Over the last couple of years, the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) has been working with academics, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others to develop and expand the ability of the cybersecurity insurance market to address problems within this emerging risk field. DHS recently released a white paper labeled The Proposition Value, which “details how a cyber incident data repository could help advance the cause of cyber risk management and, with the right repository data, the kinds of analysis that would be useful to CISOs, CSOs, insurers, and other cybersecurity professionals.”
Additionally, NPPD has been engaging these experts to better understand the “market’s potential to encourage businesses to improve their cybersecurity in return for more coverage at more affordable rates.” NPPD has been exploring the possibility of creating a cyber incident data repository to “foster both the identification of emerging cybersecurity best practices across sectors and the development of new cybersecurity insurance policies that ‘reward’ businesses for adopting and enforcing those best practices.”
DHS believes that a cyber incident repository could help create a “trusted environment for enterprise risk owners to anonymously share sensitive cyber incident data. Conceptually, that data, once aggregated and analyzed, will result in increased awareness about current cyber risk conditions and longer-term cyber risk trends. New analytics products, rooted in rich repository data, in turn will help inform more effective cyber risk management investments by both private and public sector organizations as well as better cybersecurity insurance products.”