Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.  In recent years, the Department of Homeland Security National Protection and Programs Directorate (NPPD) has engaged key stakeholders to address this emerging cyber risk area.

Cyber Risk Management and Cybersecurity Insurance

Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a “stand alone” line of coverage.  That coverage provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.  Few cybersecurity insurance policies, however, provide businesses with coverage for an area of growing private and public concern:  the physical damage and bodily harm that could result from a successful cyber attack against critical infrastructure.

Since 2012, NPPD has engaged academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others to find ways to expand the cybersecurity insurance market’s ability to address this emerging cyber risk area.  More broadly, NPPD has sought input from these same stakeholders on the market’s potential to encourage businesses to improve their cybersecurity in return for more coverage at more affordable rates.  NPPD is currently facilitating dialogue with CISOs, Chief Security Officers (CSOs), and insurers about how a cyber incident data repository could foster both the identification of emerging cybersecurity best practices across sectors and the development of new cybersecurity insurance policies that “reward” businesses for adopting and enforcing those best practices.

DHS Cybersecurity Insurance Working Sessions

From 2012 through 2014, DHS hosted four separate working sessions where cybersecurity professionals examined the existing cybersecurity insurance marketplace, described obstacles to expanding and improving it, and identified three key ideas for overcoming the most pervasive of those obstacles:

• Cyber incident information sharing.  An anonymized cyber incident data repository could foster the voluntary sharing of data about breaches, business interruption events, and industrial control system attacks needed for enhanced risk mitigation and risk transfer (insurance) approaches.
• Cyber incident consequence analytics.  The development of new cyber risk scenarios, models, and simulations – based on repository data – could help promote understanding about how a cyber attack might cascade across infrastructure sectors and where opportunities for risk mitigations might exist.
• Enterprise Risk Management (ERM).  An accepted approach for fusing cyber risk into traditional ERM programs could help organizations of all sizes better prioritize and manage their top business risks.

Additional information about the working sessions, including Readout Reports summarizing session discussions and findings, can be found on the Insurance Industry Readout Reports  webpage.

Benefits of a Cyber Incident Data Repository

Following the working sessions and based on the recommendations of the participants, NPPD continues to explore the benefits and feasibility of a cyber incident data repository that creates a trusted environment for enterprise risk owners to anonymously share sensitive cyber incident data.  Conceptually, that data, once aggregated and analyzed, will result in increased awareness about current cyber risk conditions and longer-term cyber risk trends.  New analytics products, rooted in rich repository data, in turn will help inform more effective cyber risk management investments by both private and public sector organizations as well as better cybersecurity insurance products.  As the culmination of this conceptual effort, NPPD will aim to find answers to three key questions:

• Do existing repositories meet the cyber incident data needs of cybersecurity stakeholder groups?
• Are owners and operators of existing repositories open to leveraging external cyber incident data and analysis knowledge and incorporating it into their existing structures?
• If not, should a new cyber incident data repository be developed?

Cyber Incident Data and Analysis Working Group

As a follow-on to the working sessions, NPPD established a Cyber Incident Data and Analysis Working Group (CIDAWG), comprised of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals, to deliberate and develop key findings and conclusions about:

1. The value proposition of a cyber incident data repository;
2. The cyber incident data points that should be shared into a repository to support needed analysis;
3. Methods to incentivize such sharing on a voluntary basis; and
4. A potential repository’s structure and functions.

• The Value Proposition. Details how a cyber incident data repository could help advance the cause of cyber risk management and, with the right repository data, the kinds of analysis that would be useful to CISOs, CSOs, insurers, and other cybersecurity professionals.
• Cyber Incident Data Points and Repository-Supported Analysis.  Addresses the kinds of prioritized data points that should be shared among repository users to promote new kinds of needed cyber risk analysis.
• Overcoming Perceived Information Sharing Obstacles.  Identifies potential roadblocks to voluntary sharing into a repository and potential approaches for addressing those roadblocks.
• Repository Structure and Operations Requirements.  Will detail the requirements that a future repository must address in order to successfully meet the multiple needs of likely users.

At the completion of the CIDAWG’s work, NPPD will seek opportunities to solicit input on and promote understanding of CIDAWG ideas and recommendations to support the cyber risk management needs of both the private and public sectors.

Source: U.S. Department of Transportation, “Cybersecurity Insurance” http://www.dhs.gov/ website. Accessed February 10, 2016. http://www.dhs.gov/topic/combating-cyber-crime

© Copyright 2016. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.