The insurance industry has very little actuarial data on cybersecurity with which to write its policies, especially when it comes to estimating the physical impacts of cyber-attacks on operations, including industrial manufacturing operations and energy production. Speaking about the insurance industry’s role in reducing cyber risk at the 4th annual cybersecurity conference at Georgetown University, Greg Vernaci of American International Group explained, “We have actuarial data on breaches and notifications. Where we don’t have data is on the physical impacts for major industrial sectors which are increasingly looking for cybersecurity coverage.” Vernaci explained that such data would be beneficial to “provide a solution” for these industries seeking insurance products. As a result, there has been an effort within the Department of Homeland Security to create a cyber-incident data repository for insurers to use when analyzing cyber risk. Former DHS official Tom Finan spoke of efforts in conjunction with industry leaders to figure out what was needed in order for the risk posed by cybersecurity threats to be underwritten. “Insurance cannot be the sum total of a risk-management strategy,” said Finan, who is currently with Ark Network Security Solutions. Cybersecurity controls and mitigation measures are also necessary features of an effective cybersecurity strategy.
These efforts led to the creation of a working group and three “white papers” on what it would take to initiate this repository. On this matter, Finan said, “We heard that it could not be run by DHS in the post-Snowden era. But DHS is continuing to lay the groundwork for a repository that could be run by a private-sector entity, such as a university, trade association or as a for-profit venture.” DHS is now in the process of creating focus groups for this repository, which reportedly will be done by the summer.