Regulatory Developments

Last updated: 
3 months 3 weeks ago
Blog Manager
Log in to request membershipHide blog description
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Recent members:

Thinking about Cyberinsurance

Wednesday, April 8, 2015 - 11:06

A couple of discussions at Networkshop this week have raised the question of cyber-insurance, and whether this might be useful to universities and colleges. To think about that I split the question into three:

  • What sort of risks does insurance cover, and are they things that are high on your risk register?
  • If an incident of that kind does happen, is a money payment (which is what insurance policies generally provide) going to be useful in making your position better?
  • Are there other ways you could deal with those risks, and how to their costs/benefits compare?

For example a couple of recent reports have looked at cyber-insurance from the perspective of businesses [] and law firms. Those suggest that insurance is most commonly used to cover the costs incurred under data breach notification laws, where organisations are required to notify individuals if their personal data have been exposed as a result of an incident. In those cases there are obvious money costs – for example postage and perhaps paying for credit reports – so an insurance payout might well be helpful. And it is possible that universities might suffer that kind of breach, though preventive approaches such as PCI-DSS might be a more effective way to reduce the risk.

However the articles also suggest that insurance can be used to cover liability to third parties when paid hosting services suffer incidents such as website defacement. That's an area where I suspect damage to universities is more likely to be reputational than financial, so an insurance payment might be less help in solving the problem. And, as the articles note, some of these may already be covered by existing liability and professional indemnity insurances anyway. Having an effective incident response plan to minimise the damage from such incidents may be an effective alternative approach.

The other issue with cyber-insurance seems to be that, although products have existed for a decade, there haven't been many policies taken out or claims made under tham. That probably means that neither purchasers nor insurers have much data on what the actual risks are, so policy prices are less likely to reflect the true risk/benefit balance than for other, better understood, areas of insurance [Sarah Clarke has an excellent discussion of this]. That situation may be even worse for universities, as insurers' data are likely to reflect commercial businesses where IT operations and risk calculations may be very different to ours. If you are considering such insurance, you may get a better deal by limiting it to areas of operation that are most similar to businesses, where the pricing is more likely to be accurate.

risk management
cyberinsurance
  • Twitter logo
  • LinkedIn logo
  • Google+ logo
  • Reddit logo
  • StumbleUpon logo