In written comments to the presidential commission on cybersecurity, global insurance firm Marsh & McLennan calls for the expanded use of the SAFETY Act, which provides liability protections for providers of anti-terrorism technologies, to legally protect the nation’s critical industries such as power plants and telecommunications companies. Marsh & McLennan suggests the Act could be applied more broadly across industries to allow for more protective cyber protocols. “Companies that own and operate critical infrastructure, including power and water utilities, chemical plants, civilian nuclear facilities, dam operators and telecommunication providers, should be encouraged to submit their information security protocols and controls for SAFETY Act approval,” according to the firm.
If accepted by the Commission on Enhancing National Cybersecurity, the proposal will be a controversial wrinkle in current protocol. It will put the Department of Homeland Security in the central role of dictating which industries best qualify for data and network liability protections under the law. The overall goal of the proposal is to improve cyber resilience in the private sector.
The proposal has met some resistance from state insurance regulators, who argue that private insurance providers are still improving the services and products they can provide for atypical situations like this one. State commissioners argued that qualitative assessments and data based on actual incident experience will be needed in order to properly evaluate an applicant’s true cyber risk and to allow for the greatest degree of personalization in security plans. The NAIC writes, “Though demand is increasing, the cyber insurance market is still relatively small as cybersecurity risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data.”
The presidential commission is to release its policy recommendations for the next administration on December 1.