Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forgo available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.
In recent years, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has brought together a diverse group of private and public sector stakeholders – including insurance carriers, risk managers, IT/cyber experts, critical infrastructure owners, and social scientists – to examine the current state of the cybersecurity insurance market and how to best advance its capacity to incentivize better cyber risk management:
- An October 2012 workshop focused on the challenges facing the “first-party” market, which covers direct losses to companies arising from cyber-related incidents – including cyber-related critical infrastructure loss. During the event, the participants identified various obstacles to market growth, including a lack of actuarial data and consequence-oriented analytics. They likewise described the overarching need for infrastructure owners to build effective cyber risk cultures as a prerequisite to expanding coverage.
- A May 2013 roundtable examined the four “pillars” of an effective cyber risk culture that carriers had identified as particularly attractive from an underwriting perspective: engaged executive leadership; targeted cyber risk education and awareness; cost-effective technology investments; and relevant information sharing. Participants discussed the importance of and challenges with implementing each of these pillars in three distinct but related contexts: within companies; between partnering companies; and nationally.
- A November 2013 roundtable focused on a fundamental yet unanswered question that had arisen during the prior events: how do cost/benefit considerations inform the identification of both an organization’s top cyber risks and the appropriate risk management investments to address them? The event included use case presentations by health care organizations that described an actual cyber incident they had experienced; how they managed the incident; and how their experiences had since influenced their actions and investments to improve patient safety, including investments in cybersecurity insurance.
- Based on what it had learned, NPPD hosted an insurance industry working session in April 2014 to assess three areas where it appeared progress could lead to a more robust first-party market: the creation of an anonymized cyber incident data repository; enhanced cyber incident consequence analytics; and enterprise risk management evangelization.
As described in the readout reports included below, participants at all four events offered a wide array of ideas and opinions on these and other topics. DHS and NPPD intend to use the reports as starting points for future cybersecurity insurance discussions. The comments, perspectives, and suggestions contained in the reports are those of the event participants only and do not necessarily reflect the views of DHS or NPPD. DHS and NPPD conducted all stakeholder outreach regarding the cybersecurity insurance events in accordance with the Federal Advisory Committee Act, P.L. 92-463.