Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Cyber security framework marches forward

Orders from the top trickle down

Reprints
Cyber security framework marches forward

The cyber security executive order issued by President Donald Trump in May is targeted at government agencies, but it is expected to have a much wider influence, which will benefit both policyholders and insurers.

Private companies seeking government contracts will likely be held to the same standards as the agencies they deal with, which will lead to the wider adoption of the cyber security framework proposed by the National Institute of Standards and Technology, say experts.

And the increased compliance with NIST will make the framework even more influential in businesses in all sectors of the economy.

The order requires agency heads to be guided by Gaithersburg, Marylandbased NIST’s Framework for Improving Critical Infrastructure Cybersecurity, issued in February 2014.

Meanwhile, although experts are keeping an eye on several proposed cyber security bills in Congress, a uniform data breach notification law is not expected.

“It’s an absolutely great first step, but it’s just that. It’s a first step,” said Dan Burke, San Francisco-based vice president and cyber product head at Hiscox USA. “I think that companies will be looking forward to partnering with government agencies.”

“They’ve tried to be pretty thoughtful about their approach to cyber security,” said Michael R. Overly, a partner with Foley & Lardner L.L.P. in Los Angeles, who added that the Trump administration had reached out to insurance industry and large-firm executives for their input before issuing the executive order.

“Let’s face it: The federal government has a lot of our data, and we’ve been spending time recently talking to all the federal agencies about how jointly we can protect that data,” said Doug Johnson, senior vice president for payments and cyber security policy at the Washington-based American Bankers Association.

“Overall, we see the advent of the executive order as being positive for companies and also being positive for the federal government’s ability to enhance cyber security themselves,” he said.

Observers say the executive order may encourage more firms to follow the NIST guidelines in their cyber security efforts.

Following up on its February 2014 guidance, NIST issued a draft update in January of this year that provided new details on cyber supply chain risks. In line with President Trump’s executive order, in May it also issued an implementation guidance for federal agencies.

“Speaking the same language regarding cyber security is very important,” said Mr. Johnson. A high degree of acceptance of the NIST framework is “a very valuable tool” for community banks as well as for larger financial institutions.

The executive order will lead federal government vendors and contractors to adopt the NIST framework, “which is a good thing, certainly,” said Mr. Burke.

“It’s also a good thing for companies to apply their own risk management against that framework, and see where they stand now and where they need to make their improvements,” he said.

“The NIST cyber framework is quickly becoming the de facto standard by which cyber security is going to be measured, at least on the minimum level,

and we’ve already seen that bleed into the private sector,” said Michael Born, dent and account executive of the global technology and privacy practice at Lockton Cos. L.L.C.

It requires federal agencies to comply with the NIST framework, “but many private companies are complying voluntarily, and many IT service vendors are basing their assessments on the NIST framework, and many insurance underwriters are using that to assess the exposure associated with cyber insurance applicants,” he said.

In addition, “There is some emphasis in the order on items that would require cooperation between the public and the private sector that is specifically associated with the critical infrastructure,” which includes utilities, banks and health care firms, Mr. Born said.

The executive order parallels information offered by the Small Business Administration on cyber security, which also points to the NIST guidelines, said Anthony Dagostino, global head of cyber for Willis Towers Watson P.L.C. in New York. “This is going to put more pressure on companies to allow those types of frameworks,” he said.

“There’ll be a trickle-down effect” said Mr. Dagostino. “Whoever is doing work on behalf of these federal agencies, I think, can expect to see them held to the same standard this order outlined, so the impact now is on having the right risk management approach,” he said. “There’s going to be more urgency and scrutiny for them to have better risk management.”

“I will refer my clients to it” because it is adaptable, said Timothy J. Toohey, a partner with law firm Greenberg Glusker Fields Claman & Machtinger L.L.P. in Los Angeles. “You don’t have to take this one giant indigestible series of standards.”

There are parallels between what the agencies are being asked to do and what senior executives are likely to be called upon to do to improve their information security measures, Mr. Overly said.

“A key part of the order is also the encouragement of transparency by critical infrastructure entities about their own vulnerability” and that they should be “more candid in exposing their cyber security risk management practices, said Matthew McCabe, Marsh USA Inc.’s critical infrastructure cyber leader in New York.

“That’s something that many publicly traded companies are going to have to grapple with as we have these large events,” he said.

In terms of cyber insurance, it will result in federal contractors, as well as small businesses, buying more insurance, Mr. Dagostino said. “This will help drive the (insurance) market, directly or indirectly,” he said.

“It’s going to make better insureds for the insurance community. It will lead to a more holistic approach to managing cyber risk,” better security defense around cyber risk, and better processes and strategies and the use of people resources, which is an area where many companies “fall short,” Mr. Burke said.

“One of the things that has always been a challenge associated with the cyber insurance market are the metrics,” said Mr. Johnson. “Nothing will drive an actuary more batty than trying to develop loss models around cyber security risks."

This has led the market’s high end to be forced to self-insure their cyber risks, he said.

“It remains to be seen” whether NIST will play a role in addressing this issue, he said.

 

 

Read Next

  • President's executive order sets the tone for cyber standards

    The cyber security executive order issued by President Donald Trump in May, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” calls for reports from various agencies on their cyber security risk management efforts.