BreachExchange mailing list archives

Cyber Coverage Will Be A Basic Insurance Policy By 2020


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 10 Sep 2014 19:45:49 -0600

http://www.nextgov.com/cybersecurity/2014/09/wh-official-cyber-coverage-will-be-basic-insurance-policy-2020/93503/?oref=ng-skybox

By 2020, private firms will be buying cybersecurity insurance when they
sign up for product liability coverage and other basic policies, a top
White House cyber official said Monday.

There isn't a market for cyber insurance yet — not for lack of interest,
but because of the lack of data on the odds companies will be breached and
the true costs of those hacks.

Now, that kind of information is starting to become more transparent, what
with major retailers, banks and other companies reporting breaches daily
and industries finally taking inventory of their security postures.

Within six years, "we're going to be well on our way to everyone having
cyber insurance as just a basic set of insurance, just like property
insurance," said Ari Schwartz, director for cybersecurity on the White
House National Security Council, during a Sept. 8 panel discussion at the
Nextgov Prime conference.

Demand Outstripping Supply

Some businesses are clamoring for coverage, but cannot obtain the type of
policies they need.

A Bipartisan Policy Center report on power grid cybersecurity published in
February recommended the government initially guarantee coverage.

"A federal backstop would increase carriers’ willingness to offer cyber
insurance and lower the cost of doing so," said the co-authors, who
included retired Gen. Michael Hayden, former CIA and National Security
Agency director.

Schwartz, however, said the marketplace is “really growing quite a bit”
today without government intervention. However, the demand for such
services still outstrips the supply.

For example, retail giant Target reportedly couldn't find an adequate
policy for cyber losses after hackers raided the big box store's payment
system last year. At the time, Target pieced together $100 million in
coverage, along with a $10 million deductible, which, according to The New
York Times, will barely take care of an anticipated $1 billion in losses.
Target attempted to obtain more insurance, but at least one carrier
rejected the retailer.

"The insurance companies couldn't sell it to them because they didn't have
the actuarial data to be able to figure out what the costs should be and
how it should work," Schwartz said. "Part of that issue is getting the
information that we need in this space."

Companies Now In Data Collection Mode

Industries now are also beginning to collect the necessary data from
victims and potential victims in a way that protects their identities, he
said.

For example, there is the “Electricity Subsector Cybersecurity Capability
Maturity Model,” a 92-page yardstick that both delineates the levels of
protection organizations should maintain and judges how they stack up
against those benchmarks. Conversations among the White House, the
departments of Energy and Homeland Security and power companies led to the
development of the maturity model.

"We've seen a lot of different industries start to build maturity models
for cybersecurity," Schwartz said. The model used by the electricity sector
is being used by most large companies in the industry, he noted. Oil and
natural gas firms, as well as telecommunications companies, are following
suit with their own gauges, Schwartz added.

"You have different industries now building these and the insurance
companies are looking at what those industries are doing and are able to
provide insurance much more easily for those sectors that have maturity
models," he said. "That's a really positive sign."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
