Cyber coverage seen as security incentive
Congressional interest in promoting cyber insurance as a market-based way to manage business and critical infrastructure risks is growing.
That was evident when a subcommittee of the House Homeland Security Committee, which does not oversee insurance issues, convened a hearing on the role of cyber insurance in risk management. At the outset, Rep. John Ratcliffe, R-Texas, said that while the cyber insurance market is in its infancy, “it's easy to envision its vast potential.”
Rep. Ratcliffe, also the chairman of the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, said insurers provide incentives to get homeowners to invest in locks, smoke detectors and other loss-control devices. “The same could be true for companies seeking to obtain cyber insurance,” he said.
“We must explore market-driven methods for improving the security of the companies that store our personal information,” Rep. Ratcliffe said. “I believe cyber insurance may be one such solution.”
Just applying for and maintaining such coverage would require “entities to assess the security of their systems and examine their own weaknesses and vulnerabilities,” he said.
Tom Finan, a former Department of Homeland Security official who testified before the panel, said afterward that just holding the hearing about cyber security insurance shows members of Congress appear very interested in what the cyber insurance market can do.
Mr. Finan, now chief strategy officer of Dulles, Virginia-based Ark Network Security Solutions, L.L.C., was a senior cyber security strategist and counsel with the Department of Homeland Security's National Protection and Programs Directorate until late last year. There, he launched and led DHS' cyber security insurance initiative.
During his appearance before the panel and in an interview, Mr. Finan said insurers eventually could play the same role in promoting cyber security risk management as fire insurers have in promoting fire safety, although doing so will take some time.
While fire is a fairly well-understood phenomenon, “cyber is a much more complicated risk area because of the human element, and you never know what the human motivations will be,” Mr. Finan said.
While a fire can be contained to a few buildings, cyber threats present a much larger problem, he said. Still, some of the “fundamentals from the fire context still apply.” The challenge is identifying which controls actually work and, as the “risk evolves, what controls evolve with that risk,” he said.
“The history of the insurance industry is promoting good risk management,” said Howard Mills, global insurance regulatory leader at consultant Deloitte L.L.P. in New York. “You can go back to fire prevention, product safety and electric appliances. It's logical to expect that insurance companies by providing cyber coverage will require good cyber risk management that will benefit companies, individuals and society at large.”
Government interest in cyber insurance has “continued to ratchet up” for several years, said Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C.
“I think that will continue,” said Mr. Beeson. “The insurance industry has a role to play to incentivize good risk management.”
As cyber insurance has evolved, “I think it's been the stick approach today, and I hope we're about to move into the carrot area,” Mr. Beeson said. “The stick approach has been, 'implement best practices and we will give you cyber insurance.' ”
“The carrot approach will be a more prescriptive approach, which will say, 'Adopt XYZ controls, and we will offer you lower premiums or broader coverage,' ” he said.
“It has not happened today because the insurers have not had the ability to understand how specific controls move the needle on risk exposure to the policyholder,” Mr. Beeson said, although he added that he does expect something along those lines in the near future.
“I do think that both Congress and the executive branch officials as well as state regulators do see the importance of cyber risk management as a top-tier issue both for the government and also for the private sector,” said Nat Wienecke, senior vice president in the Property Casualty Insurers Association of America's Washington office. “In many cases, the soft underbelly of our cyber security environment can come through companies that haven't matched their cyber risk management programs to the threats we are facing.”
Government can play a role in encouraging cyber risk management, he said.
When it comes to a data breach, “we think it's very, very important that there be state and federal harmonization of data breach (notification) requirements,” he said. “This will allow more even management of this risk across the economy.”
Regarding cyber insurance itself, anything state and federal regulatory bodies as well as Congress could do to help develop clear and consistent uniform standards or protocols “would be very helpful to push these products out to the broadest of audiences,” Mr. Wienecke said.