[Senate Hearing 114-171] [From the U.S. Government Publishing Office] S. Hrg. 114-171 EXAMINING THE EVOLVING CYBER INSURANCE MARKETPLACE ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND DATA SECURITY OF THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION UNITED STATES SENATE ONE HUNDRED FOURTEENTH CONGRESS FIRST SESSION __________ MARCH 19, 2015 __________ Printed for the use of the Committee on Commerce, Science, and Transportation [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] U.S. GOVERNMENT PUBLISHING OFFICE 98-475 PDF WASHINGTON : 2016 ________________________________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]. SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED FOURTEENTH CONGRESS FIRST SESSION JOHN THUNE, South Dakota, Chairman ROGER F. WICKER, Mississippi BILL NELSON, Florida, Ranking ROY BLUNT, Missouri MARIA CANTWELL, Washington MARCO RUBIO, Florida CLAIRE McCASKILL, Missouri KELLY AYOTTE, New Hampshire AMY KLOBUCHAR, Minnesota TED CRUZ, Texas RICHARD BLUMENTHAL, Connecticut DEB FISCHER, Nebraska BRIAN SCHATZ, Hawaii JERRY MORAN, Kansas EDWARD MARKEY, Massachusetts DAN SULLIVAN, Alaska CORY BOOKER, New Jersey RON JOHNSON, Wisconsin TOM UDALL, New Mexico DEAN HELLER, Nevada JOE MANCHIN III, West Virginia CORY GARDNER, Colorado GARY PETERS, Michigan STEVE DAINES, Montana David Schwietert, Staff Director Nick Rossi, Deputy Staff Director Rebecca Seidel, General Counsel Jason Van Beek, Deputy General Counsel Kim Lipsky, Democratic Staff Director Chris Day, Democratic Deputy Staff Director Clint Odom, Democratic General Counsel and Policy Director ------ SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND DATA SECURITY JERRY MORAN, Kansas, Chairman RICHARD BLUMENTHAL, Connecticut, ROY BLUNT, Missouri Ranking TED CRUZ, Texas CLAIRE McCASKILL, Missouri DEB FISCHER, Nebraska AMY KLOBUCHAR, Minnesota DEAN HELLER, Nevada EDWARD MARKEY, Massachusetts CORY GARDNER, Colorado CORY BOOKER, New Jersey STEVE DAINES, Montana TOM UDALL, New Mexico C O N T E N T S ---------- Page Hearing held on March 19, 2015................................... 1 Statement of Senator Moran....................................... 1 Statement of Senator Blumenthal.................................. 3 Statement of Senator Blunt....................................... 28 Statement of Senator Klobuchar................................... 29 Witnesses Ben Beeson, Vice President, Cyber Security and Privacy, Lockton Companies..................................................... 4 Prepared statement........................................... 6 Catherine Mulligan, Senior Vice President, Management Solutions Group, Zurich (North America).................................. 8 Prepared statement........................................... 9 Ola Sage, Founder and CEO, e-Management.......................... 13 Prepared statement........................................... 14 Michael Menapace, Counsel, Wiggin and Dana LLP, and Adjunct Professor of Insurance Law, Quinnipiac University School of Law 18 Prepared statement........................................... 20 Appendix Response to written questions submitted by Hon. Jerry Moran to: Ben Beeson................................................... 39 Catherine Mulligan........................................... 39 Ola Sage..................................................... 40 EXAMINING THE EVOLVING CYBER INSURANCE MARKETPLACE ---------- THURSDAY, MARCH 19, 2015 U.S. Senate, Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Committee on Commerce, Science, and Transportation, Washington, DC. The Subcommittee met, pursuant to notice, at 10 a.m. in room SR-253, Russell Senate Office Building, Hon. Jerry Moran, Chairman of the Subcommittee, presiding. Present: Senators Moran [presiding], Blunt, Blumenthal, and Klobuchar. OPENING STATEMENT OF HON. JERRY MORAN, U.S. SENATOR FROM KANSAS Senator Moran. Good morning, everybody. We are delighted that we are here. I call this subcommittee hearing to order. Let me first of all thank our witnesses for taking the time to provide us with--I have read the testimony--very valuable information on a topic that I think has not received much attention. We are delighted to have you here and appreciate your willingness to share with us. I also want to thank our committee staff who worked hard at arranging those witnesses and putting this hearing together. The purpose of this hearing is to examine the state of the cyber insurance market, identify challenges and opportunities, and learn how cyber insurance may drive improvements to the risk management culture at businesses that purchase those insurance policies. This is our second hearing on a broad topic of data security, and to my knowledge, it is the first time, as I said, that a hearing has ever been held on the cyber insurance market. American consumers and businesses face ongoing and serious cyber threats. Just last week we learned of yet another. Every time we have had a hearing there has been an announcement of a data breach. May be a reason not to have another hearing. A Washington state-based health insurance company notified 11 million customers that credit card numbers, Social Security numbers, medical records, and other sensitive information may have been compromised. A data breach, as we know, is all too frequent, and has become common in our digital lives. One strategy for business to mitigate cyber or privacy- related losses is to purchase cybersecurity insurance. While some cyber related losses may be covered under a business' general insurance policy, the increase of publicly reported cyber incidents and data breaches have led insurers to begin offering stand-alone policies to cover cyber related risks and losses. Cyber insurance policies vary greatly but increasingly new policies are being developed to cover costs ranging from crisis management and response to a data breach, personal or health information, to business interruption or damage to critical infrastructure systems from a cyber attack. While an insurer's primary function is to mitigate financial losses, not defend against cyber threats, cyber insurance may be a market led approach to help businesses improve their cybersecurity posture by tying policy eligibility or lower premiums to better cybersecurity practices. An example of this relationship is an automobile insurer offering good driver discount to a customer who avoids accidents or driving violations, providing an additional incentive to a driver to be more cautious and attentive. The insurance company also wins. Even though the premium they receive may be lower, in the end, they have fewer claims to pay out. The cyber insurance market is one of the fastest growing commercial lines of insurance, approximately 50 carriers now offer stand-alone cyber policies, and the total written premiums were between 1.5 and $2 billion in 2014. Some estimates show that the market could grow as high as $5 billion by the decade's end. During last year, 2014, the number of clients at brokerage, Marsh & McLennan, who purchased stand-alone cyber coverage increased by 32 percent over 2013. Among their clients, the highest take up rates for cyber insurance in 2014 were in health care, education, hospitality, and gaming. The challenges in the cyber insurance market exists due to the difficulty of quantifying the exposure to cyber risk, liabilities, and losses, the aggregation of losses due to the interconnected nature of IT and the changing cyber threat environment. Several IT security firms are developing products and assisting insurers in either identifying potential threats and/ or offering cyber products or services to better protect their networks. For instance, a startup named BitSite partners with Liberty International Underwriters to externally analyze a company's cybersecurity. In one case, BitSite helped discover a dormant threat in a company's IT system, and the insurer was able to work with the company to avoid the possible breach. Another example in my home state of Kansas, Overland Park- based risk analysts partner with AIG to provide security products to some AIG insurance products. This Congress considers cyber threat information sharing legislation as well as a national data breach notification standard. There are lots of important questions about developing the state of a private insurance market that come to mind. Today, we will focus our attention on some of those key questions, and I am confident today's expert panel can share their valuable insights on these topics. I would like now to turn to the Ranking Member, my friend and colleague, the Senator from Connecticut, Senator Blumenthal. STATEMENT OF HON. RICHARD BLUMENTHAL, U.S. SENATOR FROM CONNECTICUT Senator Blumenthal. Thank you so much, Senator Moran. I really appreciate your convening this hearing on a topic of huge importance to the entire country, indeed, the world, and certainly to my home state of Connecticut. I want to join you in thanking our staff, but most especially the experts who have come to be with us today. This topic, I can tell you, is of tremendous interest to my colleagues. I have spoken to them about this issue over the last couple of days. We have a busy day today, so the attendance here may not reflect that interest, but I can tell you there is no topic more important than cybersecurity to the U.S. Senate and maybe to our country. At this moment, the Armed Services Committee, and I am a member of that committee as well, is having a hearing on the budget for our military cyber warfare activities in part. The two are inextricably linked, the private security and our national defense security. As you well know, we are struggling now to deal with the problems raised in both spheres, which are very closely linked. Hartford, Connecticut is home to the Nation's oldest continuously published newspaper, the Hartford Courant, but it is also home to many of the world's biggest and greatest insurance companies. It is known colloquially as the insurance capital of the world. Some may dispute whether any place in the world is an insurance capital these days because of their multinational activities. Hartford, I think, has the longest standing claim to that title. We are a small state but we actually still rank number one in total insurance jobs as a percentage of total employment. I am particularly pleased to see one our nation's experts, Michael Menapace, of Quinnipiac University joining us here today. Thank you, Michael, for being here. I am also happy to be here today to learn, and I really do mean learn more about this issue. We all think we know a lot about breaches because they are so common, as Chairman Moran said, but each in many important respects is different from the other, in its consequences and causes, and what can be done to prevent these kinds of breaches. That is the issue that brings us here today: how to prevent them, how to insure against them, and how to use insurance as an incentive, as a tool, to provide for stronger prevention. The simple and stark fact is that the Internet was not built for security. The Internet was not built to be secure. It was not intended to be the commercial and financial backbone of the post-industrial world. It was designed as an open system, and it was based and still is based on anonymity, meant to be used among a select group of Government officials and university computer scientists. Very sadly, it seems like this dynamic has in some ways reinforced the picture we see every time we open the newspaper to read of millions of consumer records stolen from major retailers: Target, Neiman Marcus, Home Depot, Anthem. Data breaches are hardly a new phenomenon. When I was Attorney General of the State of Connecticut, we tried to deal with them in terms of providing protections to consumers, and consumers have been facing and paying for data breaches for years. Consumers are hit the hardest, but the growing threats of cyber attacks and data breaches impair more than just our consumers, and it is our critical infrastructure now that has a huge risk, and has so much at stake. They are increasingly hitting the bottom line of our major companies. The question is whether insurance can play a role in preventing these kinds of breaches, what kinds of insurance are best designed to cover damages from security breach or cyber attack, and why companies do not more commonly choose to have cybersecurity insurance. A lot of these companies cite its high cost, lack of awareness about what it covers, uncertainty that they will suffer a cyber attack as reasons for their decisions or non- decisions to have insurance. I am looking forward to the panel's testimony today to know about what has been changing, the dynamics of this industry, and what can be done to encourage the growth of this very dynamic market, and ultimately increase its positive impact on the security of consumers' sensitive information. Thank you very much for being here today. Senator Moran. Senator Blumenthal, thank you very much. Our witnesses are Mr. Ben Beeson, Vice President for Cyber Security and Privacy at Lockton Companies. Ms. Catherine Mulligan, Senior Vice President of Management Solutions Group for Zurich, North America. Ms. Ola Sage, CEO, e-Management, an IT firm from Silver Spring, Maryland, and Mr. Michael Menapace, Counsel at Wiggin and Dana, who also serves as Adjunct Professor of Insurance Law at Quinnipiac University