Insurance Carrot Beats Government Stick in Quest for Stronger Cybersecurity


When it comes to cybersecurity, the U.S. federal government recognizes the carrot is more effective than the stick. Instead of using regulations to increase data security and protect personal information within private organizations, the White House is enlisting the insurance industry to offer incentives for adopting security best practices.

In March 2016, the U.S. House Homeland Security Cybersecurity Subcommittee held a hearing to explore possible market-driven cyber insurance incentives. The idea, said Rep. John Ratcliffe, chairman of the subcommittee, is to enable “all boats to rise, thereby advancing the security of the nation.”

The issue isn’t a lack of cyber insurance. Today, 80% of companies with more than 1,000 employees have a standalone cybersecurity policy, according to a Risk and Insurance Management Society survey. The real issue is getting companies to maintain more than a minimum set of security standards.

Borrowing from the fire insurance playbook
The insurance industry has been a catalyst for change in the past. Attendees of the Homeland Security Cybersecurity Subcommittee hearing pointed to the fire insurance market as a good example of using a carrot to drive positive behavior. Insurers offer lower rates to policyholders who adhere to certain fire safety standards, such as installing sprinklers and having extinguishers nearby.

Identifying best practices
So, what are the cybersecurity equivalents of sprinklers and fire alarms? Hearing attendees highlighted four components of an effective cyber risk culture:

  • Executive leadership: what boards of directors should do to build corporate cultures that manage cyber risk well.
  • Education and awareness: training and other mechanisms that are necessary to foster a culture of cybersecurity.
  • Technology: specific technologies that can improve cybersecurity protections.
  • Information sharing: ensuring the right people within the company have the information they need to enhance cybersecurity risk investments.

Spurring much-needed actuarial data
The hearing also touched on a major missing element in the current cyber insurance industry: reliable actuarial data regarding data breaches and other cyber incidents. Auto insurers know the likelihood of car accidents, so they know how to price the liability and measure the risk. But the likelihood and ramifications of various data breaches are a wildcard today, leading to problems in pricing cybersecurity policies.

Hearing attendees discussed creating an actuarial data repository with data from leading actuarial firms, forensic technology firms and individual insurer cyber claims. The proposed database would be housed at a nongovernmental location such as the Insurance Services Office Inc. (ISO), which has managed insurer actuarial databases for more than four decades. The hope is that the database would encourage voluntary sharing of information about data breaches, business interruption events and cybersecurity controls to aid in risk mitigation.

While the cyber insurance carrot is a long way from becoming reality, at least the seed has been planted.

Laurie Kumerow, Consultant, Code42

[Cloud Security Alliance Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
