ISA Insurance Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Insurance Sector Recommendations

Source: Chapter 14 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity

Tax Incentives for Cybersecurity Investment

“Companies should be incentivized to invest in cybersecurity. Investments will benefit all citizens—they will ensure that data and networked physical assets are kept safe and secure. The federal government should consider economic incentives that accelerate company investment in security. This could take the form of tax incentives for such investments or the purchase of cyber insurance. The latter would ensure that more companies are subjected to an independent review of their cybersecurity framework.” Commission Foundational Principle 10: The right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation, which should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks.

Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

Commission text: Incentives must play a more substantial role in building a cybersecure nation. To accomplish this goal, the next Administration and Congress should pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry. … Additional benefits to encourage enhanced cybersecurity might include tax incentives …

Commission Action Item 1.4.1: NIST, in coordination with the NCP 3, should establish a Cybersecurity Framework Metrics Working Group (CFMWG) to develop industry-led, consensus-based metrics that may be used by (1) industry to voluntarily assess relative corporate risk, (2) the Department of Treasury and insurers to understand insurance coverage needs and standardize premiums, and (3) DHS to implement a nationwide voluntary incident reporting program for identifying cybersecurity gaps. This reporting program should include a cyber incident data and analysis repository (CIDAR). (SHORT TERM)

Commission text: The CFMWG would develop meaningful metrics for better understanding and quantifying the benefits that use of the Framework brings to organizations that adopt it. … The metrics developed must also be useful for insurers seeking to understand evolving coverage needs. The discrete risks associated with insurance coverage must be measurable, so that insurers can have a stronger basis for making coverage decisions and standardizing insurance premiums.


Scenario Planning Workshops

“The insurance industry is prepared to facilitate cross-industry cyber scenario workshops. These would involve federal government agencies, universities, corporations, and other participants. The workshops would focus on designing and implementing scenario analysis to better understand the types of attacks that could impact the private and public sector. Scenarios could range from data theft and destruction, to extortion, hacktivism, terrorism, and other such events. The workshop content could be shared with companies and individuals to better inform them of the risks and take steps to prevent against such attacks.” Commission Foundation Principle 4: Private sector and government collaboration before, during, and after an event is essential in creating and maintaining a defensible and resilient cyber environment.

Commission Recommendation 1.2: As our cyber and physical worlds increasingly converge, the federal government should work closely with the private sector to define and implement a new model for how to defend and secure this infrastructure. To prevent destruction and degradation of infrastructure, the private sector and government must jointly and continuously address cybersecurity risk. To date, much of this effort has been focused primarily on cybersecurity incident response. Moving forward, our collective effort must focus also on all stages of operations to protect and defend networks, as well as to ensure resilience and swift recovery through joint planning and training and coordinated responses. This collaboration must occur continuously as threats are discovered, and information must be exchanged throughout the prevention and detection of, and the response to, an incident. The private sector and government must team up to plan, exercise, and otherwise prepare in a way that takes advantage of their respective capabilities and their real-time information about malicious actors, adversaries, threats, and vulnerabilities.

Commission Action Item 1.2.2: The private sector and Administration should launch a joint cybersecurity operation program for the public and private sectors to collaborate on cybersecurity activities in order to identify, protect from, detect, respond to, and recover from cyber incidents affecting critical infrastructure (CI). (MEDIUM TERM)

Commission text: Key aspects of any collaborative defensive effort between the government and private sector include coordinated protection and detection approaches to ensure resilience; fully integrated response, recovery, and plans; a series of annual cooperative training programs and exercises coordinated with key agencies and industry; and the development of interoperable systems.