School of Law. It is a good thing to have a polling organization so I know how to pronounce the University's name. Thank you all very much for being here. Mr. Beeson, we will begin with your testimony. STATEMENT OF BEN BEESON, VICE PRESIDENT, CYBER SECURITY AND PRIVACY, LOCKTON COMPANIES Mr. Beeson. Chairman Moran, Ranking Member Blumenthal, distinguished members of the Committee, thank you very much on behalf of Lockton Companies for the opportunity to testify today. My name is Ben Beeson. I am Vice President for Cyber Security and Privacy at Lockton. Lockton is the largest privately held independent insurance broker in the world. I am based in the Washington, D.C. office where I advise clients on a cyber risk management strategy that addresses crucially people, processes, and technology. Our clients face a substantial set of cyber threats today that include criminal gangs, disgruntled employees, politically motivated actors, and now even nation states. Well-publicized attacks have sought to target and monetize personally identifiable data and protected health information. However, it is also commonly understood that the theft of corporate intellectual property is a significant problem with non-trivial impacts on innovation for companies and countries, and companies also face incidents that can disrupt or destroy information technology and other vital assets, even now physical assets. The key message I would like to convey today is this, we believe that cyber insurance is an important market force that can drive improved cybersecurity within companies but also importantly thereby improve consumer protection and the nation as a whole. There is an important link there. It should not just be seen as a financial instrument to transfer risk from one balance sheet to another. As the cyber insurance market develops, it will provide incentives for companies to understand and better mitigate their risks. For example, forward thinking companies invest in workplace safety to reduce their Workers' Compensation costs, and in the same way, sophisticated companies are investing in strong cybersecurity. Those companies ultimately will experience fewer losses and insurers will see fewer claims and the premiums will be lower. In addition, and importantly, simply just engaging in the process of seeking cyber insurance coverage can also assist businesses to develop the correct approach to mitigate risks. It is no longer just the domain of the IT Department. Cyber insurance can also act as a catalyst for driving an enterprise-wide risk management approach. It can bring all the relevant stakeholders together, in IT, Legal, Risk Management, R&D, Finance, Human Resources, Communications, and perhaps now most importantly, the Board itself. So, do not view cyber insurance as just a commodity that you may or may not see at the end of this process. However, we are not there yet today. The cyber insurance market is still young and developing. Companies today spend about $2 billion annually on cyber insurance, a fraction of the $1 trillion U.S. insurance market. Lockton also sees the NIST Framework aligning hand in glove with this enterprise risk management strategy. Working closely with the Department of Homeland Security to support its implementation, Lockton sees the Framework providing the tool that is needed to help boards of directors understand in layman's terms their current security, areas for improvement, and desired future status. As insurance brokers, we also advise directors and officers on management liability, and we see that cyber risk has now entered the governance dialogue. The NIST Framework has proved immensely helpful in driving better board discussions. Building on a public/private partnership, discussions are ongoing with the Department of Homeland Security about the possible formation of a data repository to house anonymized enterprise loss information. The ability to access anonymized loss data, shared between industry and government with appropriate privacy protections, would accelerate the growth of the marketplace, and crucially accelerate the ability of cyber insurance to act as a market incentive for industry to invest in cybersecurity. In addition, Lockton, and we believe the industry as a whole, would welcome the introduction of legislation that would reduce barriers and incentivize organizations to share threat indicators with government and each other while also protecting individual privacy. Thank you again for the opportunity to testify, and I will be happy to answer any questions you may have. [The prepared statement of Mr. Beeson follows:] Prepared Statement of Ben Beeson, Vice President, Cyber Security and Privacy, Lockton Companies Chairman Moran, Ranking Member Blumenthal, distinguished members of the Committee, thank you for the opportunity to testify today on behalf of Lockton Companies. My name is Ben Beeson and I am Vice President for Cyber Security and Privacy at Lockton Companies. Lockton is the world's largest privately held, independent insurance broker. I am based in the Washington, DC, office, where I advise clients on a cyber risk management strategy that addresses people, processes, and technology. Our clients face a substantial set of cyber threats today that include criminal gangs, disgruntled employees, politically motivated actors, and now nation states. Well-publicized attacks have sought to target and monetize personally identifiable data and protected health information. However, it is also now well understood that the theft of corporate intellectual property is a significant problem, with nontrivial impacts on innovation for companies and countries, and companies also face incidents that can disrupt or destroy information technology and other vital assets. We believe that cyber insurance is an important market force that can drive improved cyber security for companies--and thus improve protection to consumers and the Nation as a whole. It should not just be seen as another insurance transaction. As the cyber insurance market develops, it will provide incentives for companies to understand and mitigate their risks. For example, forward-thinking companies invest in workplace safety to reduce their workers' compensation costs. In the same way, sophisticated companies are investing in stronger cyber security, and those companies ultimately will experience fewer losses, insurers will see fewer claims, and their premiums will be lower. However, we're not there today. The cyber insurance market is still nascent and developing. Cyber Insurance Market Today It is estimated that more than 50 insurers domiciled mainly in the U.S. and the Lloyd's of London marketplace provide dedicated cyber products and solutions today. Buyers are overwhelmingly concentrated in the U.S. with little take-up to date internationally. Annual premium spend at the end of 2014 was estimated to be in excess of $2 billion \1\ with the potential to grow to $5 billion.\2\ Total capacity (the maximum amount of insurance available to any single buyer) is currently at about $300,000,000. Cyber insurance first emerged at the end of the 1990s, primarily seeking to address loss of revenue and data- restoration costs from attacks to corporate networks. However, the underwriting process was seen as too intrusive and the cost prohibitively expensive, and it was not until 2003, and the passage of the world's first data breach notification law in California,\3\ that demand started to grow. --------------------------------------------------------------------------- \1\ The Betterley Report--www.betterley.com \2\ The Cyber Liability Insurance Market 2015--Jim Blinn, Advisen. www.cyberrisknetwork.com \3\ California S.B.1386 --------------------------------------------------------------------------- What Does Cyber Insurance Cover? It is important to understand that insurers do not address all enterprise assets at risk. The vast majority of premium spent by buyers has sought to address increasing liability from handling personally identifiable information (PII) or protected health information (PHI), and the costs from either unauthorized disclosure (a data breach), or a violation of the data subject's privacy. Insurable costs range from data breach response expenses such as notification, forensics, and credit monitoring to defense costs, civil fines, and damages from a privacy regulatory action or civil litigation. Insurers also continue to address certain first-party risks including the impact on revenue from attacks on corporate networks, extortion demands, and the costs to restore compromised data. What Does Cyber Insurance Not Cover? Theft of corporate intellectual property (IP) still remains uninsurable today as insurers struggle to understand its intrinsic loss value once compromised. The increasing difficulty in simply detecting an attack and, unlike a breach of PII or PHI, the frequent lack of a legal obligation to disclose, suggests that a solution is not in the immediate future. Much attention in the industry is now being paid to risks to physical assets from a cyber attack. Much of the credit here must go to the Federal Government for directly engaging the industry initially in 2013 as part of the creation of the NIST Framework and raising awareness about the risks to critical infrastructure industries. In the absence of actuarial risk modeling data, certain innovative insurers and brokers have started to produce solutions that specially address property damage, resultant business interruption loss, and bodily injury from a cyber attack. However, it is early days, and major challenges lie ahead in establishing significant market capacity as well as addressing the current ambiguity embedded in legacy property and casualty insurance policies. How Do Insurers Underwrite Cyber Risks? Historically, underwriters have sought to understand the controls that enterprises leverage around their people, processes, and technology. However, the majority of assessments are ``static,'' meaning a snapshot at a certain point in time through the completion of a written questionnaire, a phone call interview, or a presentation. In the wake of significant insurable losses in 2014 and early 2015 to the retail and healthcare sectors in particular, a consensus is growing that this approach is increasingly redundant. It is Lockton's opinion that insurers will increasingly seek to partner with the security industry to adopt a more threat-intelligence-led capability as part of the underwriting process in the face of threats that continue to evolve. The industry (as discussed later) will also increasingly seek to partner with government to access industry loss data and analytics capabilities. What Is the Role of Cyber Insurance? In the context of building enterprise resilience to counter evolving cyber threats, insurance should not just be seen as a financial instrument for transferring risk from one balance sheet to another. Importantly, the actual process of seeking cyber insurance coverage should also be viewed as the catalyst for driving an enterprise-wide risk management approach, and ultimately an improved security posture. It can bring all relevant stakeholders together in IT, Legal, Risk Management, R&D, Finance, Human Resources, Communications, and the Board of Directors for example. Do not view cyber insurance as just a commodity that you may or may not seek at the end of this process. NIST Framework In the same vein, Lockton also sees the NIST Framework aligning hand in glove with this strategy. Working closely with the Department of Homeland Security to support its implementation, Lockton sees the framework providing the tool that is needed to help boards of directors understand in layman's terms their current security posture, areas for improvement, and desired future status. As insurance brokers who also advise directors and officers on management liability, we can acknowledge that cyber risk has now entered a governance dialogue, and the NIST Framework has proved immensely helpful in facilitating the discussion. Conclusion--A Public/Private Partnership Lockton, and we believe the industry as a whole, would welcome the introduction of legislation that would reduce barriers and incentivize organizations to share threat indicators with government, and each other, while also protecting individual privacy. Actuarial data is extremely thin on the ground and is holding back the growth in market capacity, particularly to address the previously highlighted risks to critical infrastructure industries. As part of the insurance industry's engagement with the Department of Homeland Security, discussions are ongoing about the possible formation of a data repository to house anonymized enterprise loss information. The ability to access anonymized loss data, shared between industry and government with appropriate privacy protections would also accelerate the growth of the marketplace, but crucially the ability of cyber insurance to act as a market incentive for industry to invest in cybersecurity. Thank you again for the opportunity to testify, and I will be happy to answer any questions that you may have. Senator Moran. Thank you very much, Mr. Beeson. Ms. Mulligan? STATEMENT OF CATHERINE MULLIGAN, SENIOR VICE PRESIDENT, MANAGEMENT SOLUTIONS GROUP, ZURICH (NORTH AMERICA) Ms. Mulligan. Good morning, Chairman Moran, Ranking Member Blumenthal, and members of the Subcommittee. My name is