I’m pleased to share with you a new white paper from the Cyber Incident Data and Analysis Working Group (CIDAWG) that addresses the kinds of data that should be shared into an anonymized and trusted cyber incident data repository to support the cyber risk analysis needs of insurers, chief information security officers (CISOs), chief security officers (CSOs), and other cybersecurity professionals.
Since 2012, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has been engaging a diverse group of private and public sector cybersecurity stakeholders (including insurers, risk managers, CISOs, critical infrastructure owners, and social scientists) to examine the current state of the cybersecurity insurance market and how to best advance its capacity to incentivize better cyber risk management. Through last spring, NPPD held four public workshops to examine the existing cybersecurity insurance marketplace, describe obstacles to expanding and improving it, and identify key ideas for overcoming the most pervasive of those obstacles.
One of those key ideas—which insurers described during NPPD’s fourth public workshop in April of 2014—was an anonymized and trusted cyber incident data repository which could foster the voluntary sharing of data about breaches, business interruption events, and industrial control system attacks needed for enhanced risk mitigation and risk transfer (insurance) approaches. As a follow-on to the workshops, NPPD accordingly established in February of this year the CIDAWG, comprised of insurers, CISOs and CSOs from various critical infrastructure sectors, and other cybersecurity professionals, to deliberate and develop key findings and conclusions about:
The white paper on Establishing Community-Relevant Data Categories in Support of a Cyber Incident Data Repository is the second in the CIDAWG’s white paper series. It identifies 16 data categories that would support the kinds of analysis that could help insurers enhance their existing offerings while assisting CISOs, CSOs, and other cybersecurity professionals with their complementary cyber risk mitigation missions. The white paper builds on the CIDAWG’s previous white paper, released in June, on the Value Proposition for a Cyber Incident Data Repository.
Conceptually, such a repository would aid insurers in delivering policies, at lower rates, to “best in class” clients – thereby contributing to and effectively informing the overall corporate risk management strategies of those clients. Such a repository also would support a host of advances for cyber risk management professionals generally, including enhanced cyber risk data and trend analysis, bolstered in-house cybersecurity programs, and improved cybersecurity solutions, products and services.
I highly encourage you to explore our updated cybersecurity insurance webpage at: http://www.dhs.gov/cybersecurity-insurance. It provides access to both the Readout Reports from NPPD’s four initial workshops and the CIDAWG’s Data Categories and Value Proposition white papers. It also describes the CIDAWG’s planned future efforts, which will focus on How to Incentivize Voluntary Data Sharing and Repository Structure and Operations Requirements.