Insurers could hold key to managing cyber risks
Could private industry provide at least a partial answer to one of the United States' most critical national security problems? The answer may well be “yes,” if the problem is cyber security and the industry in question is the insurance industry.
This doesn't mean that the feds will suddenly flood underwriters' offices from California to London and everyplace in between with applications for cyber coverage. The federal government isn't in the market for cyber insurance, and even if it were, nobody would be rushing to sell cyber to the government given its rather spotty record on data protection.
But cyber insurance might enhance national security in an indirect yet crucial way — by encouraging ever more effective risk management for exposures involving such matters as critical infrastructure.
A few weeks ago, Tom Finan — a former Department of Homeland Security official who is now chief strategy officer for Ark Network Security Solutions L.L.C., a Dulles, Virginia-based consultant — appeared before a House Homeland Security Committee subcommittee and noted that cyber insurance could one day promote the same kind of risk management for cyber that fire insurance has provided against fire perils. While at DHS, Mr. Finan headed the agency's cyber insurance initiative.
“We knew that insurers had been very successful in identifying specific fire safety controls that today are not only conditions for coverage within fire insurance policies but also prerequisites for obtaining a building permit,” said Mr. Finan in his testimony. “Our hope was that brokers and underwriters together could help identify the cyber security equivalents of sprinkler and other fire suppression systems. What we discovered is that while they may get there one day, they are not there yet.”
That's hardly surprising. After all, it's taken fire insurers a couple of hundred years to create the risk management tools they advocate and require of their policyholders. And loss control technologies against fire loss constantly evolve.
Evolution is the hallmark of cyber threat — the good guys are always playing catch-up with the bad guys, and the speed at which the threat evolves is far faster than any threat posed by fire. The nation's critical infrastructure such as the power grid and its various components is particularly vulnerable to cyber attacks. Only a few weeks ago, the administration publicly accused Iranian hackers of launching a cyber attack against a dam in New York.
While no catastrophe occurred, the attack was a potent reminder of how much is at risk. That's where insurance comes in. Although it will take time to achieve market penetration, the industry can begin encouraging enhanced cyber risk management through both carrots, such as premium breaks for sound risk management, and sticks, such as refusing to write coverage for accounts that don't practice adequate risk management. The faster insurers begin, the sooner a gap in national security will be at least partially filled.