Catherine Mulligan. I am a Senior Vice President with Zurich (North America) with our Management Solutions Group. I lead a market facing team of underwriters who are responsible for working with our brokers and customers on the placement of cyber insurance. I appreciate the opportunity to speak with the Subcommittee today, and I apologize for my laryngitis as well. As a brief introduction, Zurich Insurance Group is a global multi-line insurance provider with a global network of subsidiaries and offices, 55,000 employees, and customers in more than 200 countries and territories. We are the fourth largest commercial property and casualty insurer in the United States by gross written premium. Mr. Chairman, as I am sure you are aware, we employ over 400 people in the state of Kansas. Zurich has had a cyber insurance product for over 10 years, and we have invested heavily in the last few years in thought leadership to address the risk management concerns of our customers. In October 2014, Dowling and Partners called ``security & privacy,'' also known as ``cyber insurance,'' one of the few growth markets in the U.S. property and casualty industry, and while sources suggest that the current market is $2 billion in gross written premium, this number is actually hard to verify due to the fact that the coverage can be offered blended with other coverages in addition to stand-alone. The product was first introduced about 15 years ago and has its roots in technology errors and omissions, a third party financial damage coverage, and as privacy regulations evolved, companies found that they were incurring costs, first party costs, to respond to privacy events and comply with these regulations, so cyber policies were developed to respond to this blend of first and third party costs arising from breaches and privacy events. In January of this year, the Insurance Information Institute reported that market capacity for cyber is on the rise, and while this optimism is understandable, given the visibility of these issues, the reality is that the shape of the marketplace continues to shift. Number one, capacity is in flux, so in the Dowling & Partners' report in October, they said that over 60 carriers wrote the coverage, but that number has since decreased as some excess markets are pulling out of the product or reevaluating their appetite, and reinsurers are doing the same. Pricing is in flux. The insurance industry lacks robust actuarial data around the loss experience for a product that is still in its nascency. Unlike general liability policies, which all commercial enterprises carry, the buyers of this coverage are largely in a few key industry sectors, such as health care, and in the large company space, over $1 billion in revenue. Loss experience is developing. Highly publicized breaches have led to direct damages in the hundreds of millions of dollars of costs which continue to rise, and liability costs have yet to be determined, so what these recent breaches show us is that there is a severity potential as well as this unknown element as liability issues are resolved in court. Coverage and aggregation challenges remain. It is important to understand the history of the product as financial loss insurance, as the total scope of exposures presented by a cybersecurity event currently are beyond the scope of the current coverage. For example, a cyber attack may cause physical damage, and while some limited coverage is available in the marketplace, current security and privacy forms generally exclude bodily injury and property damage. The scope of the exposures is too broad to be solved by the private sector alone, not all exposures are transferrable to an insurance policy. That leads us to the emerging issues of aggregation tracking and emerging exposures. Multiple lines of insurance may be impacted by a security event. For example, if a public company has a significant breach and then has a stock drop as a result, they may face a shareholder derivative suit, which can then come in as a claim under their directors' and officers' liability policy. That leads us to the public/private sector cooperation. In 2015, the World Economic Forum report stated ``The global risks transcend borders and spheres of influence and require stakeholders to work together.'' This echoes Chairman Thune's comments from the February 4 hearing on the NIST Framework, ``Real progress can be made by continuing to enhance public/private cooperation and improving cyber threat information sharing.'' Work in this arena, as Mr. Beeson said, includes working groups at the Departments of Homeland Security and Treasury on the issue of data repositories, which may need to take a couple of different forms--sharing of cyber event data, such as attack vectors, and cyber insurance data, including claims and underwriting information by sector. While it is too early to assert any definitive conclusions, the potential upside of these repositories would be more comprehensive information could help the insurance industry develop broader coverage and broader risk management solutions for our customers. Thank you. [The prepared statement of Ms. Mulligan follows:] Prepared Statement of Catherine Mulligan, Senior Vice President, Management Solutions Group, Zurich (North America) Good morning Chairman Moran, Ranking Member Blumenthal and members of the Subcommittee. My name is Catherine Mulligan and I am Senior Vice President of the Management Solutions Group for Zurich (North America). I lead the market facing team of underwriters responsible for working with brokers and customers on the placement of ``cyber'' insurance. I appreciate the opportunity to speak to the Subcommittee on the state of the cyber insurance marketplace and to share thoughts on some of the challenges we are seeing. As a brief introduction, Zurich Insurance Group (Zurich) is a leading multi-line insurance provider with a global network of subsidiaries and offices. Founded in 1872, Zurich is headquartered in Zurich, Switzerland with approximately 55,000 employees serving customers in more than 200 countries and territories. While Zurich is named after the Swiss city where it was founded, we are quite proud of our U.S. roots and our global platform for diversifying risk. In 1912, Zurich entered the U.S. as the first non- domestic insurance company and quickly became a leading commercial property and casualty insurance carrier. Over the last 103 years, Zurich has grown and its U.S. companies now employ more than 8,500 people in offices throughout the country with major centers of employment in the metropolitan areas of Chicago, New York City, Kansas City, Atlanta, Dallas, and Baltimore. Mr. Chairman, as I am sure you are aware, we employ nearly 400 people throughout the state of Kansas and write coverage in every single state. Zurich's U.S. insurance group accounts for roughly 40 percent of its total global business. As a result, Zurich is the fourth largest commercial property and casualty insurer in the United States by gross written premium. It is the fourth largest writer of commercial general liability insurance, which includes coverages that, among a wide array of other risks, protect U.S. manufacturers, importers and retailers against product liability losses. In addition to this capacity, Zurich also protects many U.S. construction projects throughout the country as the third largest fidelity and surety insurer. Zurich protects hundreds of thousands of U.S. employees and their employers as the fifth largest workers compensation insurer. With this context as to who Zurich serves, it was two years ago when Zurich's senior leadership decided to act to address the risk management questions and concerns raised by many of our cyber customers. This began a global thought leadership initiative with the Atlantic Council and resulted in a white paper report titled: Beyond Data Breaches: Global Interconnectedness of Cyber Risk. This report was released in April 2014, and Zurich has shared its findings and recommendations with its stakeholder community to generate dialog and steps forward to address the cyber threats. As cyber attacks occur in ever changing forms on business and industry that compromise increasing amounts of sensitive information, this hearing is extremely timely to level set what cyber insurance is, what it is not, and most importantly some of the challenges marketplace actors are seeing. I will dive into specifics later in my testimony, but overall here is how I see the market. Unsurprisingly given recent high profile breaches, so-called cyber insurance is quickly becoming a need for commercial customers. However, as a new market it faces a number of challenges. Some are somewhat more straightfoward, such as capacity and pricing, which are in flux as the industry grows and learns of new challenges. Yet, others reflect the complexity of the challenge. The term cyber insurance is a misnomer. A network security and privacy event--the more accurate term of cyber insurance--can also be caused by something simple such as improper disposal of paper records. At the same time, one cyber event can trigger multiple types of claims, for multiple insureds within one company, and even cause physical damage to a manufacturer or utility. The lesson can be boiled down to the simple fact that the scope of the challenge is too broad to be solved by the private sector alone. Not all losses from a cyber attack will be or even could be covered by an insurance policy. This market is new and evolving daily which will require time to fully mature. Market overview In October 2014, Dowling and Partners called security & privacy (also known as ``cyber'') insurance ``one of the few growth markets in the U.S. Property and Casualty Industry'' with growth potential up to $10B Gross Written Premium.\1\ Sources, including Dowling and Guy Carpenter,\2\ suggest the current market is $2 billion with five or six carriers offering primary coverage. Guy Carpenter also states that the six largest carriers have 70 percent of the market share, a statistic that remained relevant throughout 2014. These premium numbers are difficult to verify. The coverage can be offered on a stand-alone basis or blended with other coverages, such as Errors & Omissions. --------------------------------------------------------------------------- \1\ ``Cyber Security: with CEO Jobs Now on the Line, It's No Longer Just an `IT' Issue.'' Dowling & Partners IBNR Weekly #39, October 20, 2014 \2\ Guy Carpenter's State of the Tech/Cyber market report (2012) and Management Liability--Market Overview report (Oct. 2013) --------------------------------------------------------------------------- Coverage overview and history The product was first introduced about 15 years ago and has its roots in technology errors & omissions coverage. This is a third party liability coverage designed to respond to financial damages resulting from negligent acts, errors, and omissions in the deliverance of a product or service. As our world and economy became more networked, privacy issues came to the fore, which led to the development of privacy regulations. Companies found they incurred first-party costs to respond to privacy events and to comply with these regulations. Network Security & Privacy Liability policies were developed to respond to this blend of first and third-party costs. The product in its current iteration has been in the marketplace since around 2009. There is no industry standard policy language, but the core elements of the coverage are as follows:The third-party liability costs arising from network breaches and privacy events as well as some media liability events; The first-party or direct costs a company incurs in responding to a breach. These include forensics analysis, legal guidance in compliant breach response, credit and identity monitoring costs, and the costs associated with a call center and public relations. First-party coverages have further expanded to include Business Interruption and Extra Expense. This is a familiar coverage on most commercial property policies, but here, instead of responding in the event of physical loss or damage, this optional coverage can apply to direct damages arising from downtime caused by a network security breach. Marketplace shifts In January of this year, the Insurance Information Institute reported that market capacity for cyber insurance is on the rise.