Cyber-incident sharing needed to grasp risk, says industry

By Chad Hemenway on July 24, 2014

The insurance industry told the Department of Homeland Security it needs an information sharing mechanism for cyber incidents, among other requests, in order to increase its participation in taking on cyber risk.

The DHS’ National Protection and Programs Directorate released a report highlighting the results of several roundtables and workshops meant to examine the insurance industry’s appetite for first-party cyber risk. According to the report, the industry also expressed a desire for more data regarding a cyber attack on critical infrastructure and noted shortcomings in companies’ enterprise risk management efforts, mostly at medium and small businesses.

NPPD was joined by 10 each of brokers, underwriters and reinsurers and agreed to include their comments in the report on a non-attribution basis. The workshops did not focus on third-party risk.

“One idea that surfaced repeatedly was the creation of a cyber-incident repository where [information on types, frequency, affected parties and impacts] could be stored and analyzed,” according to the report. Clearly, underwriters are struggling to grasp what occurs during a cyber incident.

But such a request would start from the simplest of tasks—defining a “cyber incident” and potentially categorizing these incidents into physical and non-physical events. Defining “critical infrastructure” would also be needed, since the insurance industry often identifies it in terms of risk aggregation—which does not always follow the industry sectors identified by the federal government (energy, transportation, etc.). The cloud is an example, said industry participants. Defining terms internationally is another challenge.


The manner in which information would be shared varied, and how to incentivize a company to share is up for argument, but all appeared to agree the value proposition of a repository is its potential to help an organization see its significant cyber risks. One underwriter said analysis of this data as it accumulates “would enhance the ability of carriers to identify and put a dollar figure on high-consequence cyber risks of most relevance to different critical infrastructure sectors.”

The federal government may have the best information pertaining to potential damages to large swaths of industries caused by a cyber attack, but due to national security concerns, it may be apprehensive about sharing. Industry representatives suggested government-inclusive table-top exercises, like those conducted to understand impacts to infrastructure following a hurricane.

ERM

Importantly, the industry said companies who have adopted an enterprise risk management approach to cyber risk have “many more options” when turning to the market for cyber insurance.

ERM programs allow carriers to identify safer insurance investments. “The outgrowths of ERM, such as insurance, come with a certain confidence level in the security of the [company’s] infrastructure,” one underwriter said.

Chief information security officers need to be involved in the ERM process, but typically only large companies employ CISOs. In fact, many companies aren’t large enough to support an ERM program in the first place. However, industry representatives said this is no excuse to avoid risk management.

“Regardless of whether a company is sophisticated enough to have an ERM program, it will have a board,” the report stated. “A board-level review could essentially serve as an ERM program substitute for a mid-size or small company.”

There are other ERM challenges in communication and integration, and in whether ERM itself is a cybersecurity strategy.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].