House Homeland Security Committee Holds Cyber Insurance Hearing

King & Spalding

On March 22, 2016, the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee held a hearing entitled “The Role of Cyber Insurance in Risk Management.” Participants in the hearing discussed the current state of the cyber insurance market and its role in improving the cybersecurity posture in the United States. The participants further described various ongoing efforts involving the private sector and state and federal entities to develop and improve the cyber insurance market.

Witnesses testifying at the hearing were Matthew P. McCabe, Senior Vice President of Marsh, LLC; Adam W. Hamm, Commissioner of the North Dakota Department of Insurance, testifying on behalf of the National Association of Insurance Commissioners; Daniel Nutkis, CEO and founder of the Health Information Trust Alliance; and Thomas Michael Finan, Chief Strategy Officer for Ark Network Security Solutions and former Senior Cybersecurity Strategist and Counsel with the U.S. Department of Homeland Security’s National Protection and Programs Directorate.

The Subcommittee’s Chairman, Rep. John Ratcliffe (R-TX) framed the discussion by noting that cyber insurance may be an effective market-driven mechanism for improving the security of companies that store personal information. According to Mr. McCabe, the “very act of applying for cyber insurance forces an assessment of the applicant’s cyber practices.” Mr. Ratcliffe stated that the marketplace for cyber insurance needs to expand to attract small and medium-sized entities by offering a “wide array of diverse, affordable products.”

In discussing obstacles facing the cyber insurance market, both Mr. Hamm and Mr. Finan noted in their prepared testimonies that cyber risk should be treated as an enterprise risk management issue rather than separately as an information technology issue. A common theme among the witnesses’ testimonies was that cyber risk is difficult to assess quantitatively. Mr. Hamm attributed this difficulty in large part to a lack of actuarial data. As a consequence, Mr. Hamm and Mr. Finan both observed that brokers and underwriters increasingly assess qualitative factors during the underwriting process, such as whether a company exhibits an engaged cyber risk culture. Reliance on qualitative assessments, according to Mr. Hamm, results in cyber insurance policies that are more customized and, therefore, more costly.

Mr. Nutkis’ testimony describes how the Health Information Trust Alliance (“HITRUST”) leveraged its Risk Management Framework (“HITRUST RMF”) and its Common Security Framework (“HITRUST CSF”) as bases for a standardized approach to cyber risk assessment in the healthcare cyber insurance sector. According to Mr. Nutkis, this HITRUST RMF-based underwriting model allows organizations that demonstrate an enhanced information security posture to enjoy the benefit of lower premiums and broader coverage.

The participants in the hearing discussed the idea of a data repository through which companies could share cyber incident data and thus increase awareness of current cyber risk conditions and trends. Mr. Finan’s testimony describes his experience with the Cyber Incident Data and Analysis Working Group (“CIDAWG”), which was initiated by the Department of Homeland Security (“DHS”). The CIDAWG included chief information security officers, chief security officers, and other cybersecurity professionals from the Critical Manufacturing Sector Coordinating Council (“CMSCC”), as well as cyber insurance brokers and underwriters. The CIDAWG concluded that such a data repository could, for example, support analysis that identifies cyber risks and effective controls; support cyber risk forecasting, trending, and modeling; and advance a cyber risk management culture.

Although the Subcommittee’s Minority Chairman Rep. Cedric Richmond (D-LA) noted in his opening remarks that the federal government has no oversight or legislative jurisdiction over the insurance industry, Mr. Finan recommends that the DHS use its convening power, as evidenced by the CIDAWG, to “provide tremendous benefit when it comes to helping mid-size and small businesses struggling with their cybersecurity efforts” by engaging them with cyber insurance brokers and underwriters.

Additional information on the hearing is available by clicking here. Copies of the witnesses’ prepared testimonies are available as follows: Mr. McCabe, Mr. Hamm, Mr. Nutkis, and Mr. Finan.

Reporter, Stephen R. Shin, New York, NY, +1 212 556 2198, sshin@kslaw.com
