Trade Law Daily is a Warren News publication.
Decades To Develop

Cyber Insurance Market in 'Infancy,' Could Improve Risk Management Culture, Lawmakers Say

House Cybersecurity Subcommittee members and industry executives said they're hopeful the developing cyber insurance market could become a major force in improving private sector cybersecurity in the U.S., but executives noted during a Tuesday subcommittee hearing that the market will need to grow significantly first. The cyber insurance market is clearly “in its infancy but it is easy to envision its vast potential,” subcommittee Chairman John Ratcliffe, R-Texas, said. A fully matured cyber insurance ecosystem could incentivize companies of all sizes to improve their cyber risk management, he said.

The House Cybersecurity hearing was meant only to explore how Congress can aid the growth of cyber risk management, not to suggest a potential legislative solution, Ratcliffe said, adding that he's committed to ensuring legislators “not mandate” that businesses buy cyber insurance. Subcommittee ranking member Cedric Richmond, D-La., agreed, saying the subcommittee “does have an interest” in the cyber insurance market's growth despite having “no oversight or legislative jurisdiction” over the market's activities.

The cyber insurance market experienced “robust” double-digit growth over the past three years, with purchases of the insurance rising 27 percent year-over-year in 2015 and 32 percent year-over-year in 2014, said Marsh Senior Vice President-Network Security and Data Privacy Matthew McCabe. Ratcliffe said he's concerned the vast majority of companies buying cyber insurance have been major firms and that penetration among small and medium-size businesses remains low. State insurance regulators have found cyber insurance has been a lower priority for small and medium-size businesses because insurance firms have to produce customized cyber insurance plans, which significantly raises the price of insurance, said North Dakota Insurance Commissioner Adam Hamm. Cybersecurity funding is “finite” at many companies, and when that's the case, executives typically give priority to technical solutions rather than getting cyber insurance, McCabe said.

Insurance companies must craft customized cyber insurance plans based on a qualitative assessment of a company's cyber risks and risk management practices because “cyber risk remains difficult for insurance underwriters to quantify due to a lack of actuarial data” on such risk management, Hamm said. The Department of Homeland Security's Cyber Incident Data and Analysis Working Group (CIDAWG) studied whether the cyber insurance market could identify the cyber equivalent of “sprinklers and other fire suppression systems,” but didn't develop a definitive answer, said Ark Network Security Solutions Chief Strategy Officer Tom Finan, former DHS National Protection and Programs Directorate senior cybersecurity strategist. The cyber insurance industry “will certainly get there” one day, but “there is certainly more work to do,” Finan said.

CIDAWG is continuing to develop a cyber incident data repository that will aggregate and analyze anonymized cyber incident data in a bid to improve cyber risk actuarial data, Finan said. The cyber insurance market “is going to take decades” to develop to a point where “you get predictably to a full mature and developed market,” Hamm said. “What this market really needs is time, patience and support” to develop actuarial data and improve pricing conditions to a point where small and medium-sized businesses can more easily afford cyber insurance, he said.