The Role of Cyber Insurance in Promoting Cybersecurity
Insurance exists to help companies and individuals manage the financial impact of unexpected events. Demand for cyber insurance is rising rapidly, but take-up rates vary by company size, industry sector, the value of data assets, and regulatory requirements. Companies that purchase cyber insurance generally buy modest limits: a recent survey of risk managers suggests that nearly 60 percent buy less than $20 million of coverage.
CYBER INSURANCE—PRODUCT AND SERVICE
The insurance industry has built a system that helps companies plan and prepare for incidents and respond to them. Insurers frequently conduct in-depth reviews of a company's cybersecurity framework during underwriting, and they offer a suite of ex-ante and ex-post services that reduce both the likelihood and the impact of a breach.
While the market is advancing quickly, several factors inhibit it from reaching its full capacity:
• Disparate company preparedness and investment.
• Lack of suitable data for modeling.
• Challenges of risk aggregation and correlation.
• Weak public understanding of the significance of cyberattacks.
• Competing priorities and opportunity costs of insurance purchases.
• Shortage of qualified talent to address the risk.
• Rapid growth of the Internet of Things and resultant risks.
TAX INCENTIVES FOR CYBERSECURITY INVESTMENT
Government support for private-sector cybersecurity investment could take the form of tax incentives for such investments or for the purchase of cyber insurance. The latter would ensure that more companies are subjected to an independent review of their cybersecurity framework. Companies that partner with cyber insurers also have strong economic incentives to continually improve their security practices, which raises the overall level of national preparedness.
GOVERNMENT INTELLIGENCE SHARING
Some Information Sharing and Analysis Centers (ISACs) are more effective than others, and it would be beneficial to strengthen all of them so that every industry sector receives a consistent level of information and engagement. While participation in such groups is voluntary, the federal government can incentivize strong participation by using these forums to deliver timely, high-value intelligence on emerging cybersecurity threats.
SCENARIO PLANNING WORKSHOPS
The insurance industry is prepared to facilitate cross-industry cyber scenario workshops involving federal government agencies, universities, corporations, and other participants. The workshops would focus on designing and running scenario analyses to better understand the types of attacks that could affect the private and public sectors.
CYBERSECURITY TALENT AND RESEARCH
The government's program to certify universities and provide loan forgiveness to students who major in cybersecurity and then work for the government is a very good start. We recommend continuing to invest in such programs to ensure that a suitable pool of talent exists and that companies can draw on it. Federal funding for research at nonprofits and universities would also substantially raise the level of knowledge in the field.
PUBLIC SERVICE CAMPAIGN
We also recommend a public awareness campaign similar to the "Say No to Drugs" campaign. In addition, educational materials should be developed and delivered to small and midsized businesses through channels such as the Small Business Administration and other government programs.
GEOPOLITICAL RISK MANAGEMENT
Individual companies cannot reasonably be expected to defend themselves on their own against sophisticated, well-funded nation-state attacks. Therefore, DHS, the FBI, and the NSA need to take the lead in protecting the country against such attacks through appropriate offensive and defensive means. Intelligence gained from those actions should, to the extent classification permits, be shared with the private sector to improve its understanding of the threats and allow it to prepare.
CLARIFY THE TERRORISM RISK INSURANCE ACT
Large-scale terrorist attacks carried out by cyber means should qualify as certified acts of terrorism and trigger TRIA for covered lines. Greater clarity on what constitutes an act of cyber war would also help ensure that all parties, including insurers and policyholders, understand their obligations if and when such an event occurs.
LEGAL AND REGULATORY IMMUNITY
The federal government should consider legal or regulatory immunity for companies that develop products to prevent and respond to cyberattacks. It should also consider extending the SAFETY Act so that its liability limitations cover certified products and services designed to prevent or mitigate loss from cyber terrorism and cyber-criminal activity.
SOFTWARE AND HARDWARE SECURITY STANDARDS
The insurance industry also supports the creation of an independent organization tasked with certifying the security of commonly used software and hardware devices. This initiative would be analogous to the Underwriters Laboratories (UL) standards and certification applied to new electrical devices and components before they are brought to market.