The Government Wants a Thriving Cyber Insurance Market. Here’s How It’s Getting Started

The Homeland Security Department wants to build a massive repository of cybersecurity and breach data that insurers can learn from.

Can the insurance industry offer cybersecurity policies that will help companies stay afloat even when they’re targeted with devastating cyberattacks that result in massive property damage or loss of life?

That’s the question a Department of Homeland Security working group was tasked with answering back in 2012. Their conclusion: The cyber insurance market isn’t mature enough to even begin answering that question.

Around the end of 2013, however, insurance agencies told the working group something that could set them on the right path: a repository of heavily detailed data covering what cyber protections companies have in place, whether those protections stopped cyber breaches or mitigated their effects and how much money breached companies ended up shelling out through repairs, upgrades, lost business, legal fees, settlements and reputational damage.

The Cyber Incident Data and Analysis Repository working group got started in 2014, gathering feedback from insurers and companies. Now it’s at work building a proof of concept loaded with phony but believable data to show to companies. If the group can convince those companies the repository is secure enough to hold their anonymized data, it hopes to get to work on the real thing, said project leader Matt Shabat, strategist and performance manager for the DHS Office of Cybersecurity and Communications.

“The idea behind the repository was, over the long term, this may help move the actuarial data forward,” Shabat said. “But if the repository really takes off and gets a lot of traction, it could still be 10 to 15 years’ worth of data before you’d really see it impact the insurance markets. In the short term, what we’re really focused on is a repository where individual companies can use the data more immediately to benchmark themselves, to better appreciate their own risk management and their own security postures.”

Nextgov recently spoke with Shabat about the effort. The transcript below is edited for length and clarity.

Nextgov: Why is the cyber insurance market so immature?

Matt Shabat: Part of the reason is it just hasn’t been around as long as some of the other insurance markets. Insurance products for cyber have been offered for the last 20 years, give or take a couple years, but the market itself is still relatively small. If you look at annual premiums for cyber insurance, the last numbers I got out of [the] Treasury [Department] for 2015 had about $2.75 billion in premiums. If you look at homeowners’ insurance, auto and health care, general property and casualty, you start getting up into the hundreds of billions in premiums and an aggregate of over $1 trillion. So, there’s a lot of room for growth in the cyber insurance space.

Nextgov: What are the major barriers to setting up the repository?

Matt Shabat: As you can imagine, information about a company’s security posture is sensitive in and of itself. If [the company] wants to share information about the impact or cost of a [cyber] incident, that’s pretty sensitive too. If you start pulling that together, that’s clearly sensitive information.

Nextgov: So how do you overcome that sensitivity?

Matt Shabat: As with any information sharing initiative, it’s about building that trust over time. Ideally, you can put in place solutions that help accelerate that trust. What we want to do in the proof of concept is show the security and the anonymization procedures—both the technology for anonymization and also the statistical algorithms you can run to ensure that there’s sufficient data being shared and aggregated that individual information is obfuscated. The technology is there. It’s the legal concerns, the process, the policy, the governance around it.

We’re looking to stand up the proof of concept that will use synthetic data and really put the repository through its paces—testing the security and anonymization procedures but also going to potential future stakeholders and saying: ‘If you had this type of data, would that be useful to you? What other data points would you need? Are there any data points you don’t need?’

Nextgov: The final database will all be voluntary information from the private sector?

Matt Shabat: It’s envisioned to all be voluntary. We have talked in the working group about potentially adding information from government incidents. The challenge is that the risk equation government agencies follow and those that are followed in the private sector could be different. You don’t want to skew the data.

Also, the typical costs [from a cyber incident] that we’ll see in the private sector are not typical of costs you’ll see in government. Once you get outside of direct costs for incident response and recovery, [for companies] there’s impact to stock price and reputation, etc.

But, it also might help build trust because we’re showing the government is putting its data in there. More importantly, it could serve as an initial set of data points that are based on reality as opposed to the synthetic data we’re using.

Nextgov: What will the government’s role ultimately be?

Matt Shabat: There was a definite consensus in the working group that the repository ultimately shouldn’t be owned or operated by the government. Whether a for-profit or not-for-profit entity is ultimately in charge is yet to be determined, but it shouldn’t be government owned.

Nextgov: Is it difficult to collect data about lower impact incidents because, in many cases, companies aren’t required to disclose it, especially if it doesn’t cross a barrier for data breach notification, which varies from state to state?

Matt Shabat: You’re absolutely right there are certain things that rise to the level that you would think to share them and other things that just never make it there. Part of what we want to look at during the proof of concept is understanding the governance structure not just in terms of who has access to the repository and how you govern sharing into it, but also how you govern what gets shared in and how to let participating entities know to share those smaller incidents.

Nextgov: How do you make companies more willing to voluntarily share that information?

Matt Shabat: I fall back to trust, building trust but also using pre-existing trust relationships. We’re looking at whether the ISACs and ISAOs [Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, government-supported sectoral and regional groups that share cyber threat information] could serve as the entry point or the front door to the repository. We’d have to work with them to develop the necessary front end that their members could contribute to. They’d aggregate and anonymize [data] before it goes into the repository and then becomes available more broadly.

Additionally, the ISACs or ISAOs could conduct analysis on the data and provide more finished data back to their communities.

Nextgov: There are a number of private sector reports that come out each year about the cost of data breaches. What will this repository offer that they don’t?

Matt Shabat: There are a number of good studies that come out and there are a bunch of data repositories that are currently available. But rarely do you get the true combination of: here are the controls the [company] has in place, controls it didn’t have in place, controls that failed. That’s the piece that’s missing right now.

I’ve heard many people tell me ‘no one can tell me how much a particular control buys down in terms of risk from a monetary perspective.’ Being able to put a finer point on particular security controls and dollar reduction of risk is where we would hope this starts to shift the landscape.

Nextgov: If it really takes 10 to 15 years for the cyber insurance market to develop, isn’t that concerning because the cost of breaches continues to grow?

Matt Shabat: We have seen maturation. We have seen the market grow and as the market grows insurers learn more. The last I tried to capture it, there were about 70 insurance companies providing [cyber] products and there were 15 to 20 types of cyber products being offered. If you ask about coverage for financial loss, that’s actually fairly robust. There’s decent coverage for [other] data breach notification costs such as legal fees.

When you start getting into property and casualty though, when you get into those physical consequences for a cyber event, that’s where the market seems to be less mature. That’s where we hear demand. Right now, you may have to buy a special policy for that or negotiate some sort of rider to your property and casualty coverage.

Nextgov: Regarding property and casualty, there haven’t been any cyberattacks to date that I’m aware of that caused major injuries or killed people, though that’s a major fear. The number of attacks that have caused major property damage are pretty limited. Is it tough to develop insurance products or even gather useful data when these things aren’t actually happening yet?

Matt Shabat: Yes, in the absence of something, it’s hard to come up with the actuarial data. If you can trace the incident to something that could have had a property or casualty impact, that gives them something to go on, looking at the probability or likelihood.

You also get that whole issue of the thinking adversary. Unlike some insurance coverages which focus on, for example, natural disasters or inadvertent human behavior, here you have a thinking adversary and probabilistic risk assessment is a little bit more challenging. [A hacker] could go right up to that point and then pull back knowing they could have caused some sort of injury or damage to property and realizing they didn’t want to.

Nextgov: Are there models you can use, other types of insurance where there’s a thinking adversary?

Matt Shabat: Clearly there’s terrorism risk insurance where there’s a thinking adversary. Employee misconduct is another area.
