DHS banks on data repository for cyber insurance

The Department of Homeland Security got interested in encouraging a cybersecurity insurance market about four years ago after officials realized that "regulating our way out of cyber risk was probably not going to happen," said Tom Finan, a senior cybersecurity strategist and counsel at DHS.

In the four years since, they have been establishing a common breach nomenclature for insurers and IT security professionals, and Finan said he believes they are on to something with the cyber incident data repository DHS is exploring.

The idea behind the repository is to help insurers build more sophisticated products by giving them access to a richer harvest of threat data. DHS is particularly interested in the insurance market's ability to cover property damages and bodily harm that might result from cyberattacks, Finan said Oct. 26 during a panel discussion hosted by New America and Just Security in New York City.

For now, the data repository is just a concept, and the cyber insurance market is challenged by a lack of actuarial data and common metrics, Finan added. A DHS-backed group that is exploring the idea of a repository released a white paper last month outlining 16 categories of data that could form the basis of the repository. The categories include incident detection techniques and mitigation measures.

Another challenge is the differing expectations insurers and lawyers often have for the level of disclosure after a data breach. Companies hit by large breaches have not always been transparent with insurers, said Greg Vernaci, a senior vice president at insurance giant AIG.

Harvey Rishikof, a national security lawyer at Crowell and Moring, countered that attorney-client privilege is an important refuge for firms that expect litigation to result from a breach.

Meanwhile, the demand for cyber insurance is growing. The global market for annual premiums is poised to triple from about $2.5 billion this year to $7.5 billion by the end of 2020, consulting firm PwC said in a recent report.

More analysis is needed to determine what measures are effective in mitigating cyber risk, Finan said. The sense of what works is still anecdotal, and "there's really no broad, objective way to assess what's actually making a difference and what isn't," he added.

Nonetheless, Finan sees progress in having IT professionals and insurers talk it out. "Even four years ago, when we were having our first workshops, the [chief information security officers] were very suspicious of insurance," he said. "They really saw it as a competitor to the limited resources that they had access to [in order] to address the cyber risk of the company."

But large-scale, reputation-damaging hacks like those on Target and Sony Pictures Entertainment are making CISOs realize that risk mitigation and insurance "are two sides of the same coin," Finan said.

About the Author

Sean Lyngaas is a former FCW staff writer.