The role of insurers in cybersecurity has been a hot topic lately, both on and off Capitol Hill. A recent Business Insurance article says that cyber insurance could be an answer to the United States’ most critical national security problems, at least in an indirect way. However, the federal government is not interested in the cyber insurance market, at least not for itself. Even if it were, the government’s spotty reputation on data protection would most likely push insurance companies away from underwriting government cyber coverage. Nonetheless, BI’s Mark Hofmann explains that cyber insurance might “enhance national security in an indirect yet crucial way – by encouraging ever more effective risk management for exposures involving such matters as critical infrastructure.”
As that conversation continues to circle, it brought me back to a subcommittee hearing I attended in early March. The hearing centered on the insurance industry’s role in cyber risk management. Appearing before the U.S. House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee, Tom Finan, chief strategy officer for Ark Network Security Solutions, explained just how the cyber insurance industry could bolster cyber risk management on the front end, the same way that fire insurance has helped alleviate fire risks. “We knew that insurers had been very successful in identifying specific fire safety controls that today are not only conditions for coverage within fire insurance policies but also prerequisites for obtaining a building permit,” said Mr. Finan. “Our hope was that brokers and underwriters together could help identify the cyber security equivalents of sprinkler and other fire suppression systems. What we discovered is that while they may get there one day, they are not there yet.”
However, while fire insurance has evolved over hundreds of years, we only have about a decade of data and experience to support cyber loss control. For now, we find ourselves constantly playing catch-up with cyber criminals, as cyber threats evolve at a far faster rate than fire risks. As Hofmann reports, “it will take time to achieve penetration, [but] the industry can begin encouraging enhanced cyber risk management through both carrots such as premium breaks for sound risk management, and sticks such as refusing to write coverage for accounts that don’t practice adequate risk management. The faster they begin, the sooner a gap in national security will be at least partially filled.”