When the National Institute of Standards and Technology released its Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, (a priority program for the federal Department of Homeland Security), the National Protection and Programs Directorate (NPPD) became the working session between the government and the private insurance industry to discuss the impact of the NIST Framework on the cyber-insurance marketplace. The Framework, released in February 2014, originally drafted to focus on critical infrastructure enterprises, (utilities, data centers, etc.) is also designed to provide other private organizations that maintain protected data (in any electronic form) a roadmap for effectively and methodically creating and improving their cyber-security.
At working sessions within the NPPD, it has been reported that three primary areas were discussed in addressing how the government would influence more first and third party insurance coverage for computer-related security occurrence: (1) the creation of a “cyber incident information sharing/data repository;” (2) cyber incident consequence analysis; and (3) “enterprise risk management.” It is reported that insurance professionals at the workout session strongly advocated the creation and implementation of a cyber incident data repository as a means whereby public and private sector organization may share information about security vulnerabilities, data breaches and, ultimately, to create actuarial tables to be used to analyze trends.
The types of information valuable for such a repository includes incident objectives and targets, causes, frequency, and severity; the impact and response of affected organizations, and the vulnerabilities exposed by such breaches; timelines of the incidents; third-party vendor information; ability and timeliness of organizations’ remedy of a security breach; and information on preventative actions taken by impacted organizations in response to such attacks.
NPPD also discussed state of the ability to analyze the actual consequences and effects of cyber occurrences and addressed various means of assessing the total potential loss associated.
This issue is of particular significance for insurance underwriters as actual loss data is a common tool in models to anticipate the potential risk of a given occurrence.
Insurance professionals have created their own scenario-based cyber-risk modeling for years, but identified at NPPD that critical information is still unavailable, such as probability of attacks, locations of risk accumulation, the cascading effects of such attacks across infrastructure sectors, the magnitude and value of losses from cyber thefts of intellectual property, and the magnitude and value of losses stemming from reputational harm to companies and business interruption losses.
Finally, reports from the NPPD address how enterprise risk management programs should incorporate cyber risk into traditional business risk insurance loss assessment. Discussion focused on the potential pros and cons of ERM programs on an industry-wide basis, and how ERM programs that specifically include means for addressing cyber risk may be assessed by carrier in affording coverage.
Although the NPPD discussions are ongoing it is clear that the Framework is significantly altering the way insurers think about providing first- and third-party coverage for organizations and third party vendors that are in the business of maintaining or even handling electronic data. Even more, the NIST Framework intends to be the foundation of a more widespread industry standard of care for cyber security.