\3\ While this optimism is understandable given the visibility of the issues and the attention significant breaches have garnered from Boards of Directors and C-Suite executives \4\, the reality is that the shape of the insurance marketplace continues to shift: --------------------------------------------------------------------------- \3\ ``Insurance Industry Leaders Believe Market Capacity For Cyber Insurance On The Rise, U.S. Economic Growth On the Upswing, I.I.I. Survey Finds.'' Insurance Information Institute, January 14, 2015 \4\ ``Cyber Security: with CEO Jobs Now on the Line, It's No Longer Just an `IT' Issue.'' Dowling & Partners IBNR Weekly #39, October 20, 2014 --------------------------------------------------------------------------- Capacity is in flux. Dowling & Partners stated more than 60 carriers wrote the coverage as of October 2014. Subsequently, our broker partners tell us a number of excess markets pulled out of the product line or limited their appetite. Business Insurance has reported on major insurers restricting their appetites for challenging industry segments. The London market was tapped out for retailers by December; although capacity refreshed in 2015, the pressure was on to find strong support for growing programs. Reinsurers are also paying careful attention to their aggregations, and some have amended their appetites for supporting the coverage. Pricing is in flux. The insurance industry lacks robust actuarial data around the loss experience for a product that is still in its nascency. Unlike general liability policies, which all commercial enterprises carry, the buyers of this coverage are largely in a few key industry sectors (such as health care, financial institutions, technology, and retail) and in the larger company space (ie. companies with annual revenues over $1 billion). As loss experience emerges, and underwriters identify new attack vectors, pricing becomes more refined. Some segments, notably retail \5\, are experiencing significant increases in premiums as high profile breaches in the past 12 months have generated substantial first party loss dollars, which continue to rise. --------------------------------------------------------------------------- \5\ ``Data breaches prompt insurers to boost cost of retailers' cyber coverage,'' Business Insurance, Sept. 28, 2014 --------------------------------------------------------------------------- Loss experience is developing One major retailer, who suffered a highly publicized breach in late 2013, is reported to have incurred over $250 million in first- party costs in responding to the attack. Those costs reportedly continue to rise, and the liability costs associated with the breach--including liability to consumers and financial institutions--has yet to be determined. This example demonstrates the severity potential as well as the element of the unknown as the liability issues play out in court. Moreover, we see attack vectors shifting, for example, approximately 30 percent of breaches originate with a business partner or vendor, presenting challenges to underwriting the exposures and controls and to responding to breaches. Coverage and aggregation challenges remain It is important to understand the history of this product. The total scope of exposures presented by a cyber security event is beyond the current scope of coverage. Richard Clarke's acronym \6\ for causes of cyber security events remains applicable. He described them as C.H.E.W.: Crime, Hactivism, Espionage, and War. --------------------------------------------------------------------------- \6\ Richard Clarke, ``Cyber War: The Next Threat to National Security & What to Do About it'', published 2012 While most security & privacy policies do not focus on attribution, the trigger of coverage must still be a network security breach or privacy event. We eschew the term ``cyber'' for three --------------------------------------------------------------------------- reasons: 1. It is not a defined term in most policies; 2. Privacy events may be triggered by an analog event such as improper disposal of paper records containing personally identifiable information; 3. A broad term such as ``cyber'' erroneously may suggest that the coverage could respond to every type of damage caused by an attack on a network. We understand that customers have a range of exposures that exist beyond the financial loss coverage that is provided under a Security & Privacy policy. Top areas of concern include Bodily Injury and Property Damage: A cyber attack may cause physical damage to a manufacturer or utility. For example, a December 2014 malware attack to a German iron plant caused fire damage when a furnace's controls were compromised.\7\ In 2014, Insurance Service Offices (ISO) issued exclusions on their general liability forms to clarify that cyber events are not meant to be covered on the general liability policy. While some limited coverage is available in the marketplace, current security and privacy forms generally exclude bodily injury/property damage. --------------------------------------------------------------------------- \7\ ``Cyberattack on German Iron Plan Causes `Widespread Damage': Report,'' The Wall Street Journal, December 18, 2014 The scope of the exposures is too broad to be solved by the private sector. Not all causes of loss can be transferred to an insurance policy. Emerging issues Aggregation tracking and emerging exposures Multiple lines of business may be impacted as the result of a cyber security event. For example, a significant breach to a public company might result in a stock drop, which leads to a derivative suit that comes in as a claim under a Directors & Officers Liability Coverage. Also, one event might impact multiple insureds. For example, a recent breach at a large health insurer has resulted in claims under policies for a variety of companies who have business relationships with that insurer. The current coverage structure and pricing will continue to evolve as carriers gain a more comprehensive understanding of the full scope of the potential. The insurance industry is working with the public sector to shape policies around these issues. Public sector The 2015 World Economic Forum report states that ``global risks transcend borders and spheres of influence and require stakeholders to work together.'' \8\ The focus of the report on ``risk interconnections and the potentially cascading effects they create'' echoes the theme of the Atlantic Council's 2014 study on cyber risk.\9\ The WEF report echoes Chairman Thune's comments from the February 4th hearing on the NIST framework: ``Real progress can be made by continuing to enhance public-private cooperation and improving cyber-threat information sharing.'' --------------------------------------------------------------------------- \8\ ``Global Risks 2015--10th Edition'', World Economic Forum, January 2015 \9\ ``Risk Nexus. Beyond data breaches: global interconnections of cyber risk'', Atlantic Council, April 2014 --------------------------------------------------------------------------- Work in this arena includes working groups at the Department of Homeland Security and the Department of Treasury on the issue of data repositories. Data sharing may need to take a few different forms: sharing of cyber event data, such as attack vectors and scope, and cyber insurance data, such as claim and underwriting information by sector. While it is too early to assert any definitive conclusions, the potential upside of these discussions is that more comprehensive information will assist insurers in developing both coverage and risk management solutions and best practices for our customers. Senator Moran. Thank you very much. Ms. Sage? STATEMENT OF OLA SAGE, FOUNDER AND CEO, e-MANAGEMENT Ms. Sage. Good morning, Chairman Moran, Ranking Member Blumenthal, and to the other members of the Subcommittee. It is an honor for me to be here today, and thank you for the opportunity to testify on behalf of my company, e-Management, as a small business consumer of cybersecurity insurance products. My company's journey into the cybersecurity insurance market began in 2013. Small businesses had become the fastest growing segment for cyber attacks, and I was advising other small businesses to obtain appropriate business and legal protections, such as cybersecurity insurance. However, my company, a 15-year-old IT services and cybersecurity firm, was not covered. I decided that needed to change. Working through our insurance broker, we began researching cybersecurity insurance products but could not find products designed specifically for small businesses. We submitted applications to several large insurance companies, and these applications varied in length and substance with very little consistency in the questions asked. Comparing the policies against one another was virtually impossible, as the language used in one policy was quite different from the next, and it was unclear whether or not they covered the same conditions. Regrettably, I cannot tell you that our selection of a cybersecurity insurance product was based on a simple and easy analysis of options, and I also cannot say with confidence that we picked the best policy for us. Our process took 4 months and our policy cost over $10,000. This was a significant investment for a company our size. We recently passed our one year anniversary, and this time around, the process started with a letter from the insurance company informing us that our coverage would not automatically renew. The abbreviated three page application included one cyber-related question that asked about changes regarding the security and protection of our facility and network. Three weeks later, our policy was renewed. That was the good news. The surprising news was that our premium increased by 12 percent. Stunned, confused, and frustrated are just a few words that described our reaction. Our broker explained that there were a variety of factors that went into the underwriting process, and in our case, ironically, because our revenues grew in 2014 over 2013, that appeared to be the primary contributor to our increase. After a year of using the voluntary NIST Cybersecurity Framework and investing in processes and tools to improve our overall cybersecurity readiness, it was discouraging to be in essence rewarded with an increase in our premium. My experience though is not unique. As I speak to small business CEOs across the country, many elements of our story resonates. In addition, there is a general lack of awareness in four areas. One, the need for cybersecurity insurance for small businesses. Two, the availability of insurance products on the market. Three, what the various policies cover, and last, what these insurance products cost. I would like to offer three recommendations that I believe would encourage more small businesses to take greater advantage of cybersecurity insurance products. First, increase the awareness of cybersecurity insurance as a risk transfer option for small businesses. According to a recent industry survey, only a third of small and mid-sized businesses are even aware that cybersecurity insurance exists, and of that number, only 2 percent actually hold cybersecurity insurance. With the average annual cost of cyber attacks to small businesses reported to be close to $200,000 and the median cost of down time reported at $12,500, the majority of small businesses just cannot sustain these costs, leading many to close their doors. Cybersecurity insurance can be an important tool to help small businesses manage significant financial exposure. Second, make cybersecurity insurance affordable for small businesses. Cybersecurity insurance needs to provide meaningful coverage that small businesses can actually afford. We believe offering competitive cybersecurity products designed for the small business market will ultimately lead to better deals for small businesses. We recommend that insurance companies consider a company's use or application of the voluntary NIST Cybersecurity Framework as a best practice factor in their underwriting processes. Third, reward small businesses who are actively managing their cybersecurity risks and implementing reasonable security measures. Based on our own experience, we strongly believe that any small business that uses the NIST Cybersecurity Framework can significantly reduce their cybersecurity risk exposure and should be preferred candidates for lower premiums. In closing, I welcome and appreciate the emphasis that Congress, Federal, state, local agencies, and private sector organizations have placed on small business cybersecurity protection. As the threat and challenge to small businesses continues to persist, we at e-Management are committed to continuing to work with all parties to identify and develop simple and affordable solutions. Thank you again for the opportunity to testify, and I am ready to answer any questions you may have. [The prepared statement of Ms. Sage follows:] Prepared Statement of Ola Sage, Founder and CEO, e-Management Opening Remarks Good morning Chairman Moran, Ranking Member Blumenthal, and distinguished members of the Committee. It is an honor for me to be here today. My name is Ola Sage and I am the Founder and CEO of e-Management, a small business provider of high-end IT services and cybersecurity solutions to clients in the private and public sectors, including the largest U.S. Federal agencies. Founded in 1999 and headquartered in Silver Spring, Maryland, we employ close to 60 IT professionals who deliver services in our core areas of IT Planning, Engineering, Application Development, and Cybersecurity. In 2013 we were honored to receive the Department of Energy's Cybersecurity Innovative Technical Achievement award, highlighting the expertise of our cybersecurity experts in designing and implementing advanced cybersecurity detection and risk management capabilities. Our newest cybersecurity risk intelligence software solution, CyberRx, automates the National Institutes of Standards and Technology (NIST) Cybersecurity Framework (CSF) and is designed to help small businesses easily measure their cybersecurity capabilities, manage their cybersecurity risks, and communicate their cybersecurity readiness to internal and external stakeholders. I am a champion and advocate for Small and Medium-Sized business (SMB) cybersecurity readiness. I