Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. The Department of Commerce has described it as an “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by promoting the adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following an attack. Many companies nevertheless forgo available policies, citing their perceived high cost, a lack of awareness about what they cover, and uncertainty that they’ll suffer a cyber attack as the basis for their decisions.
In order to examine what obstacles hinder the development of a robust cybersecurity insurance market that can offer more relevant policies at lower cost, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has brought together a diverse group of private and public sector stakeholders in recent years – including insurance carriers, risk managers, IT/cyber experts, critical infrastructure owners, and economists and other social scientists – to examine the current state of the cybersecurity insurance market.
The first workshop, in October 2012, focused on the challenges facing the “first-party” market which covers direct losses to companies arising from cyber-related incidents. Workshop participants nominated a number of topics for discussion: (1) Defining Insurable and Uninsurable Cyber Risks; (2) Cyber Insurance and the Human Element; (3) Cyber Liability: Who is Responsible for What Harm; (4) Current Cyber Risk Management Strategies and Approaches; (5) Cyber Insurance: What Harms Should It Cover and What Should It Cost; (6) Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities; and (7) Sequencing Solutions: How Should the Market Move Forward? The participants identified a series of obstacles preventing first-party market growth in each of these areas, and potential ways forward, in the “Cybersecurity Insurance Workshop Readout Report” linked below.
In May 2013, NPPD held a follow-on roundtable to expand on some of the ideas identified the previous fall. The roundtable, which included representatives from the aforementioned stakeholder groups, focused on how organizations should go about building more effective cyber risk cultures as a prerequisite to a stronger and more responsive first-party market. NPPD led a discussion about four “pillars” of such cultures: (1) Engaged Executive Leadership; (2) Targeted Cyber Risk Management and Awareness; (3) Cost-Effective Technology Investments Tailored to Organizational Needs; and (4) Relevant Information Sharing. During the roundtable, participants discussed the importance of and challenges with implementing each of the identified pillars in three distinct but related contexts: within companies; between partnering companies; and nationally. The “Cyber Risk Culture Roundtable Readout Report” linked below includes the key themes that emerged from those discussions.
In November 2013, NPPD convened a second roundtable focused on a fundamental yet unanswered question that had arisen during the prior discussions: how do cost/benefit considerations inform the identification of not only an organization’s top cyber risks but also appropriate risk management investments to address them? The event included use case presentations by three health care organizations. Each presenter described an actual cyber incident that they had experienced; how they managed the incident; and how lessons learned from the incident have influenced their actions and investments to improve patient safety. The presenters likewise addressed how the organizations are incorporating cost/benefit considerations as part of their cyber risk management strategies; how their individual cyber risk cultures are evolving as a result; and what role cybersecurity insurance is playing as part of their processes. Summaries of their presentations and subsequent participant commentary can be found in the “Cyber Insurance Use Case Readout Report” linked below.
DHS and NPPD conducted all stakeholder outreach in accordance with the Federal Advisory Committee Act, P.L. 92-463. NPPD intends to use the referenced readout reports as starting points for future cybersecurity insurance discussions. The comments, perspectives, and suggestions contained in the reports are those of the workshop and roundtable participants only and do not necessarily reflect the views of DHS or NPPD.