Congress looks to insurance industry for cyber guidance

By Erin Ayers on March 19, 2015

The cybersecurity dialogue at the congressional level has ramped up in recent weeks, with the passage of one controversial information-sharing bill by a key Senate committee, but lawmakers have acknowledged that they are looking to the insurance industry, among others, for guidance on the right steps to take to improve the nation’s security posture.

Cybersecurity legislation currently being considered in Congress reflects two aims: increasing the threat data provided by private businesses to the federal government, and implementing a single federal standard for data breach notification to replace a wide variety of state requirements.

The Senate Select Committee on Intelligence approved in a 14-1 vote a bill known as the Cybersecurity Information Sharing Act of 2015 (CISA), intended to streamline the process for the private sector to alert the government to cyber threats, and vice versa. For proponents, the measure offers liability protection for organizations to share information on threat vectors, and could improve the available data for the cyber insurance marketplace. For opponents, this bill and others like it seem to merely allow the government new tools for surveillance of citizens.

For the members of the Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, the correct course of action remains to be seen, but the budding cyber insurance market offers great potential to be of assistance in propelling better risk management among the nation’s businesses.

“While an insurer’s primary function is to mitigate financial losses – not defend against cyber threats – cyber insurance may be a market-led approach to help businesses improve their cybersecurity posture by tying policy eligibility or lower premiums to better cybersecurity practices,” stated Sen. Jerry Moran (R-Kansas), subcommittee chairman.

According to ranking member Sen. Richard Blumenthal (D-Conn.), there is “no topic of greater importance” than cybersecurity. It is “inextricably linked” to both private business security and national defense. He said Congress intends to learn how insurance can be used as an incentive.

On that point, representatives of the insurance industry agreed. Ben Beeson, vice president of cybersecurity and privacy at Lockton Companies, offered an explanation of the development of the cyber insurance market and the key concerns for underwriters, brokers, and their customers.

“We believe that cyber insurance is an important market force that can drive improved cyber security for companies—and thus improve protection to consumers and the nation as a whole. It should not just be seen as another insurance transaction. As the cyber insurance market develops, it will provide incentives for companies to understand and mitigate their risks,” Beeson told the Senate committee. “For example, forward-thinking companies invest in workplace safety to reduce their workers’ compensation costs. In the same way, sophisticated companies are investing in stronger cyber security, and those companies ultimately will experience fewer losses, insurers will see fewer claims, and their premiums will be lower. However, we’re not there today. The cyber insurance market is still nascent and developing.”

Finding a way to house and anonymize threat data could “accelerate” the development of the market, particularly on the key issue of underwriting cyber-related physical damage. The insurance industry would “welcome” the introduction of legislation that would reduce barriers to data sharing in this area where there is currently a “dearth” of information, Beeson added.

Catherine Mulligan, vice president for Zurich North America, noted that the industry faces coverage and aggregation challenges, since the potential for losses extends beyond the current scope of coverage and pricing abilities. She advocated data repositories as well, for both threat vectors and cyber insurance data.

“More comprehensive information could help the insurance industry develop broader coverage and broader risk management solutions,” she told the Subcommittee.

Among insurance shoppers, there is consternation over both coverage options and pricing. Representing the small business perspective, Ola Sage commented that there appears to be “very little consistency” in both the questions asked for the cyber underwriting process and the coverage offered. Her company, an IT services firm, sought coverage and found that “comparing the policies was virtually impossible.” Her ultimate purchase cost over $10,000 and the process took over four months. Upon renewal this year, after her business used the voluntary National Institute of Standards and Technology (NIST) framework and other tools to mitigate its cyber risk, the insurance premium went up 12 percent.

Moran quizzed speakers on the panel about the appropriate parties to run a data repository, as well as whether good public policy would impel the use of ISACs across industry sectors and possible tax credits for businesses that follow the NIST framework. These are details that need to be “ironed out,” according to Zurich’s Mulligan.

The NIST framework offers a way to explain “in laymen’s terms” the need for security to boards of directors, noted Beeson.

“Cyber has now entered the governance dialogue,” he said.

An increasingly prominent view of the appropriate action for Congress on cybersecurity is that a federal data breach notification law could reduce the compliance costs for organizations that suffer an attack.

According to attorney Michael Menapace of Wiggin and Dana LLP, the real driver of data breach claim costs has become the price tag attached to notifying affected consumers. Upon experiencing a breach, businesses must comply with the data breach notification laws in 47 different states, requiring 47 different legal analyses.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.