The brave new world of cyber insurance


Perimeter defenses have been penetrated the world over, and the modern cybersecurity conversation is all about how to mitigate the damage once your organization is inevitably breached.

Could cyber insurance be a smart way to ease the pain? Insurance pros say yes, but they need more information, and maybe government aid, for the space to grow.

Insurers as cyber auditors

Cyber insurance is an “important” tool, Deputy Treasury Secretary Sarah Bloom Raskin said at a Sept. 10 conference on the topic sponsored by the Center for Strategic and International Studies.

The actual payout companies could get from their cyber insurance in the event of a breach is a “last line of defense,” Raskin noted, but there’s more benefit to getting insured than just the money.

“The underwriting process itself can bolster cybersecurity,” she noted.

“At [insurance broker] Marsh, we don’t consider ourselves just in cyber insurance,” said the firm’s senior cyber advisory specialist Matt McCabe, echoing Raskin’s comment. “We’re in cyber risk management.”

When a company wants to buy cyber insurance, it doesn’t just fill out some forms, pay a premium and call it a day, McCabe said. “That’s just not how the industry works.”

Instead, companies work through an involved exercise in which underwriters closely examine their cybersecurity setup and offer suggestions for improvement, something McCabe called “the closest thing I’ve seen to a deposition outside the courtroom process.”

Insurers typically stay on top of their clients afterward to promote good cybersecurity practices, McCabe added.

A dearth of information

A key challenge facing the industry is data.

“There’s a paucity of information” about cyberattacks on private companies, noted Suzanne Spaulding, the Homeland Security Department’s undersecretary for the National Protection and Programs Directorate. Companies just don’t want to talk about cyber incidents unless they absolutely have to (when hackers take information public, as happened with Ashley Madison and Sony Pictures, or when the release of personally identifiable information renders the company legally obligated to disclose a breach), Spaulding said. Underwriters are left with a big knowledge gap as they try to figure out the type, frequency and severity of cyber threats.

BitSight Technologies is one of the private assessment firms filling that gap, giving companies security ratings on a 250-900 scale, much like FICO scores convey the risk associated with lending to individuals.

“Cyber insurance is harder in many respects than traditional risk insurance, in part because the historical data hasn't been aggregated but also because there's less certainty about the effectiveness of ‘best practices,’” noted Jake Olcott, BitSight’s VP of business development.

Third-party assessors like BitSight, which probe company defenses from the outside, can help insurers understand the risk they’re taking on and help companies understand how well they’re defending themselves (or how poorly: of the six industries BitSight tracks, two average “basic” security levels and four average “intermediate,” with only the finance industry topping 700 on average).

But Olcott said the government still needs to play an important role, “providing more information, more data for those underwriters.”

DHS’s Spaulding promised to help, plugging the department’s Cyber Incident Data and Analysis Working Group.

Geared toward gathering private sector cybersecurity incident data into one shareable database, CIDAWG released a new cyber insurance white paper on Sept. 14, Spaulding said.

Incident reports coming to DHS will be anonymized and companies will face no liability for sharing information, Spaulding pledged, adding that her “cyber ninja warriors” have been working to ensure the information sharing setup is as secure as possible.

“We really want to incentivize information coming into one place,” she said.

According to Olcott, McCabe and other industry veterans, that data repository could prove invaluable for the nascent cyber insurance marketplace.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.