currently serve as an elected member on the Executive Committee of the National IT Sector Coordinating Council (IT SCC). The IT SCC, comprised of the Nation's top IT companies, professional services firms, and trade associations, works in partnership with the Department of Homeland Security (DHS) to address strategies for mitigating cybersecurity threats and risks to our Nation's critical infrastructure, especially for organizations and businesses that are particularly vulnerable such as SMBs. I am also an 8-year member of Vistage, an international organization of 19,000 CEOs that control businesses with annual sales ranging from $1 million to over $1 billion. I regularly meet with and speak to small business CEOs in Vistage, and other small business forums about why cybersecurity should matter to them and how it can affect their ability to keep business, stay in business, or get new business. In the last 3 months alone, I have spoken to more than 100 SMB CEOs that represent a diverse mix of industries. Thank you for the opportunity to testify today on behalf of e- Management as a small business consumer of cybersecurity insurance products. In my testimony today, I will discuss: My company's involvement with cybersecurity insurance including our application and renewal process Perspectives that I have as a CEO and from other CEO's relative to cybersecurity insurance Opportunities for the cybersecurity risk insurance industry Concluding thoughts Our Driver My company's foray into the cybersecurity insurance market began in November 2013 as I prepared for a webinar on cybersecurity titled ``We've Tipped: 5 Ways to Increase Your Cybersecurity Resiliency.'' The webinar discussed the wave of cyber-attacks that were occurring across all industries, highlighting the significant increase in attacks on small businesses and the impacts--including financial, legal, and reputational--that they were having on all sizes of business, including the disproportionate and negative impact to small business. According to the Cyber Security Alliance, 60 percent of small businesses go out of business within 6 months of a significant cybersecurity event. Among the five key recommendations I made in the webinar was for businesses to make sure they had appropriate business and legal protections (e.g., business policies, insurance, etc.). I thought about my own company and whether we had taken appropriate steps to include business and legal protections in the area of cybersecurity. As a company, we had participated for more than a year with NIST as they worked with thousands of security professionals in government and private industry to develop the CSF. Upon release of the Preliminary Draft of the CSF, NIST encouraged companies and organizations to try it and provide feedback that could inform the final version (v 1.0 which was ultimately published in February 2014). We took the challenge. Methodology In our ``test drive'' of the CSF, we used the Framework as a way of assessing our cybersecurity readiness in the five core cybersecurity functions (Identify, Protect, Detect, Respond, and Recover) and mapped the results to the four Implementation Tiers to help us to understand how our current cybersecurity risk-management capabilities measured up against the characteristics described by the Framework and to assess the degree of risk management rigor we were applying to each of the five core functions. Overall, the CSF provided a common language that I could use with my management and IT teams in organizing our thinking around cybersecurity. We were able to distill where we needed to prioritize our efforts and focus our dollars. We found it to be a very effective and useful tool. Our Cybersecurity Insurance Experience In addition to technical and operational changes we made after our initial CSF readiness assessment, we decided to move forward with researching what cybersecurity insurance products were available on the market, specifically available offerings for SMBs. As I'm sure it will come as no surprise to anyone here, we could not find cybersecurity insurance products designed specifically for SMBs. The cybersecurity insurance industry was and is still in a nascent stage. Working through our insurance broker, we submitted applications to several large insurance companies. The applications varied in length and substance, with very little consistency in the questions asked. When the quotes arrived, they ranged from a couple thousand dollars from one insurer to twelve thousand plus for another. Comparing the policies against one other was virtually impossible as the language used in one policy was quite different from the next and it was unclear whether or not they covered the same conditions. As expected, all of the policies contained exclusion clauses, however it was not clear from policy to policy whether the exclusions were similar or not. Regrettably I cannot tell you that our selection of a cybersecurity insurance product was based on a simple and easy analysis of options. We ended up with a policy that combines cybersecurity liability and errors and omissions, but honestly, as I sit here today, I cannot say with confidence we have the right policy for us. All told, the process from start to finish took four months and cost over ten thousand dollars. This was a significant investment for a company our size. We continue to regularly monitor and manage our cybersecurity risks, and implement preventative measures based on the results of our Framework assessment. We call it ``operationalizing'' the CSF. We understand it is not possible to achieve 100 percent cybersecurity, but as a provider of IT and cybersecurity services, we believe it is important to convey to our employees, customers, and vendors that we take cybersecurity seriously and understand the potential damage it could cause to them. In addition to doing it for the right reason, we also see it as a competitive advantage. We have taken it a step further. Understanding the value the CSF gave us, we wanted to share our experience with other small businesses. Drawing on our entrepreneurial instincts, we created and brought to market a software solution that automates the CSF in a way that is simple and affordable for other small businesses to use. In two hours or less, a small business can conduct a ``fitness'' review of their cybersecurity readiness in the CSF's five core areas. In addition, the small business CEO receives information unique to their company that provides them insight into their level of technical, operational, and financial exposure. It is actionable risk intelligence. We call it CyberRx. CyberRx makes it easy for a small business to understand how prepared their business is to identify, protect, detect, respond, and recover from cybersecurity attacks and alerts them to areas that need attention. They quickly know what areas to focus on and what their next steps should be. We use CyberRx in our company today to continuously manage our own cybersecurity risks. Renewing our Cybersecurity Insurance This brings me back to our cybersecurity insurance experience. We have just passed our one year anniversary and this time around the process started with a letter from the insurance company informing us that our coverage wouldn't automatically renew. We received an abbreviated application (3 pages vs 15) which we completed and sent back. There was only one question around cybersecurity asking whether there had been any changes regarding the security and protection of our facility and network. The instructions indicated that if the response was ``Yes'', we needed to indicate if we had experienced a security breach? As we thankfully did not experience a breach (that we know of) we were able to answer no. We received our renewed policy in approximately three weeks, which was the good news. The surprising news was that our premium increased by 12 percent. Stunned, surprised, frustrated, confused, discouraged, etc. are all words that would accurately describe our reaction. After a year of investing in processes and tools to strengthen our cybersecurity posture, the result was an increase in premiums. Doing the right thing didn't seem to pay, literally. We went back to our broker to better understand how this could have happened and were informed that there were a variety of factors that went into the underwriting process. In our case, ironically, because our revenues grew in 2014 vs 2013, that appeared to be the primary contributor to the increase. When we asked whether or not using the CSF could be a factor, our broker wrote that ``although they do not specifically inquire as to whether or not an insured is following the voluntary cyber security framework provided by NIST, they obviously take into consideration any preventative measures an insured implements when underwriting a risk.'' SMB CEO Perspectives My experience is not unique. As I speak to small business CEOs across the country, there is a general lack of awareness about (1) the need for cybersecurity insurance; (2) what cybersecurity insurance products exist on the market; (3) what the various polices cover; and (4) what the costs are. 1. The need for cybersecurity insurance Many SMB CEOs just don't believe they have anything cyber hackers would want. ``We're too small,'' some will say, believing that hackers are only interested in the large companies where they can get more ``bang for their buck.'' Interestingly, another subset of SMB CEOs believe that cybersecurity insurance is already included in their professional liability coverage, and therefore do not see the need for additional or separate coverage. 2. Availability of cybersecurity insurance products Of the 100 or so SMB CEOs I have spoken to over the past three months, easily 70 percent were not aware of what cybersecurity insurance products are available on the market. Once informed they were curious to learn more. This aligns with a recent 2015 survey by Gartner company, Software Advice, who reported that after defining cyber insurance to the SMB decision-makers in their survey, they found that a combined 52 percent were either ``very'' or ``moderately'' intrigued, with another 32 percent ``minimally'' intrigued, giving an overall 84 percent who expressed some level of curiosity.\1\ --------------------------------------------------------------------------- \1\ http://www.softwareadvice.com/security/industryview/cyber- insurance-report-2015/ --------------------------------------------------------------------------- 3. Policy Coverage Understanding what the different cybersecurity insurance policies cover can be a challenge, not just for SMBs, but also for many brokers. There does not appear to be any common terminology or contract organization amongst carriers, thus making it difficult and costly to truly understand what an individual policy covers and to compare competing insurance products. 4. Cost of Coverage The cost of cybersecurity insurance varies widely. Our own experience with a range of quotes from $2,000-$13,000 is not uncommon. This large variance can discourage SMB CEOs from making needed investments in cybersecurity insurance. In addition, for many SMBs, such rates are cost prohibitive for what they might consider ``elective'' insurance. Given the challenges with understanding and comparing the scope and coverage of various insurance products on the market, SMBs may incur additional costs in connection with the placement or renewal of insurance in addition to the cost of the insurance itself. Opportunities for the Cybersecurity Risk Insurance Industry to Assist SMBs There is no 100 percent level of cybersecurity. At e-Management, we strongly believe cybersecurity readiness is about risk management. We offer the following straightforward recommendations that we believe would encourage SMBs to take greater advantage of cybersecurity insurance products. 1. Increase awareness of cybersecurity insurance as a risk transfer option for small businesses. Cybersecurity insurance can be an effective tool to help small businesses manage their financial risk and should be a key part of a company's cyber and information security practice. Several years ago, Symantec reported that the average annual cost of cyberattacks to small businesses was $188,242 with median cost of downtime for an SMB reported at $12,500 per day. These costs can be devastating, in many cases leading small businesses to shut their doors. However, a majority of small businesses are not aware of cybersecurity insurance. According to the 2015 survey by Software Advice, only a third of small and midsize businesses are even aware that cybersecurity insurance exists and of that number only 2 percent actually hold cybersecurity insurance. I understand that in the last year there have been extensive discussions among government, private companies, insurance groups, and other relevant stakeholders about expanding the role of cybersecurity insurance in public and private industry business agreements. While I think this is a necessary and important conversation to have, I encourage these discussions to continue to be as thorough and transparent as possible including a full review of potential impacts or consequences that particular policy decisions could have, particularly to SMBs. 2. Make cybersecurity insurance affordable for SMBs Cybersecurity insurance needs to provide meaningful coverage that SMBs can actually afford. Various industry reports indicate that SMBs continue to be the fastest growing segment of cyberattack victims, creating a huge vulnerability, not just for the SMBs, but for their customers, vendors, and suppliers. We believe offering competitive cybersecurity insurance products designed for the SMB market can lead to better deals for SMBS. We recommend that insurance companies consider a rating system based on the CSF that underwriters could consider as a factor in the underwriting process. SMBs that demonstrate use of the CSF could receive a higher rating as they have mitigations in place which line up with industry standards and best practices. 