I’m pleased to share with you some recent activities that I’ve been leading for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) to promote resilience through enhanced cyber incident data sharing and analysis.
Since 2012, NPPD has been engaging a diverse group of private and public sector cyber security stakeholders – including insurers, risk managers, chief information security officers (CISOs), critical infrastructure owners, and social scientists – to examine the current state of the cybersecurity insurance market and how to best advance its capacity to incentivize better cyber risk management.
During four initial workshops, conducted between 2012 and 2014, participants examined the existing cybersecurity insurance marketplace, described obstacles to expanding and improving it, and identified key ideas for overcoming the most pervasive of those obstacles. One of those key ideas was an anonymized cyber incident data repository which could foster the voluntary sharing of data about breaches, business interruption events, and industrial control system attacks needed for enhanced risk mitigation and risk transfer (insurance) approaches.
As a follow-on to the working sessions, NPPD established in February of this year a Cyber Incident Data and Analysis Working Group (CIDAWG), comprised of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals, to deliberate and develop key findings and conclusions about:
The white paper available below, The Value Proposition for a Cyber Incident Data Repository, addresses how a cyber incident data repository could help advance the cause of cyber risk management and, with the right repository data, the kinds of analysis that would be useful to CISOs, CSOs, insurers, and other cybersecurity professionals.
Conceptually, such a repository would aid insurers in delivering policies, at lower rates, to ‘best in class’ clients – thereby contributing to and effectively informing the overall corporate risk management strategies of those clients. Such a repository also would support a host of advances for cyber risk management professionals, including enhanced cyber risk data and trend analysis, bolstered in-house cybersecurity programs, and improved cybersecurity solutions, products and services.
I highly encourage you to explore our new cybersecurity insurance webpage, launched June 25. The webpage provides access to the Readout Report from NPPD’s initial workshops as well as the new Value Proposition white paper. It also describes our planned future efforts which will focus on Cyber Incident Data Points and Repository-Supported Analysis; How to Incentivize Voluntary Data Sharing; and Repository Structure and Operations Requirements.
I welcome any feedback that you and your colleagues may have on the Value Proposition white paper and DHS’ cyber risk management efforts.
READ THE WHITE PAPER: The Value Proposition for a Cyber Incident Data Repository
Tom Finan is senior cybersecurity strategist and counsel at the US Department of Homeland Security. He provides strategic counsel to components of DHS’ National Protection and Programs Directorate (NPPD) regarding the department’s responsibilities under Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” Finan heads DHS’ engagement with private and public sector partners about the cybersecurity insurance market; serve as the federal interagency lead on related incentives discussions; and brief DHS/NPPD senior leadership on our progress.
