Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce has described cybersecurity insurance as a potentially “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following a cyber attack. However, the cybersecurity insurance market today faces significant challenges.
In order to examine what obstacles hinder the development of a robust cybersecurity insurance market – i.e., one that can offer more relevant policies to more people at lower cost – the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) hosted an all-day workshop on cybersecurity insurance on Monday, October 22, 2012, at the Intellectual Property Rights (IPR) Center in Arlington, Virginia. Sixty-five private-sector and Federal agency participants examined today’s cybersecurity insurance market, focusing in particular on the challenges facing the “first-party” insurance market. NPPD invited stakeholders from five groups: insurance carriers; corporate risk managers; IT/cyber experts; economists and other social scientists; and critical infrastructure owners and operators. NPPD asked participants to nominate breakout group topics to develop the workshop agenda and those included:
- Defining Insurable and Uninsurable Cyber Risks
- Cyber Insurance and the Human Element
- Cyber Liability: Who is Responsible for What Harm?
- Current Cyber Risk Management Strategies and Approaches
- Cyber Insurance: What Harms Should It Cover and What Should It Cost?
- Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities
- Sequencing Solutions: How Should the Market Move Forward?
The workshop included three plenary panelists – Tyler Moore, Professor of Computer Science and Engineering at Southern Methodist University; Emily Freeman, Executive Director for Technology and Media Risks with Lockton; and Jason Averill, Leader, Engineered Fire Safety Group at the National Institute of Standards and Technology (NIST).
NPPD conducted the Cybersecurity Insurance Workshop in accordance with the Federal Advisory Committee Act, P.L. 92-463, and captured the current viewpoints of the workshop participants in a Cybersecurity Insurance Workshop Readout Report. That report can be viewed below. NPPD intends to use the report as a reference point for any future cybersecurity insurance discussions that it convenes going forward. The comments, perspectives, and suggestions contained in the report are those of the workshop participants only and do not necessarily reflect the views of DHS.