3. Reward SMBs who are actively managing their cybersecurity risks and implementing reasonable security measures. In 2014, the Online Trust Alliance indicated in a report that 90 percent of the year's breaches could have been prevented if organizations implemented basic cybersecurity best practices.\2\ The CSF is a model cybersecurity best practice and offers a defensible way to assess and manage cybersecurity risks. Based on our own experience, we strongly believe that any small business that uses the CSF can significantly reduce their cybersecurity risk exposure. Small businesses that are actively managing their cybersecurity risks should be preferred candidates for lower premiums and tax incentives. --------------------------------------------------------------------------- \2\ https://www.otalliance.org/news-events/press-releases/ota- determines-over-90-data-breaches-2014-could-have-been-prevented --------------------------------------------------------------------------- Conclusion At e-Management, we continue to find the CSF to be a useful tool in helping us and other SMBs organize the way we think about cybersecurity risks and the best practices we need to implement to reduce our overall cybersecurity risk exposure. We appreciate the emphasis that Congress, NIST and the DHS have placed on educating SMBs about the increasing cybersecurity threat and raising awareness of the CSF. We welcome continued efforts in this area and encourage the addition of cybersecurity insurance in the discussion as another tool that SMBs can consider along with other risk management solutions. While simply obtaining cybersecurity insurance cannot be viewed as a silver bullet, I believe cybersecurity insurance can be an important tool in helping SMBs manage significant financial exposure associated with a successful cyber attack. As the cybersecurity threat and challenge to small business continues to persist, we at e-Management are committed to working with government and industry to identify and develop simple and affordable solutions that enable small businesses to strengthen their cybersecurity readiness and posture. Thank you again for the opportunity to testify, and I am ready to answer any questions you may have. Senator Moran. Thank you very much. Mr. Menapace? STATEMENT OF MICHAEL MENAPACE, COUNSEL, WIGGIN AND DANA LLP, AND ADJUNCT PROFESSOR OF INSURANCE LAW, QUINNIPIAC UNIVERSITY SCHOOL OF LAW Mr. Menapace. Good morning, Senator Moran, Senator Blumenthal. Thank you for inviting me to today's hearing. I have submitted written testimony, but I appreciate the opportunity to highlight a few of the issues that I discussed in that testimony, including the evolution of cyber insurance and its cost drivers, breach notification requirements, data breach information sharing, and data protection standards. As you have heard, in the early 2000s, a small group of insurers did start offering cyber insurance. Those early insurers have now acquired somewhat significant experience and are sophisticated participants in this specialized market, but the market also has smaller insurers who are less experienced and do not necessarily have the same level of expertise as the market leaders, and have less mature books of business. When cyber insurance was first conceived, we originally thought the cost driver would be third-party litigation against insureds as well as first-party property losses. While litigation is still an important consideration, there was not an appreciation at that time of what would become the cost drivers. According to several industry sources, data breach response costs, sometimes referred to as ``crisis response costs,'' now account for up to 50 percent of the cost of data breaches. These response costs include technology forensics services, legal guidance, consumer notification, credit monitoring, call centers, public relations. With regard to the legal guidance and consumer notification, there is an available strategy to lower the costs. Currently, there are 47 states with separate breach notification laws, some of which are inconsistent with each other. As a result, when a breach occurs, businesses and insurance companies engage lawyers like me to perform 47 legal analyses based on the facts at hand. As you can imagine, 47 separate legal analyses can get expensive. Moreover, the diversity of the 47 states means that a consumer in one state may be notified while a consumer impacted by the same breach who lives in another state may not be notified. A single Federal standard that preempts the current patchwork could save time and expense and provide for the uniform treatment of consumers. With regard to data sharing, I mentioned that some insurers have mature books of business, and they rely on their own proprietary analytics to analyze the data they hold. Other market participants, however, could benefit by accessing a nationwide pool of data to help them decide which risks to underwrite and the appropriate premiums to charge. A nationwide database of cyber breach information, particularly with regard to the origins and causes of the breaches, could also assist non-insurance businesses as they assess their own processes and protocols and look to spot trends with the goal of avoiding loss. I appreciate the competing positions and interest on this issue, but whether the database is created and maintained by a public agency, the private market, or a public/private partnership, I do believe the market as a whole could benefit from sharing information about data breaches. Finally, I would like to say a few words about data protection standards. HIPAA provides one model, it provides the model of Government mandated data protection standards. Another model is the development of flexible industry led and voluntary guidance for specific industries, like we have with the NIST Framework. Now, the existing NIST Framework cannot simply be applied to other industries, but it is an example of what a public/ private partnership can look like. That type of framework can inform businesses on their own practices, and even though they are largely subjective in nature and therefore of limited value to insurance actuaries, the goal and guidance in the Framework could be incorporated by insurers as part of their underwriting considerations. Appropriate data protection practices will likely evolve over time without government involvement, but government involvement or encouragement could be an efficient way to help the standard evolve more quickly across a variety of markets. I am happy to answer and respond to any questions. [The prepared statement of Mr. Menapace follows:] Prepared Statement of Michael Menapace, Counsel, Wiggin and Dana LLP; Adjunct Professor of Law, Quinnipiac School of Law Sen. Jerry Moran, Sen. Blumenthal, and other members of the Subcommittee-- I am pleased to provide testimony today concerning this Committee's interest in the growing cybersecurity insurance market, the evolution of the insurance coverage, opportunities to strengthen the insurance industry, and the insurance market's impact on cybersecurity. I would be pleased to respond to specific questions posed by the Committee and I would like to cover in my testimony several specific issues concerning the evolving cyber insurance marketplace. Specifically, I would like to discuss the cost-drivers for cyber insurance, the role that the insurance industry and the government can play in helping in the development and evolution of standards for breach notification, the sharing of data breach information, and flexible, industry-specific standards for protecting consumer data. The testimony I provide is my own and not necessarily that of any of my firm's clients. Background and Introduction I practice law at the law firm of Wiggin and Dana after having previously practiced at a large international law firm. In addition, for the past 6 years, I have taught Insurance Law at the Quinnipiac University School of Law and have published articles and books on a variety of property and casualty insurance issues. In my law practice, I, along with my colleagues, represent companies in a broad spectrum of industries by helping them develop data security and privacy protocols and procedures, and I represent insurance companies in several areas, including cybersecurity. In both my academic role and in private practice, I have the opportunity to work closely with businesses in many market segments, insurance companies, and regulators. Examining the intersection of insurance and cybersecurity is an important and timely topic for this Committee. Insurance often evolves slowly, but we are in the midst of a period in which technological advancements and the development of a relatively new product are occurring simultaneously. No doubt, we are living through a dynamic period in the insurance industry and we should not underestimate the importance of the insurance industry in terms of risk transfer and the information insurers provide to insureds on loss mitigation strategies and loss trends. The insurance industry is in a unique position to help regulators, businesses, and consumers assess and respond to the ever-growing threat of data breaches. Insurers can help businesses and consumers respond quickly and efficiently when breaches unfortunately, but inevitably, occur. Insurers have first-hand experience with large amounts of consumer data. Moreover, insurers are in the business of examining and responding to risks, tracking emerging trends, and finding ways to mitigate their impact. Indeed, insurers often provide information and best practices to their insureds to help avoid losses. By definition, insurers deal with events that are uncertain from the viewpoint of the insured. There is an element of fortuity at the heart of insurance that insureds cannot predict. While this element of uncertainty is present to insureds, insurers can pool large amount of data and experience to see trends as they evolve--this helps them price insurance policies appropriately and remain in a financial position to pay claims. In addition to the traditional goal of providing risk transfer, insurers can help insureds avoid loss in the first instance. For example, insurers have traditionally helped in the development of safety programs to help employers and employees avoid workplace injuries. Obviously, such programs help workers, but they also assist the purchasers of insurance by bringing down premiums. In all, the goal of the insurer is for their insureds to avoid losses and to make those losses that inevitably occur smaller and easier to rectify. The insurance market can play a similar role in cybersecurity with risk transfer products and sharing information and experience with their insureds. Evolution of Cyber Coverage There are some insurers, particularly the large insurers, who have been writing some form of cyber coverage for well over a decade. They have become quite sophisticated and efficient in providing excellent risk transfer products to a variety of markets. However, there are approximately 40 insurers in the U.S. that are currently providing cyber coverage, and among those insurers are some that are relatively small by comparison to the market leaders and who are less experienced and sophisticated in providing cyber insurance. While the insurance market as a whole could benefit from the topics we are discussing today, it is the smaller companies and those with a less mature book of business that would likely benefit the most--and, by extension, their insureds would see benefits in the form of lower premiums and thriving insurance marketplace. I will discuss breach notification standards, the sharing of data, and the development of data protection standards in a few moments, but I would first like to discuss how the cyber insurance market has evolved to where we find it today. During the ``dot com'' boom of the early 2000s, some insurers started offering insurance products for technology companies. Originally, those insurers provided first party property loss coverage along with some third party liability coverage. The first party property loss coverage was designed to cover, for example, losses the policyholder experienced for damage to its own technology equipment and infrastructure. The third party liability coverage was designed for exposure to third party lawsuits against the insureds. The early coverage was written that way because, in those nascent years, the insurance market believed that the liability losses would be driven by the cost of defending lawsuits and paying settlements or judgments as a result of those lawsuits. But the predictions on the cost-drivers were not entirely accurate and today's products have developed to reflect this reality. While third party lawsuits are