The federal government's recommendations to address cybersecurity risks target critical infrastructure industries such as utilities, but the voluntary standards can help any company potentially mitigate legal liability from data breaches or other cyber threats.
The U.S. Department of Commerce's National Institute of Standards and Technology's final Framework for Improving Critical Infrastructure Cybersecurity provides a flexible guide that is not unduly specific, experts say.
The guidelines released last month responded to President Barack Obama's executive order a year ago, citing “repeated cyber intrusions” that are “one of the most serious national security challenges we must confront.”
In another move regarding cyber threats, U.S. Attorney General Eric Holder last week called on Congress to establish a national standard to alert consumers whose information gets exposed by cyber breaches. Experts say it would be a major challenge to implement such a standard since there are 46 differing state laws on the issue.
Meanwhile, “the NIST standards are definitely a step forward because they're so broadly applicable and they're a standard set up by the government,” said Tom Reagan, New York-based large-risk underwriter of breach response insurance at Beazley P.L.C. The framework looks beyond prevention to how to respond to data breaches, he said.
“It's helpful that they're taking a risk-based approach, rather than imposing any kind of an inflexible and uniform set of standards that applies to all in the same manner,” said Oliver Brew, New York-based vice president of professional liability at Liberty International Underwriters, a unit of Liberty Mutual Holding Co. Inc.
With this federal cybersecurity framework, “an organization can ask itself a set of questions and start to see where they are,” where they aspire to be and “what they need to do to get there” to protect against cyber risks, said Toby Merrill, Philadelphia-based vice president of Ace Professional Risk, a unit of Ace Ltd.
It provides guidelines for companies to look at their cybersecurity structure critically, said Joe DePaul, managing director of cyber risk services at Arthur J. Gallagher Risk Management Services Inc. in Parsippany, N.J.
Ben Beeson, a London-based partner at Lockton Cos. L.L.P., said the NIST standards will help insurance buyers “get their arms around what is a very tricky new area of risk.”
The U.S. Department of Homeland Security in particular “has done a really nice job in engaging” in a dialogue with the insurance industry regarding the cybersecurity standards, said Catherine A. Mulligan, senior vice president and head of specialty errors and omissions at Zurich North America.
Experts say noncritical infrastructure firms also should adopt the NIST framework.
For companies that have made “a significant effort” to meet the government's recommendations and then have a data breach, courts are unlikely to find them negligent, said Richard J. Bortnick, a shareholder at law firm Christie, Pabarue & Young P.C. in Philadelphia.
George Allport, Warren, N.J.-based vice president and worldwide product manager for financial institution bond products at Chubb Corp., said while many organizations may not consider themselves part of the critical infrastructure, they may in fact be a smaller contractor dependent on such a firm. In the cyber world, “you have no way of knowing if you're below the radar,” he said.
Some experts think insurers will use the federal recommendations to evaluate risks in their cyber policy underwriting.
“I could see insurers using this as a yardstick,” said Michael R. Overly, a partner at Foley & Lardner L.L.P. in Los Angeles.
The NIST framework “will increase the need for insurance because it'll clarify a cybersecurity standard of care that more companies will have to fulfill,” said Matt McCabe, New York-based senior vice president at Marsh L.L.C.'s network security and privacy practice.
“I see this also as a period of almost a unique opportunity to have the insurance industry take a leadership role in driving the voluntary compliance,” said Alan E. Brill, senior managing director of secure information services at New York-based Kroll Associates Inc.
While the NIST framework may help insurers understand a company's cyber risk profile, this will not necessarily translate directly into the underwriting process, Mr. Allport said.
Kevin Kalinich, Chicago-based global practice leader for cyber risk insurance at Aon Risk Solutions, said insurers generally price cyber coverage based on companies' business and size. Audit standards for cyber exposures also already are available, but insurers do not always use them in underwriting, he said.