The Government Wants a Thriving Cyber Insurance Market. Here’s How It’s Getting Started

Den Rise/

The Homeland Security Department wants to build a massive repository of cybersecurity and breach data that insurers can learn from.

Can the insurance industry offer cybersecurity policies that will help companies stay afloat even when they’re targeted with devastating cyberattacks that result in massive property damage or loss of life?

That’s the question a Department of Homeland Security working group was tasked with answering back in 2012. Their conclusion: The cyber insurance market isn’t mature enough to even begin answering that question.

Around the end of 2013, however, insurance agencies told the working group something that could set them on the right path: a repository of heavily detailed data covering what cyber protections companies have in place, whether those protections stopped cyber breaches or mitigated their effects and how much money breached companies ended up shelling out through repairs, upgrades, lost business, legal fees, settlements and reputational damage.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The Cyber Incident Data and Analysis Repository working group got started in 2014, gathering feedback from insurers and companies. Now it’s at work building a proof of concept loaded with phony but believable data to show to companies. If the group can convince those companies the repository is secure enough to hold their anonymized data, it hopes to get to work on the real thing, said project leader Matt Shabat, strategist and performance manager for the DHS Office of Cybersecurity and Communications.

“The idea behind the repository was, over the long term, this may help move the actuarial data forward,” Shabat said. “But if the repository really takes off and gets a lot of traction, it could still be 10 to 15 years’ worth of data before you’d really see it impact the insurance markets. In the short term, what we’re really focused on is a repository where individual companies can use the data more immediately to benchmark themselves, to better appreciate their own risk management and their own security postures.”

Nextgov recently spoke with Shabat about the effort. The transcript below is edited for length and clarity.

Nextgov: Why is the cyber insurance market so immature?

Matt Shabat: Part of the reason is it just hasn’t been around as long as some of the other insurance markets. Insurance products for cyber have been offered for the last 20 years, give or take a couple years, but the market itself is still relatively small. If you look at annual premiums for cyber insurance, the last numbers I got out of [the] Treasury [Department] for 2015 had about $2.75 billion in premiums. If you look at home owners’ insurance, auto and health care, general property and casualty, you start getting up into the hundreds of billions in premiums and an aggregate of over $1 trillion. So, there’s a lot of room for growth in the cyber insurance space.

Nextgov: What are the major barriers to setting up the repository?

Matt Shabat: As you can imagine, information about a company’s security posture is sensitive in and of itself. If [the company] wants to share information about the impact or cost of a [cyber] incident, that’s pretty sensitive too. If you start pulling that together, that’s clearly sensitive information.

Nextgov: So how do you overcome that sensitivity?

Matt Shabat: As with any information sharing initiative, it’s about building that trust over time. Ideally, you can put in place solutions that help accelerate that trust. What we want to do in the proof of concept is show the security and the anonymization procedures—both the technology for anonymization and also the statistical algorithms you can run to ensure that there’s sufficient data being shared and aggregated that individual information is obfuscated. The technology is there. It’s the legal concerns, the process, the policy, the governance around it.

We’re looking to stand up the proof of concept that will use synthetic data and really put the repository through its paces—testing the security and anonymization procedures but also going to potential future stakeholders and saying: ‘If you had this type of data, would that be useful to you? What other data points would you need? Are there any data points you don’t need?’

Nextgov: The final database will all be voluntary information from the private sector?

Matt Shabat: It’s envisioned to all be voluntary. We have talked in the working group about potentially adding information from government incidents. The challenge is that the risk equation government agencies follow and those that are followed in the private sector could be different. You don’t want to skew the data.

Also, the typical costs [from a cyber incident] that we’ll see in the private sector are not typical of costs you’ll see in government. Once you get outside of direct costs for incident response and recovery, [for companies] there’s impact to stock price and reputation, etc.

But, it also might help build trust because we’re showing the government is putting its data in there. More importantly, it could serve as an initial set of data points that are based on reality as opposed to the synthetic data we’re using.

Nextgov: What will the government’s role ultimately be?

Matt Shabat: There was a definite consensus in the working group that the repository ultimately shouldn’t be owned or operated by the government. Whether a for-profit or not-for-profit entity is ultimately in charge is yet to be determined, but it shouldn’t be government owned.

Nextgov: Is it difficult to collect data about lower impact incidents because, in many cases, companies aren’t required to disclose it, especially if it doesn’t cross a barrier for data breach notification, which varies from state to state?

Matt Shabat: You’re absolutely right there are certain things that rise to the level that you would think to share them and other things that just never make it there. Part of what we want to look at during the proof of concept is understanding the governance structure not just in terms of who has access to the repository and how you govern sharing into it, but also how you govern what gets shared in and how to let participating entities know to share those smaller incidents.

Nextgov: How do you make companies more willing to voluntarily share that information?

Matt Shabat: I fall back to trust, building trust but also using pre-existing trust relationships. We’re looking at whether the ISACs and ISAOs [Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, government-supported sectoral and regional groups that share cyber threat information] could serve as the entry point or the front door to the repository. We’d have to work with them to develop the necessary front end that their members could contribute to. They’d aggregate and anonymize [data] before it goes into the repository and then becomes available more broadly.

Additionally, the ISACs or ISAOs could conduct analysis on the data and provide more finished data back to their communities.

Nextgov: There are a number of private sector reports that come out each year about the cost of data breaches. What will this repository offer that they don’t?

Matt Shabat: There are a number of good studies that come out and there are a bunch of data repositories that are currently available. But rarely do you get the true combination of: here are the controls the [company] has in place, controls it didn’t have in place, controls that failed. That’s the piece that’s missing right now.

I’ve heard many people tell me ‘no one can tell me how much a particular control buys down in terms of risk from a monetary perspective.’ Being able to put a finer point on particular security controls and dollar reduction of risk is where we would hope this starts to shift the landscape.

Nextgov: If it really takes 10 to 15 years for the cyber insurance market to develop, isn’t that concerning because the cost of breaches continues to grow?

Matt Shabat: We have seen maturation. We have seen the market grow and as the market grows insurers learn more. The last I tried to capture it, there were about 70 insurance companies providing [cyber] products and there were 15 to 20 types of cyber products being offered. If you ask about coverage for financial loss, that’s actually fairly robust. There’s decent coverage for [other] data beach notification costs such as legal fees.

When you start getting into property and casualty though, when you get into those physical consequences for a cyber event, that’s where the market seems to be less mature. That’s where we hear demand. Right now, you may have to buy a special policy for that or negotiate some sort of rider to your property and casualty coverage.

Nextgov: Regarding property and casualty, there haven’t been any cyberattacks to date that I’m aware of that caused major injuries or killed people, though that’s a major fear. The number of attacks that have caused major property damage are pretty limited. Is it tough to develop insurance products or even gather useful data when these things aren’t actually happening yet?

Matt Shabat: Yes, in the absence of something, it’s hard to come up with the actuarial data. If you can trace the incident to something that could have had a property or casualty impact, that gives them something to go on, looking at the probability or likelihood.

You also get that whole issue of the thinking adversary. Unlike some insurance coverages which focus on, for example, natural disasters or inadvertent human behavior, here you have a thinking adversary and probabilistic risk assessment is a little bit more challenging. [A hacker] could go right up to that point and then pull back knowing they could have caused some sort of injury or damage to property and realizing they didn’t want to.

Nextgov: Are there models you can use, other types of insurance where there’s a thinking adversary?

Matt Shabat: Clearly there’s terrorism risk insurance where there’s a thinking adversary. Employee misconduct is another area.