still one factor insurers consider how they draft policy wordings and price the coverage they offer, we have seen that data breach response costs have come to the forefront in the minds of insurers and insureds alike. Neither insurers nor insureds anticipated that these breach response costs, sometimes called crisis service costs, would be the significant cost drivers that they have become. These breach response expenses have become costs drivers for several reasons, including the fact that many data breach lawsuits are dismissed in the early phases of litigation. These lawsuits are often dismissed because the plaintiffs cannot show or even plead concrete damages--in response to breaches, businesses or their insurers often provide credit monitoring at no cost to consumers and until actual damage to the consumer can be alleged as a result of the data breach, the damages are speculative. Obviously for those cases that are dismissed, there are no settlement or judgment costs borne by insurers and the defense costs are extinguished, whereas every breach will have breach responses expenses. According to a recent insurance industry survey, the initial crisis service costs account for about half of all data breach costs. Those breach response services include technical forensic investigations, attorney oversight, breach notification to and credit monitoring for affected consumers, call centers, and public relations services. The other half of the costs go towards legal defense and settlement, regulatory response and defense, regulatory fines, and fines imposed by credit and debit card issuers. A Federal Breach Notification Standard--Reducing the costs of breach responses and treating consumers equally As of today, the are 47 states, plus Puerto Rico, Washington D.C., and the Virgin Islands, that have requirements for notifying customers after the unauthorized access of personally identifiable information or protected health information. Many of these state requirements also require notification of the state attorney general when a certain number of residents have been impacted. But, these state requirements are not uniform in terms of when they are triggered and what information must be contained in the consumer notices. Therefore, when responding to a nationwide incident, lawyers like me must assess the impacted data and consumers under 47 different sets of requirements. Among the questions we must ask for each state are: Has the breach notification standard been triggered? Must the consumer(s) be notified under the facts of the incident? What information must be contained in the notification? Must we notify state regulators or attorneys general? Must notice be given in a specific timeframe? Are we required to provide specific consumer protection services such as identify theft insurance and/or credit monitoring? This 47-state exercise can be a costly endeavor and, frankly, can result in a situation where some consumers and state officials are notified in one state while consumers and officials in other states are not notified about the very same incident. As both industry members and regulatory authorities have noted, this current patchwork quilt of state breach notification requirements creates gaps in consumer protection as well as additional burdens for businesses that experience cyber-attacks A nationwide standard for breach notification that preempts state law requirements would eliminate the time, expense, and inconsistencies involved in the 47-state analysis for each breach and would provide for uniform treatment of consumers. I note, however, that any such Federal standard must carefully consider the time-frame within which business must notify consumers whose data may have been affected. The time-frame must balance the needs of timely notice to consumers with the concern of providing consumers with accurate information. Increasingly, large breaches involve complex attacks that require equally complex forensic investigations to determine the actual scope of data losses. Nationwide Data Clearinghouse--Assisting underwriting and spotting trends There are many lines of insurance that have fairly standardized coverage terms and conditions regardless of which insurer is issuing the coverage. For example, the vast majority of general liability policies purchased by businesses are based on standardized policy language. The Insurance Services Offices, Inc. (ISO), publishes standard liability policy language for many lines of property and casualty insurance. Insurers can choose to adopt the ISO forms and, in the case of general liability policies, most insurers do adopt the ISO policy or use policy wording that is very similar. However, there is no standard insurance policy language for cyber insurance. ISO did recently publish cyber coverage terms, but I know of no insurer that has adopted the ISO policy terms or has plans to do so in the near future. Among the approximately 40 insurers that offer cyber insurance, there are some with significant experience and who have policy language that they have developed over the course of more than a decade of experience. Those insurers are comfortable with their policies even though they will undoubtedly continue to evolve. Other insurers, some who are newer entrants into the cyber insurance market and others who are looking to differentiate themselves from their competitors, have their own policy language that has not been tested to the same extent as the policy terms used by the insurers with more mature books of business. Understanding these differences in policy language from one insurer to another can be a challenge to insurance purchasers and brokers, but the diversity in the market also gives purchases more choice to purchase insurance tailored to their specific needs. In and of itself, this diversity of policy terms and conditions is not problematic for individual insurers. What can be challenging for some insurers is making sure they have enough data to make prudent underwriting decisions when they sell policies. For insurers to have good underwriting in terms of deciding what risks to insure and how to price the coverage, it is important for them to have a good data set of past experience and loss information. There are some insurers who have been active in the cyber insurance space for a long time, they have developed their own database of loss experience, have a mature book of business, and have refined their criteria for underwriting decision. But, for the smaller insurers and for new entrants into the market, they do not necessary have the same foundation from which to make underwriting decisions. A nationwide database or clearinghouse for data breach information, specifically recording how each breach occurred and who was responsible for the breach, could be helpful to the insurance market generally and for businesses that are implementing their own data protection practices, processes, and protocols. Insurers could use the information to supplement their existing underwriting criteria. In addition, businesses in many industries could use the data to learn about the causes of other breaches and apply that information to improve their own efforts to keep consumer information safe. All market participants would be able to use the data, for example, to spot trends in cyber- attacks and hopefully respond before those attacks are repeated. I do not intend to imply that insurers are making underwriting decisions in a cavalier or uninformed manner. But there is no doubt that not all breach incidents receive national attention in the press and a nationwide database to which business could report information and from which they could learn from others could be a positive force in combating the evolving threat of cyber intrusion and data misappropriation. The Federal Government could play a role in encouraging the creation of and participation in such a clearinghouse. I can envision several ways the database or clearinghouse could be established and administered, either by private market participants, the Federal Government, or a public-private partnership. I do not have a view on the best method to accomplish this, and I concede there is debate on whether this kind of sharing is prudent, but there is a valid argument that more information can be a net positive for the market in general. Flexible and Industry-Specific Data Protection Guidelines--Assisting Businesses and Underwriters As this Committee and the other witnesses here today know, there are data protection standards that have been imposed on, or adopted by, certain business segments. For example, HIPAA provides, among other things, a set of national standards to protect personal health information and applies to ``covered entities'' and ``business associates.'' This is an example of government imposed standards. On the other hand, the NIST Cybersecurity Framework that was published about a year ago provides a different model from HIPAA. As this Committee is aware, the NIST Cybersecurity Framework was a collaborative effort between industry and government and consists of processes, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk. The Framework is not a fixed, uniform standard, but instead is a generalized framework for managing cyber-risk based on a continuous cycle of threat assessment and risk mitigation measures which can be customer by industry sector and by each organization. While still evolving, the Framework may over time become a baseline or benchmark of cybersecurity preparedness in some sectors. There are other markets and industries that have neither legally- mandated nor widely-adopted voluntary security standards and guidance. For example, the mobile apps industry, education institutions and retailers do not yet have industry-specific guidance on what protections they should employ to protect the data they collect, use, and store. As a result of recent `mega' data breaches, such as Target and Home Depot, we may see more coordinated industry efforts in this regard. Industry guidance, even if voluntary, can serve several purposes. One, it could provide a standard that businesses can use to gauge their own policies, protocols, and procedures. Two, the insurance market can look to that industry-specific guidance during the underwriting process to assess whether to underwrite a specific business and what price is appropriate for coverage. The NIST Framework contains subjective criteria--it is not a list of quantifiable metrics. Nevertheless, businesses can look to such frameworks as they examine their own business practices and as they consider what to expect when applying for cyber insurance. Insurance company actuaries may find the Framework less helpful, but guidance like the NIST Framework can provide some common expectations that insurers and insureds alike can use. Three, when government sponsored guidelines are industry-led, market participants can have some confidence in the standard that will be applied by a regulatory body in a post-breach inquiry. And, four, the standards could be a useful tool as private litigants and courts look to the appropriate standard of care that a business should be held to. It seems that the intent of any guidance or standards is to provide businesses with data protection expectations or best practices. But as a secondary benefit, insurers could choose to use the guidance as part of the criteria considered during the underwriting process. Any data protection guidance or framework, however, consistent with the approach of the NIST Framework, must be industry specific. For example, the data protections guidelines applicable to retailers are different than those applicable to entertainment companies, banks, education institutions, or health care providers to name just a few industries with uniquely specific needs. In addition, the industry standards must remain flexible to accommodate the size of the company, the data at issue, and technology as it emerges. Software will change, existing technology will continue to evolve, and we will see the use of wearable technology, drones, and the Internet of Things expand in use. Therefore, any government- sponsored or encouraged security guidance must be able to adapt in real time and should be technology-neutral and risk-based. Insurers understand already that business should not be required to use specific software or hardware. Instead, when deciding whether to cover a particular business or how much the coverage should cost, insurers sometimes are more interested generally in the business's culture towards data protection. If a company is committed to securing the data it holds, that company will likely update its software, its procedures, and its processes, making insurers more likely to underwrite coverage for that business. In examining the data protection culture of a business, cybersecurity frameworks, like the NIST Framework, can be useful tools even though, as stated earlier, they will not provide the actuaries with objective metrics on a particular insured or industry. If the government decides not to move forward with security guidelines for particular industries, such industry-specific standards and expectations will nevertheless likely develop over time in the marketplace. But, a partnership between the government and private industry could accelerate the development and adoption of flexible guidelines that will, ultimately, benefit consumers