Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce has described cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following a cyber attack. Many companies nevertheless forgo cybersecurity insurance altogether. They cite its perceived high cost, a lack of awareness about what it covers, and uncertainty that they’ll suffer a cyber attack as just some reasons for their decision.
In order to examine what obstacles hinder the development of a robust cybersecurity insurance market that can offer more relevant policies to more people at lower cost, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) brought together a diverse group of public and private sector stakeholders in October 2012 to examine the current state of the cybersecurity insurance market. That Cybersecurity Insurance Workshop focused on the challenges facing the “first-party” market, which covers direct losses to companies arising from cyber-related incidents such as business interruption, destruction of data and property, and reputational harm. The participants included insurance carriers, corporate risk managers, IT/cyber experts, economists and other social scientists, and critical infrastructure owners and operators. NPPD asked the participants to nominate breakout group topics to develop the workshop agenda, and the topics selected were:
- Defining Insurable and Uninsurable Cyber Risks
- Cyber Insurance and the Human Element
- Cyber Liability: Who is Responsible for What Harm?
- Current Cyber Risk Management Strategies and Approaches
- Cyber Insurance: What Harms Should It Cover and What Should It Cost?
- Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities
- Sequencing Solutions: How Should the Market Move Forward?
In May 2013, DHS held a Cyber Risk Culture Roundtable focused on how to build more effective cyber risk cultures as a prerequisite to a stronger and more responsive first-party market. Based in part on the previous discussions as well as its own research, DHS identified four “pillars” of such cultures: engaged executive leadership; targeted cyber risk management and awareness; cost-effective technology investments tailored to organizational needs; and relevant cyber risk information sharing. During the Cyber Risk Culture Roundtable, participants from each of the aforementioned stakeholder groups discussed the importance of and challenges with implementing each of the identified pillars in three distinct but related contexts: within companies; between partnering companies; and nationally. Participants also shared their views about how large, mid-size, and small companies should go about meeting those challenges given their varying levels of expertise and risk management resources.
DHS and NPPD conduct all stakeholder outreach in accordance with the Federal Advisory Committee Act, P.L. 92-463, and have captured the viewpoints of the workshop and roundtable participants in a Cybersecurity Insurance Workshop Readout Report and a Cyber Risk Culture Roundtable Readout Report, respectively. Both reports can be viewed below. NPPD intends to use the reports as reference points for any future cybersecurity insurance discussions that it convenes. The comments, perspectives, and suggestions contained in the reports are those of the workshop and roundtable participants only and do not necessarily reflect the views of DHS or NPPD.