarantee of security," he says. "The risk is going to be what it is."
Reagan has seen the market evolve over the past decade. Since the late 2000s, it became apparent that the risk from breaches isn't just in the lost data, but also in the recovery costs, including the costs of forensic and legal assistance, notification, and credit monitoring, as well as crisis management and public relations.
A common framework for evaluating a company's security status could streamline assessments for an insurance policy, Reagan says, and put a strong emphasis on response: "When a breach happens, it's not the end of the road. It's the beginning of another road. Protection is not enough. You have to be ready to respond."
William Jackson is writer with the <a href="http://www.techwritersbureau.com" target="_blank">Tech Writers Bureau</A>, with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.