Cyber security bill passes Senate muster
Passage of long-awaited cyber security legislation will be a limited but still-useful tool that encourages businesses and the government to share data by providing liability protection.
However, experts are divided on the legislation's ultimate effect on rates for cyber insurance.
In a 74-21 vote in late October, the U.S. Senate approved The Cybersecurity Information Sharing Act of 2013 — S. 754 — which protects businesses against liability if they share information with governmental agencies.
Earlier this year, the House of Representatives approved two cyber security bills: the National Cybersecurity Protection Act, H.R. 1731, and the Protecting Cyber Network Act, H.R. 1560.
Industry observers say they are encouraged about the prospects for ultimate passage of the legislation after numerous failed attempts.
“The fact that we got something through the House and Senate is a big deal,” said Matt McCabe, New York-based senior vice president in Marsh L.L.C.'s cyber and technology practice.
Despite their differences, experts believe the three bills are close enough that a compromise version is feasible. If the House and Senate do approve a compromise version, President Barack Obama is expected to sign the measure.
Factors that led to the legislation's passage include hackers' theft of the data of some 22.1 million people from the U.S. Office of Personnel Management, which was discovered earlier this year.
“That was the straw that broke the camel's back,” said Ben Beeson, vice president of cyber security and privacy at Lockton Cos. L.L.C. in Washington. The federal government is now “under huge pressure to show it is doing something about cyber security.”
Cyber legislation is a good first step, but “we shouldn't get carried away” about what it can and cannot accomplish given that cyber attackers “are changing what they're doing in milliseconds,” said Scott L. Vernick, a partner at Fox Rothschild L.L.P. in Philadelphia.
Organizations applauding passage of the Senate bill include the Washington-based American Insurance Association. The bill would “allow the federal government and private sector to defend itself against and mitigate malicious cyber threats,” AIA Associate Counsel Angela Gleason said in a statement.
Opponents include the San Francisco-based Electronic Frontier Foundation, which said in a statement that the Senate cyber security bill is “fundamentally flawed due to its broad immunity clauses, vague definitions and aggressive spying authorities.”
The Senate bill would protect a company that followed federal guidelines on information sharing, yet accidentally disclosed personal information.
Although privacy advocates oppose sharing such information, many industry observers believe it will be an effective first step in addressing cyber risks.
The good thing about the Senate bill is “it allows for comparing notes and provides liability protection for companies” that share risk information and “fosters a sense of working together among companies,” said Scott N. Godes, a partner at Barnes & Thornburg L.L.P. in Washington.
“It puts another tool in the box to work more closely on the issue,” said Larry Clinton, president and CEO of the Arlington, Virginia-based Internet Security Alliance, a trade association that includes multiple industries.
It is not expected, however, to have any immediate effect on the cyber insurance market.
Information sharing is “becoming an important piece of an enterprise risk management strategy for any enterprise,” and the legislation can provide an incentive for organizations “to do more of that than they are already doing,” Mr. Beeson said.
He said underwriters “increasingly want to see” that firms are sharing information as a way to reduce risk and may decide to provide some sort of premium relief if policyholders participate in this process. “If it is not done tomorrow, I think it will happen over time,” he said.
Companies' participation in information sharing, though, “might just be another question” insurers ask on the application form, said Nadia Hoyt, New York-based vice president of FINEX North America, a unit of Willis Group Holdings P.L.C. “I don't think it will have a direct impact on the actual rates.”
“You need a multifaceted, sustainable effort on many fronts,” said Mr. Clinton.
Among other steps, the federal government, which annually spends just about $13 billion on cyber security, more than half of which is spent by the Department of Defense, “needs to get its own act together” with respect to cyber security, Mr. Clinton said.