Apr 28 2015

Cyber insurance regulations: Senate probes federal data breach protections bill

Cyber insurance is becoming a significant market force that will drive improved cyber security for companies and, by extension, for consumers and the nation as a whole. It is more than just an instrument to transfer risk; it provides incentives to understand and mitigate risks. To wit, attached is a summary of the most recent Senate hearing:

U.S. Sen. Jerry Moran (R-Kan.), chair of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, held a hearing March 19 titled “Examining the Evolving Cyber Insurance Marketplace.” The hearing explored the growing cybersecurity risk insurance market and heard from experts about coverage, challenges, and opportunities in the industry and the impact on cybersecurity.

The March 19 event followed two previous hearings that were held last month on the same topic. The first one, “Building a More Secure Cyber Future: Examining Private Sector Experience with the NIST Framework,” examined the federal National Institute of Standards and Technology (NIST)’s partnership with the private sector to improve critical infrastructure cybersecurity. (NIST’s continuing role in cybersecurity was defined in the Cybersecurity Enhancement Act of 2014.) The second hearing, “Getting It Right on Data Breach and Notification Legislation in the 114th Congress,” provided the Committee with more information to assist its efforts in drafting a federal data breach bill.

In his testimony, Ben Beeson, vice president, Cyber Security and Privacy, Lockton Companies, noted that, just as companies invest in workplace safety to reduce workers’ compensation costs, sophisticated companies also will invest in stronger cyber security. In turn, those companies will experience fewer losses, insurers will see fewer claims, and companies’ premiums will be lower.

“Simply engaging in the process of seeking cyber insurance coverage can assist businesses to develop the correct approach to mitigate risk,” Beeson said. Insurance can bring all relevant stakeholders in an organization together, encouraging an enterprise-wide risk management approach.

Beeson, Mulligan (Catherine Mulligan, senior vice president, Management Solutions Group, Zurich North America), and Menapace (Michael Menapace, counsel, Wiggin and Dana LLP; Adjunct Professor of Insurance) all were positive on the idea of a public/private partnership between NIST and the insurance industry to create a framework—but not mandate standards—that companies had to meet. Beeson observed that such a partnership, with the possible formation of a data repository to house anonymized enterprise loss information, would “accelerate the growth of the marketplace, and crucially accelerate the ability of cyber insurance to act as a market incentive for industry to invest in cybersecurity.”

The Senate subcommittee is expected to continue hearings. I’ll bring you more information on the topic of cyber insurance as it develops.