Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack. In recent years, the Cybersecurity and Infrastructure Security Agency (CISA) has engaged key stakeholders to address this emerging cyber risk area.
Cyber Risk Management and Cybersecurity Insurance
Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a “stand alone” line of coverage. That coverage provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations. Few cybersecurity insurance policies, however, provide businesses with coverage for an area of growing private and public concern: the physical damage and bodily harm that could result from a successful cyber attack against critical infrastructure.
Since 2012, CISA has engaged academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others to find ways to expand the cybersecurity insurance market’s ability to address this emerging cyber risk area. More broadly, CISA has sought input from these same stakeholders on the market’s potential to encourage businesses to improve their cybersecurity in return for more coverage at more affordable rates. CISA is currently facilitating dialogue with CISOs, Chief Security Officers (CSOs), and insurers about how a cyber incident data repository could foster both the identification of emerging cybersecurity best practices across sectors and the development of new cybersecurity insurance policies that “reward” businesses for adopting and enforcing those best practices.
DHS Cybersecurity Insurance Working Sessions
From 2012 through 2014, DHS hosted four separate working sessions where cybersecurity professionals examined the existing cybersecurity insurance marketplace, described obstacles to expanding and improving it, and identified three key ideas for overcoming the most pervasive of those obstacles:
- Cyber incident information sharing. An anonymized cyber incident data repository could foster the voluntary sharing of data about breaches, business interruption events, and industrial control system attacks needed for enhanced risk mitigation and risk transfer (insurance) approaches.
- Cyber incident consequence analytics. The development of new cyber risk scenarios, models, and simulations – based on repository data – could help promote understanding about how a cyber attack might cascade across infrastructure sectors and where opportunities for risk mitigations might exist.
- Enterprise Risk Management (ERM). An accepted approach for fusing cyber risk into traditional ERM programs could help organizations of all sizes better prioritize and manage their top business risks.
Additional information about the working sessions, including Readout Reports summarizing session discussions and findings, can be found on the Insurance Industry Readout Reports webpage.
Benefits of a Cyber Incident Data Repository
Following the working sessions and based on the recommendations of the participants, CISA continues to explore the benefits and feasibility of a cyber incident data repository that creates a trusted environment for enterprise risk owners to anonymously share sensitive cyber incident data. Conceptually, that data, once aggregated and analyzed, will result in increased awareness about current cyber risk conditions and longer-term cyber risk trends. New analytics products, rooted in rich repository data, in turn will help inform more effective cyber risk management investments by both private and public sector organizations as well as better cybersecurity insurance products. As the culmination of this conceptual effort, CISA will aim to find answers to three key questions:
- Do existing repositories meet the cyber incident data needs of cybersecurity stakeholder groups?
- Are owners and operators of existing repositories open to leveraging external cyber incident data and analysis knowledge and incorporating it into their existing structures?
- If not, should a new cyber incident data repository be developed?
Cyber Incident Data and Analysis Working Group
As a follow-on to the working sessions, CISA established a Cyber Incident Data and Analysis Working Group (CIDAWG), comprised of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals, to deliberate and develop key findings and conclusions about:
- The value proposition of a cyber incident data repository;
- The cyber incident data points that should be shared into a repository to support needed analysis;
- Methods to incentivize such sharing on a voluntary basis; and
- A potential repository’s structure and functions.
- The Value Proposition. Details how a cyber incident data repository could help advance the cause of cyber risk management and, with the right repository data, the kinds of analysis that would be useful to CISOs, CSOs, insurers, and other cybersecurity professionals.
- Cyber Incident Data Points and Repository-Supported Analysis. Addresses the kinds of prioritized data points that should be shared among repository users to promote new kinds of needed cyber risk analysis.
- Overcoming Perceived Information Sharing Obstacles. Identifies potential roadblocks to voluntary sharing into a repository and potential approaches for addressing those roadblocks.
- Repository Structure and Operations Requirements. Will detail the requirements that a future repository must address in order to successfully meet the multiple needs of likely users.
Cyber Incident Data and Analysis Repository Workshop – April 19-20, 2016, Arlington VA
On April 19-20, 2016, the Cybersecurity and Infrastructure Security Agency (CISA) hosted a workshop to discuss the value and the feasibility of a cyber incident data and analysis repository. The workshop built on the work the CIDAWG has accomplished thus far and focused on the execution of the repository. For more details on the event and workshop materials go to: https://www.dhs.gov/event/cidar-workshop.
Federal Register Notice on the Cyber Incident Data and Analysis Repository White Papers
On March 28, 2016, the Cybersecurity and Infrastructure Security Agency (CISA) published a Federal Register Notice (FRN), which sought comments on the benefits and feasibility of a cyber incident data and analysis repository (CIDAR) and requested feedback on three white papers the Cyber Incident Data and Analysis Working Group (CIDAWG) developed from February through December, 2015:
- The value proposition of a CIDAR;
- The cyber incident data points that should be shared into a repository to support needed analysis; and
- Overcoming perceived obstacles to sharing into a repository
Responses to the FRN and the outcomes from the April, 2016 CIDAR workshop will inform a prototype repository that the CIDAWG is planning to scope for a pilot project. For more details on the responses received during the FRN go to the FRN - Cyber Incident Data and Analysis Repository Benefits and Feasibility web page.
Direct all inquiries to firstname.lastname@example.org.