The fledgling cyber insurance industry may hold the key to improving cybersecurity practices across the nation, according to a panel of experts who testified Tuesday before a House subcommittee.
“The expansion of cyber risks and the growth of the cyber insurance market are a tremendous opportunity for the insurance sector to lead in the development of cyber hygiene across our national infrastructure,” said Adam W. Hamm, the North Dakota Insurance Commissioner, testifying during a hearing of the House Homeland Security Committee subcommittee on cybersecurity, infrastructure protection, and security technologies. Hamm noted that though the market for cyber insurance is very young, cyber insurance companies will play a key role in the development of future cybersecurity policies.
Because insurance premiums are based on the cyber policies and practices of individual businesses, applicants have an incentive to assess and improve their cybersecurity before applying.
“Cyber insurance is becoming very, very expensive,” said Daniel Nutkis, CEO of Health Information Trust Alliance. “In fact, if you make good decisions on your cyber controls, you can reduce your cyber premiums, and therefore you have better resilience, and you still have cyber insurance.”
“Our starting point really was the fire insurance market,” said Tom Finan, Chief Strategy Officer at Ark Network Security Solutions and a former senior cybersecurity strategist at the Department of Homeland Security who led the department’s first cybersecurity insurance workshop. In order to apply for fire insurance, builders and building owners must first meet certain controls for fire safety. Similarly, if cyber insurance companies require certain controls before a business can apply, it makes the cybersecurity of businesses stronger on the whole.
This is good news for some of the Subcommittee’s members, who expressed the desire that government stay out of the regulation of cybersecurity practices as much as possible.
“Cyber Insurance can play a key role in helping businesses, especially small- and mid-sized businesses, to assess their cybersecurity posture and readiness, and their ability to be resilient and recover from anticipated attacks,” said Rep. Cedric Richmond, D-LA.
“We really need to be exploring market-driven methods for the security of companies that store all of our personal information,” said Rep. John Ratcliffe, R-Texas. “I believe cyber insurance to be one such solution.”