Robert Knake, a cybersecurity expert with the Council on Foreign Relations, has recently released a report calling for the creation of a federally sponsored cyber insurance program. The report argues:
Anticipating a catastrophic event in cyberspace, Congress should put in place a federal backstop for cyber insurance. Doing so would set expectations for the market and, if constructed properly, reduce the likelihood of a catastrophic cyber event by stimulating the adoption of best practices through insurance requirements and creating incentives to participate in programs that reduce risk for everyone connected to the internet.
The report notes that there is a current need for expanding the use of standalone cyber insurance. Though recent reports indicate that the market for such insurance is growing, nonetheless, “most companies are not purchasing cyber insurance.”
Perhaps more worrying is that some “insurers are quickly working to exclude cyber events from other policies.” What’s more, the policies available to companies now fall far short of covering the kinds of costs that some analysts see as possible in the event of a large-scale cyberattack against critical infrastructure.
The report identifies a number of challenges for creating a more robust cyber insurance market. Those include:
A lack of actuarial data that would allow insurers to price risk adequately;
A lack of agreement on best practices for improving cybersecurity; and as a result,
A lack of premium reductions (i.e., incentives) for companies to adopt better cybersecurity practices; and
Difficulty in creating a government program that promotes, rather than supplants, the market.
The report makes a number of recommendations for addressing these problems. These include:
Using the “promise of limited financial liability to promote participation in initiatives that benefit the security of the internet as a whole and reduce systemic risk.”
Focusing first on information sharing related to threats and impacts to help solve the risk pricing problem.
Modeling the program on current, federally sponsored insurance programs related to terrorism and other rare, catastrophic events.
Requiring firms seeking insurance under the program “to develop a cybersecurity plan based on guidance from the Cybersecurity Framework, the standard for cybersecurity across industries.”
Mandating NTSB-style “breach investigations, which include on-site gathering of data on why the attack succeeded, to help other companies prevent similar attacks.”
I am generally in favor of efforts to promote a reduction in cybersecurity risks first and foremost by encouraging companies (and individuals too) to adopt better security practices. Too often, we seem to want the government, in particular the national security community, to solve these problems for us. But a better approach is to begin by doing the basics, the cybersecurity equivalent of locking the doors and getting your flu shot. If incentives are required, either positive or negative, to make that happen, then that is where we should start.
My primary quibble with this proposal, however, is with offering limited financial liability for participation in information sharing. In particular, I have two main concerns:
Might it be more effective to open companies up to the possibility of penalties in the wake of a breach if it can be shown that they did not follow best practices prior to the breach?
What are the privacy implications of information sharing?
Regardless of these concerns, I think this is a positive entry into the current debate about how to improve U.S. cybersecurity, a proposal that deserves to be taken seriously.