DHS banks on data repository for cyber insurance

The Department of Homeland Security got interested in encouraging a cybersecurity insurance market about four years ago after officials realized that "regulating our way out of cyber risk was probably not going to happen," said Tom Finan, a senior cybersecurity strategist and counsel at DHS.

In the four years since, they have been establishing a common breach nomenclature for insurers and IT security professionals, and Finan said he believes they are on to something with the cyber incident data repository DHS is exploring.

The idea behind the repository is to help insurers build more sophisticated products by giving them access to a richer harvest of threat data. DHS is particularly interested in the insurance market's ability to cover property damages and bodily harm that might result from cyberattacks, Finan said Oct. 26 during a panel discussion hosted by New America and Just Security in New York City.

For now, the data repository is just a concept, and the cyber insurance market is challenged by a lack of actuarial data and common metrics, Finan added. A DHS-backed group that is exploring the idea of a repository released a white paper last month outlining 16 categories of data that could form the basis of the repository. The categories include incident detection techniques and mitigation measures.

Another challenge is the differing expectations insurers and lawyers often have for the level of disclosure after a data breach. Companies hit by large breaches have not always been transparent with insurers, said Greg Vernaci, a senior vice president at insurance giant AIG.

Harvey Rishikof, a national security lawyer at Crowell and Moring, countered that attorney/client privilege is an important refuge for firms that expect litigation to result from a breach.

Meanwhile, the demand for cyber insurance is growing. The global market for annual premiums is poised to triple from about $2.5 billion this year to $7.5 billion by the end of 2020, consulting firm PwC said in a recent report.

More analysis is needed to determine what measures are effective in mitigating cyber risk, Finan said. The sense of what works is still anecdotal, and "there's really no broad, objective way to assess what's actually making a difference and what isn't," he added.

Nonetheless, Finan sees progress in having IT professionals and insurers talk it out. "Even four years ago, when we were having our first workshops, the [chief information security officers] were very suspicious of insurance," he said. "They really saw it as a competitor to the limited resources that they had access to [in order] to address the cyber risk of the company."

But large-scale, reputation-damaging hacks like those on Target and Sony Pictures Entertainment are making CISOs realize that risk mitigation and insurance "are two sides of the same coin," Finan said.