Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Congress seeks solutions on cyber risk that include insurance

Insurance seen as key tool to bolster security

Reprints

Following a year of several widespread cyber breach incidents, Congress is poised to encourage the insurance industry to take a lead role in bolstering cyber security.

That was evident earlier this month as the Senate Commerce Committee's Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held the first congressional hearing on cyber insurance.

As the panel's chairman, Sen. Jerry Moran, R-Kan., put it, cyber insurance “may be a market-led approach to help businesses improve their cyber security posture by tying policy eligibility or lower premiums to better cyber security practices.”

Meanwhile, several bills have been introduced in Congress — the most recent one last week — to promote more information sharing between public and private entities concerning cyber breaches.

Congressional interest in cyber insurance is a “natural extension” of lawmakers' examination of cyber security issues, said Michael Menapace, counsel in the Hartford, Connecticut, office of Wiggin and Dana L.L.P. and an adjunct professor of law at Hamden, Connecticut-based Quinnipiac University.

Mr. Menapace, who testified before Sen. Moran's panel, said after the hearing the congressional concern over how the costs of cyber breaches will be covered is “naturally going to lead you to insurance. Insurers certainly have influence over their practices that are employed by the insureds.”

He added that insurers themselves hold a lot of data, so their own experience in this area is valuable.

Another witness — Ben Beeson, the Washington-based vice president for cyber security and privacy with Lockton Cos. L.L.C. — agreed, saying cyber insurance is an important market force that can drive improved cyber security for companies.

Speaking before the panel, Mr. Beeson said Lockton and “we believe the industry as a whole” would welcome the introduction of legislation that would reduce barriers and encourage organizations to share cyber threat indicators with the government and each other while also protecting individual privacy.

In an interview after the hearing, Mr. Beeson called the hearing “hugely important for our clients and industry.”

“How do you get industry (companies) to raise its game, to improve its resilience against that type of threat?” he said. “I don't think you can legislate minimum security standards. It's about an approach, a culture. It's very difficult to be prescriptive.”

Congress would rather see the market try to help solve the problem, Mr. Beeson said. “It puts the insurance industry in a place perhaps where it didn't expect to be: Congress says, "We want you at the front of the conversation.' “

Cyber insurance can help address two fundamental cyber security problems, Mr. Beeson said: industry not investing enough in security; and the other of determining the right approach to security, which, he said, is tackling it in an enterprise risk management framework.

“It's a huge opportunity; we're asking the government to do anything they can do to provide more incidence data,” Mr. Beeson said.

During his testimony, Mr. Menapace said there's no single standard for private and public entities requiring reporting of data breaches. Instead, each state has its own standard, leading to increased costs and inefficiency, he said.

Mr. Beeson said Congress could follow a precedent in health care reporting and set a federal notification requirement, a good move for consumers and businesses.

Representatives of insurer groups agreed.

“It would be nice to have a single federal standard” for companies regarding data security breach reporting, said Alex Hageli, a director at the Chicago-based Property Casualty Insurers Association of America. “It's been on the wish list for some time, and it seems with all of the recent breaches that it might actually come to fruition.”

“Ideas, which all the panelists endorsed, such as federal legislation encouraging sharing of cyber threat data, exploring the creation of a data repository and a pre-emptive federal data breach standard, should help improve underwriting and increase market capacity,” a spokesman for the Washington-based American Insurance Association said.

PCI's Mr. Hageli also said that the Federal Insurance Office has been “very interested in developing the cyber insurance market.”

“We feel cyber insurance is a key piece of the puzzle of how to best prepare our country to address cyber threats. It was great to see the Senate hold what was the first-ever hearing on this issue,” said Jonathan Bergner, federal affairs director in the Washington office of the National Association of Mutual Insurance Cos.

Laura Foggan, a partner in the Washington law firm Wiley Rein L.L.P. who specializes in insurance law, said she thinks there is “pretty broad” insurance industry support for legislation that encourages information sharing about cyber security breaches.