Cybersecurity Education

“The government’s program to certify universities and provide loan forgiveness to students who major in cybersecurity and work for the government is a very good start. We recommend continuing to invest in such programs to ensure that a suitable pool of talent is filled and that companies can draw on this pool. Federal funding for research at nonprofits and universities would also dramatically improve the level of knowledge in the field.” Commission Action Item 4.1.8: In order to attract more students to pursue cybersecurity degree programs and enter the cybersecurity workforce in both the public and private sectors, incentives should be offered to reduce student debt or subsidize the cost of education through a public–private partnership. (MEDIUM TERM)

Commission text: The increase in the cost of college and in student debt is an enormous public policy challenge. The private sector should structure a program that provides financial support (i.e., scholarships, loan forgiveness, tuition reimbursement) for students who earn vocational, polytechnic, or master’s degrees in related cybersecurity fields. Specifically, in exchange for a period of service within the federal government, followed by a period of employment at a sponsoring company, that company will cover education expenses (e.g., student aid). The program would help the federal government to address a significant talent deficit and would provide the private sector with a pool of experienced cybersecurity professionals who possess federal government relationships and experience.


Public Service Campaign

“We also recommend creating a public campaign similar to the “Say No to Drugs” campaign. This would be highly effective in raising the general level of awareness for cybersecurity and raising the issue to national attention. Additionally, educational materials should be developed and delivered to midsized and small businesses through various channels such as the Small Business Administration and other governmental programs. We recommend that the federal government partner with leading universities to develop the content for the campaign and the release of such materials.” Commission Action Item 3.1.2: Within the first 100 days of the new Administration, the White House should convene a summit of business, education, consumer, and government leaders at all levels to plan for the launch of a new national cybersecurity awareness and engagement campaign. (SHORT TERM)

Commission text: There have been many public and private cybersecurity awareness campaigns during the past few years that have not achieved the anticipated results. Future awareness campaigns should build on these efforts and the knowledge gained about what approaches work most effectively. New initiatives should be undertaken at an even more ambitious scale aimed at reaching a larger audience and delivering a small number of clear and consistent messages on specific cybersecurity issues more frequently and across a wider variety of communications channels. Campaigns can have greater impact if they are informed by the experiences of awareness campaigns in domains other than cybersecurity.


Geopolitical Risk Management

“It is essential that government take an aggressive stance on protecting the nation against attacks from geopolitically motivated sources. Companies are incapable of protecting against sophisticated, well-funded nation-state attacks. As such, the DHS, FBI, and NSA need to take the lead in protecting the country against such attacks through appropriate offensive and defensive means.” Commission Action Item 6.1.4: Congress should provide sufficient resources to the Department of Justice (DOJ) to fully staff and modernize the Mutual Legal Assistance Treaty (MLAT) process, including hiring engineers and investing in technology that enables efficiency. It should also amend U.S. law to facilitate transborder access to electronic evidence for limited legitimate investigative purposes, and should provide resources for the development of a broader framework and standards to enable this transborder access. (MEDIUM TERM)


Legal and regulatory immunity

“The federal government should consider legal or regulatory immunity for companies that develop products to prevent and address cyberattacks.” Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

Commission text: The next Administration and Congress should pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry. Safe harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors.


Software and Hardware Security Standards

“The insurance industry also supports the creation of an independent organization that would be tasked with certifying the security of commonly used software and hardware devices. This initiative would be equivalent to standards developed under the Underwriter Laboratories for the introduction of new electronic devices and components. The development of standards and testing would uncover security weaknesses and dramatically improve the overall state of cybersecurity.” Commission Action Item 3.1.1: To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity “nutritional label” for technology products and services—ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand. (SHORT AND MEDIUM TERM)

Commission text: A standard cybersecurity label for technology products and services should be developed. This label should include privacy-related information and be informed by the Cybersecurity Framework. It should capture cybersecurity-related risks for a particular product or service, be user-friendly, and convey how easy the technology is for the consumer to secure properly. Each label should display reliable, quantifiable information for a technology product in a format easily understood by the product’s consumers. Properly designed and deployed, a standard label would enhance consumer decision making. … A rating system based on an impartial assessment of a product’s cybersecurity risk could be incorporated into the label or provided in associated literature as a further guide to consumers.