DHS pushes on towards cyber risk management, insurance

Significant progress has been made in educating the private sector on the need to incorporate cyber risk into their overall business plans, according to an official from the Department of Homeland Security, but multiple challenges remain before insurers offer more robust cyber insurance.


Tom Finan, senior cybersecurity strategist and counsel for DHS’ National Protection and Programs Directorate, said at a cybersecurity event Thursday that multiple sectors are interested in contributing to a “cyber incident data repository,” which would give private companies a chance to swap, aggregate and analyze information related to cyber attacks.

Finan spoke about how the agency’s Cyber Incident Data and Analysis Working Group (CIDAWG) has primarily been working with insurers over the past two years to figure out a way to boost private cyber insurance plans. Over the course of those meetings, chief information security officers from a number of critical infrastructure sectors along with cybersecurity professionals have also gotten involved.

The idea for such a database comes from the lack of actuarial data insurers need to price policies that better serve private companies. According to Finan, very few insurers today provide coverage for the kind of property damage and bodily injury that could result from a cyberattack on infrastructure, let alone the costs associated with data breaches.


“Unlike fire insurance, insurers just don’t have access to over 100 years of cyber loss data that they could use to build policies,” Finan said. “This has inhibited them from providing more than the $10-15 million in primary coverage that they’ve historically made available.”

But outside of insurers, risk management professionals are interested in a database to better understand the impacts and frequencies of breaches and attacks, as well as the controls that should be considered best-in-class for mitigating particular kinds of cyber risk. Cybersecurity professionals have also shown interest in the database for the purpose of developing new products and services.

“If the men and women on the front lines of cybersecurity have not bought in on the idea, then all the talking in the world about a repository will ultimately be for nought,” Finan said.

Despite the growing interest, a number of challenges remain when it comes to cyber insurance. Beyond the lack of data, Finan said the absence of concrete best practices creates problems when trying to assess a company’s risk. He said the National Institute of Standards and Technology framework has been “a huge positive,” but companies are looking for frameworks tailored more closely to their individual sectors.

He also said a general lack of understanding of how a breach affects businesses across sectors is preventing insurers from upgrading their policies.


“Until [insurers] have a better idea of how big and bad those losses might be, and where a risk control could make a difference, they are reluctant to make new insurance products,” Finan said. “Without more insight, one loss affecting hundreds of clients could potentially put them out of business.”

Recent breaches show just how large the mitigation costs can grow, even with insurance policies in place. New figures released by Home Depot put the cost of the theft of 56 million sets of credit and debit card data in the billions, with only $100 million covered by insurance. A study released Wednesday by cyber risk management firm NetDiligence had a hard time settling on a price tag for records lost in cybersecurity liability claims from 2012 to 2015: the average cost per record was $964, while the median cost was $13.

Finan said it’s important that all parties involved work to find ways to share whatever information they can, if for no other reason than to give the insurance industry the ability to craft policies that fit companies’ modern needs.

“While the cyber insurance market has been around in some form for 30 years, it has some distance to go before it can have that incentivizing effect that we are looking for,” he said.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.