On March 22, the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on The Role of Cyber Insurance in Risk Management. The witnesses were Matthew McCabe, a Senior Advisory Specialist for cyber insurance at Marsh FINPRO, Adam Hamm, North Dakota Insurance Commissioner, Daniel Nutkis, CEO at Health Information Trust Alliance, and Tom Finan, CSO at Ark Network Security Solutions. The goal of the hearing was to evaluate the current state of the cyber insurance market and its potential for growth, as well as examining ways to promote the adoption of cyber best practices and the use of cyber insurance to more effectively manage risk.
In his opening statement, Subcommittee Chairman Rep. John Ratcliffe (R-TX) outlined the goals of the hearing and the importance of cybersecurity in an increasingly interconnected world. The potential for cyber insurance to encourage companies to improve risk management has been an important topic recently, which Mr. Ratcliffe underscored by pointing to a string of high profile breaches including Home Depot, Target, and JPMorgan Chase, which impacted everyday Americans. While noting that the cyber insurance market is still in its infancy, he conveyed optimism for the market’s future potential. Mr. Ratcliffe believes that cyber insurance may be one solution to improving the security of companies that store data online. In a premise that was reiterated throughout the hearing, he noted how the process of considering, applying for, and maintaining a cyber insurance policy forces companies to examine their own cyber security weaknesses and vulnerabilities. He also mentioned the work of the Department of Homeland Security’s Cyber Incident Data and Analysis Working Group, which is facilitating discussions with key stakeholders on mitigating risks, examining the potential value of a cyber incident data repository, developing new cyber risk scenarios and models, and seeking to help organizations to evaluate and improve cyber risk management. Ranking Member Rep. Cedric Richmond (D-LA) echoed these sentiments and raised the question of what a cyber insurance policy would look like in certain scenarios, such as if a company was already hacked, malware was dormant, but it still wanted to mitigate its subsequent risk. This brought up some of the challenges that are unique to cyber insurance compared to other types, such as homeowners insurance.
In the witnesses’ opening statements, they discussed the state of the cyber insurance market from an industry and regulatory perspective, as well as ways that it might grow. Mr. McCabe discussed cyber insurance as a product, how it helps improve resiliency against threats, and the use of data analysis to support and improve the industry. He also discussed Marsh’s role in helping clients assess their own risk exposure and helping them deal with the financial impact of a cyber incident. He argued for the importance of cybersecurity and risk management for the private sector, as well as to protect U.S. critical infrastructure that is increasingly connected to the internet and therefore increasingly vulnerable to cyber attacks.
Mr. Hamm’s opening statement focused on cyber insurance from a regulatory perspective, and how the system compares to other types of insurance. He reiterated the evolving nature of cyber threats, especially as society becomes increasingly reliant on electronic communication and businesses collect and store more “granular” information about their customers. He pointed out that contrary to what many businesses may believe, commercial insurance policies do not cover many cyber risks, which require a cybersecurity policy. Because cyber insurance is so new, he urged caution in using the term “cybersecurity policy,” which can mean different things depending on the specifics for the purchaser and insurer. He then outlined the structure and benefits of the state-based insurance regulation system. Mr. Hamm stated that though cyber insurance policies are relatively new, the policies are scrutinized just as rigorously as other insurance policies.
Mr. Nutkis discussed the role of cybersecurity in risk management and the work done by HITRUST and the health care industry to enhance this role. He underlined the importance of cyber insurance in increasing the health care industry’s cyber awareness, improving its cyber preparedness, and strengthening its risk management posture. He then detailed the work HITRUST does to provide a risk-based information privacy and security control framework, compliance assessment and reporting for regulatory requirements, and best practices frameworks specifically for the health care industry, among other services.
The final witness, Mr. Finan, described the role that DHS has played in identifying and overcoming obstacles to a more robust cybersecurity insurance market, as well as the role of the private-public engagement model, especially as it relates to small and mid-sized businesses. Like the other witnesses, he underlined the importance of cyber insurance in cyber risk management, because it encourages critical infrastructure owners to better manage their cyber risk in return for better and cheaper policies. He then outlined some of the major obstacles preventing insurers from providing more cyber insurance coverage, including the ongoing lack of actuarial data, the absence of common cybersecurity standards, the lack of understanding about critical infrastructure dependencies and interdependencies, and the failure of businesses to incorporate cyber risk into their traditional enterprise risk management programs.
Many of the members’ questions focused on the link between cyber insurance and improved risk management and cyber security measures, the details of a potential data repository, and the role of government in the growing cyber insurance market. Rep. Ratcliffe asked Mr. Nutkis if they had found that applying for cyber insurance caused organizations to bolster their security, to which he replied that this is usually the case, since making good decisions on cyber controls and lowering residual risk result in lower premiums.
Rep. Richmond asked witnesses about the impact of the “risk culture” and whether cyber insurance changes the conversation on cyber risk, which is usually low on businesses’ list of priorities. Mr. Finan replied that cyber risk is usually relegated to IT departments because it isn’t understood in business terms. Insurance, however, could play a bridging role because executives understand how it fits into an enterprise risk management framework.
Members asked about the specifics of cyber insurance policies and what they look like. Mr. McCabe discussed how different companies’ policies would differ based on factors such as sector, revenue, and current risk management practices, meaning that they could be tailored to companies of all sizes. Mr. Hamm talked about the importance of gathering and sharing data in order to better understand cyber risk and come up with better products that can respond to the evolving nature of cyber threats. The question that followed was who should develop the standards and maintain and protect the data repository. Mr. Hamm did not have a specific answer, saying that his only concern was that the data be useful and available to state insurance commissioners. When prompted by Rep. Scott Perry (R-PA), however, he did concede that he didn’t wish to see another federal program.
This concern came up with other members as well, as they and the witnesses talked about the role of the federal government in cybersecurity and the cyber insurance market. Rep. Curtis Clawson (R-FL) said he wanted to see the market sort things out on its own, since the government would take an overly-simplified approach that could hamper the market in its early stages. While the witnesses generally agreed that the federal government shouldn’t be completely involved in the market, they agreed on the importance of a limited role, such as private-public partnerships and other initiatives. One witness discussed the “ghost of Edward Snowden,” which has led to discomfort with the federal government housing a potential data repository, while also recognizing it has an important role to play.
This hearing underscored the constantly evolving nature of cyber threats and the potentially devastating impact of cyber breaches, and thus the importance of addressing and better understanding cybersecurity. Cyber insurance is just one of many tools an organization can use to address these threats and manage its risk, and the witness testimonies indicate that demand will only continue to increase.