The brave new world of cyber insurance


Perimeter defenses have been penetrated the world over, and the modern cybersecurity conversation is all about how to mitigate the damage once your organization is inevitably breached.

Could cyber insurance be a smart way to ease the pain? Insurance pros say yes, but they need more information, and maybe government aid, for the space to grow.

Insurers as cyber auditors

Cyber insurance is an “important” tool, Deputy Treasury Secretary Sarah Bloom Raskin said at a Sept. 10 conference on the topic sponsored by the Center for Strategic and International Studies.

The actual payout companies could get from their cyber insurance in the event of a breach is a “last line of defense,” Raskin noted, but there’s more benefit to getting insured than just the money.

“The underwriting process itself can bolster cybersecurity,” she noted.

“At [insurance broker] Marsh, we don’t consider ourselves just in cyber insurance,” said the firm’s senior cyber advisory specialist Matt McCabe, echoing Raskin’s comment. “We’re in cyber risk management.”

When a company wants to buy cyber insurance, it doesn’t just fill out some forms, pay a premium and call it a day, McCabe said. “That’s just not how the industry works.”

Instead, companies work through an involved exercise in which underwriters closely examine their cybersecurity setup and offer suggestions for improvement, something McCabe called “the closest thing I’ve seen to a deposition outside the courtroom process.”

Insurers typically stay on top of their clients afterward to promote good cybersecurity practices, McCabe added.

A dearth of information

A key challenge facing the industry is data.

“There’s a paucity of information” about cyberattacks on private companies, noted Suzanne Spaulding, the Homeland Security Department’s undersecretary for the National Protection and Programs Directorate. Companies just don’t want to talk about cyber incidents unless they absolutely have to (when hackers take information public, as happened with Ashley Madison and Sony Pictures, or when the release of personally identifiable information renders the company legally obligated to disclose a breach), Spaulding said. Underwriters are left with a big knowledge gap as they try to figure out the type, frequency and severity of cyber threats.

BitSight Technologies is one of the private assessment firms filling that gap, giving companies security ratings on a 250-900 scale, much like FICO scores relay the risk associated with lending to individuals.

“Cyber insurance is harder in many respects than traditional risk insurance, in part because the historical data hasn't been aggregated but also because there's less certainty about the effectiveness of ‘best practices,’” noted Jake Olcott, BitSight’s VP of business development.

Third-party assessors like BitSight probing company defenses from the outside can help insurers know the risk they’re taking on, and help companies understand how well they’re defending themselves (or how poorly; of the six industries BitSight tracks, two average “basic” security levels and four average “intermediate,” with only the finance industry topping 700 on average).

But Olcott said the government still needs to play an important role, “providing more information, more data for those underwriters.”

DHS’s Spaulding promised to help, plugging the department’s Cyber Incident Data and Analysis Working Group.

Aimed at gathering private-sector cybersecurity incident data into one shareable database, CIDAWG released a new cyber insurance white paper on Sept. 14, Spaulding said.

Incident reports coming to DHS will be anonymized and companies will face no liability for sharing information, Spaulding pledged, adding that her “cyber ninja warriors” have been working to ensure the information sharing setup is as secure as possible.

“We really want to incentivize information coming into one place,” she said.

According to Olcott, McCabe and other industry veterans, that data repository could prove invaluable for the nascent cyber insurance marketplace.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.