without restricting innovation. Getting businesses to examine their own practices in the course of purchasing insurance does have a recent precedent. Several years ago, when insurers started asking their business customers how they viewed their susceptibility to climate change impacts and what they were doing to address those risks, some business began looking at those issues for the first time and responded accordingly. There was no government mandate for insurers to ask these questions, but insurers did so because they saw that climate change risks could impact their customers and, by extension, themselves. The insurance market could spur the type of self-examination by businesses with cybersecurity measures and there does seem to be a role that the government can play to encourage this outcome. In the end, if insurers are confident that their concerns have been incorporated into any cyberssecurity guidance that is developed and they adopt that guidance as part of their underwriting processes, businesses will be encouraged and incentivized to address those issues even if security standards are not mandated by the government. I thank you for the opportunity to provide this testimony and am available to try to address any specific questions the Committee has for me on these or related topics. Senator Moran. Thank you very much. We appreciate the testimony. I look forward to the dialogue that now will occur with you. Let me start with a typical congressional question, which is about legislation. You, Mr. Menapace, talked about the standard, the information sharing. Mr. Beeson, you indicated the industry would be supportive. As you heard me say and maybe know, this subcommittee had a hearing a few weeks ago on those topics, what the standard should be, how it should be enforced. Let me ask, if you were in our shoes, and this is really a question to all the witnesses, if you were in the shoes of a Member of Congress, what is the legislative solution that would drive the increase in an insurance market, and what I think would be the consequence of that would be better security practices and less opportunity for breach. What public policy should we pursue, what legislation should be passed by Congress that would enhance the chances for that scenario to occur? You do not sound like you are from Kansas City, but we consider you one of us. Mr. Beeson. Thank you, Chairman. I think as you heard in my testimony, there is a real linkage between improved cybersecurity and potentially the growth of the insurance market itself. I was arguing that more statistics can help drive that, more data can help drive that, but equally, if there was legislation passed that helps industry improve its security posture, which I believe the proposed legislation to do with threat indicator information sharing between industry and Government and between industry. As we have seen, that has been very effective already in some of these ISACs, information sharing analysis centers, within the private sector. Actually, it would help industry improve its security and thereby help the insurance market sign onto risks, if you like, that it otherwise would not have done. That would in and of itself help grow the market. Senator Moran. Anyone else? Ms. Mulligan? Ms. Mulligan. Thank you, Mr. Chairman. I would support what Mr. Menapace said around a national database of information because the breaches right now are really outpacing the usual time it would take for an insurance product and pricing to develop. That information would help us, as Ms. Sage points out, differentiate the pricing and the coverage for different sizes of insurance and industry segments. Senator Moran. You agree with Mr. Menapace about the national standard as compared to 40 some states? Ms. Mulligan. I agree with him actually on both points, the national standard for notification, because that would streamline the process and the cost for insureds, but also on a data repository of sharing information. Senator Moran. I am actually surprised that there is enough information in today's current world for you to price an insurance policy. What is out there that allows you to have this market to the degree that it exists today? Mr. Beeson. As you heard from Mr. Menapace, the cyber insurance market has been around for roughly 15 years, and really since the first breach notifications in California in 2003, the market has built up data. Specifically, it is important to delineate this, because there are different types of assets at risk here. The cyber insurance market is focused primarily on the risks of handling personal data, consumer, patient, employee. There is quite a bit of data around to model, ``data'' being statistics, around frequency severity, to model the risk in that area. The problem at the moment is there is a dearth of information now as the risk has morphed, for example, into the risk of physical assets. On the utility, maybe I am not so worried or that is not my primary concern, handling of personal data. I am more worried about physical damage to the turbine from a cyber attack, for example. That is very challenging right now, and frankly, ambiguous as well for the insurance industry in terms of how to handle that. Senator Moran. While the industry is growing, it is growing everywhere, but different from segment to segment, it is coverage to coverage, the type of risk that you are insuring? Mr. Beeson. As I say, to some extent, this is a symptom of the insurance industry, it is fairly siloed and risks are looked at in different boxes, if you like, with different specialist underwriters. Cyber is a challenge, of course, because it sits across just about everything, and it is only recently, and thanks really to the Federal Government shining the light on the issue through the creation of the NIST Framework, that cyber is being viewed in a much broader perspective. It is not just about data breaches. It is actually now also--I think this in many ways should be seen perhaps as a greater concern to Government. It is a critical infrastructure industry, many of which are more worried about physical damage, business interruption loss, bodily injury, as Ms. Mulligan hinted on as well. That is where there is a real challenge right now in the marketplace, and where the focus is shifting. I am not saying the handling of personal data is not an issue. It certainly is, and we have seen that over the last year. There is no doubt about that. It is much broader than that now. Senator Moran. Do the suggestions that you have made regarding public policy improve the circumstances for all the silos you described? Mr. Beeson. Certainly, as I mentioned before, I support the threat indicator legislation. I think frankly if you talk to experts in the security industry in particular, they will tell you security has to become more intelligence based to tackle this problem, and clearly threat information is key to that. There is a whole debate about legacy defenses around firewalls' intrusion detection systems, which is still important, but they are not enough. How do we provide industry with that type of intelligence, and I think public policy or legislation proposed around threat information would be hugely helpful. Senator Moran. Across the board? Mr. Beeson. Yes. Senator Moran. Senator Blumenthal? Senator Blumenthal. Thank you. Just to follow up on that question, Mr. Beeson. What would that threat indicator or intelligence look like? A requirement by the insurance company that there be access to government intelligence or what specifically would that be? Mr. Beeson. In order to help facilitate an insurance company to underwrite the risk? Is that the premise of your question, Senator? Senator Blumenthal. Yes. Mr. Beeson. I will quickly, and then I am going to defer to the underwriter here, but in my opinion, in Lockton's opinion, I think there needs to be a change in the way insurance companies have been underwriting this risk, which has been much more, as I think we have heard from Ms. Sage already, a snapshot or questionnaire, which is a sort of static look at security, which now needs to change to something that is much more dynamic, which is a partnership with both government and probably the security industry to provide that type of intelligence as part of the underwriting process. Actually, as we heard from the Chairman in his opening remarks, that has already started with this firm BitSite. Senator Blumenthal. What do you think about that, Ms. Mulligan? Ms. Mulligan. I think Ms. Sage's testimony rightly points out the challenges underwriters have, asking the questions. We are trying to evaluate in an efficient way, people, process, and technology. Right now, we have an issue where attack vectors are changing more quickly than I think we know how to ask the right questions. Historically, the assumption at the enterprise level was that it was an IT issue, and that is something that has changed in the last 18 months, where now boards of directors are really on notice that there has to be a high level governance of this problem. We really encourage a culture of awareness from the board room to the mail room. Protection is probably not 100 percent possible for any one company. We really look to help companies move to resiliency rather than just protection. Are we asking the right questions, can we ask the right questions tomorrow when the attack vector has changed or the attacker has changed, and then are we able to design coverage that can respond to all the consequences of an attack? The issues are outpacing where we are right now, so the availability of information, underwriters think in trends, so it is not necessarily that I need to know the specifics from a government perspective for just Ms. Sage's industry sector or some other sector. It helps me to think in terms of trends, where is the frequency, where is the severity, and then that helps me design coverage and pricing. Senator Blumenthal. Let me ask Mr. Menapace, because you emphasized in your testimony the importance of culture, are companies asking the right questions? Obviously, as Ms. Mulligan says, they have been on notice for a while about these threats. Are they doing enough? Are they asking the right questions, and are they acting sufficiently? Mr. Menapace. I think there are two areas where insurers are looking into. One, as we talk about the national database, it would be helpful in a sense to look at industries. Is this potential insured a retailer, are they a health care provider, are they a manufacturer, and a national database will help the insurers identify those trends. When you get to the specific level of that insured, however, insurers are trying to keep up with what are the right questions that we want to ask of this potential insured, and that is much trickier, there is no doubt about that. I have no doubt that the collection and sharing of data will help in that regard. A number of underwriters now are looking toward what is the business' culture toward data protection as opposed to do you have this particular piece of software in place. That question is almost useless. Senator Blumenthal. Software changes and it is so dynamic. Mr. Menapace. Yes. Senator Blumenthal. Are there not sort of fundamental questions? The question I heard asked repeatedly in the wake of the Anthem breach was, why was there no encryption? In the wake of the Target breach, why are retailers not using chip and PIN rather than swipe technology? Evidently, chip and PIN technology is widely used, maybe almost universally used in Europe. Costs and the sharing of costs and the allocation of costs has been an obstacle. Lack of agreement on allocation of costs. It strikes me there are certain elements to protection that are changing. Technology is changing, the type of encryption is changing, but the complete absence of certain techniques maybe is reflected in the culture. Maybe that is what you mean by ``culture.'' Mr. Menapace. That is exactly what I mean. When an underwriter can go into a business and speak with the IT, the management, everybody, all the stakeholders, they will be able to get a sense of that culture in the sense of what they have now is fine, but everyone needs to realize that three months from now, that may not be fine. Both the insurers and the insureds need to understand this is a continuous process because the technology is advancing so quickly, and the threats are evolving so quickly. My guess is the questions that insurers like Zurich and others are asking today are going to be different questions that they will be asking 6 months or 12 months from now of their applicants. Senator Blumenthal. I have other questions which I hope to ask on a second round, but I am going to defer to my colleagues who are here, because they are on schedules as well. Senator Moran. Senator Blunt? STATEMENT OF HON. ROY BLUNT, U.S. SENATOR FROM MISSOURI Senator Blunt. Thank you, Chairman. Thank you and the Ranking Member for holding this hearing. Obviously, cyber and all elements of cyber need to get a lot of attention. I am hopeful this Congress can move forward in a couple of different areas, data breach, as well as information sharing. My view on this is if we have a dramatic cyber event and have not legislated, we will overreact, so this is an important time for us to be having this discussion so we have something in place when this happens. Mr. Menapace, one of the things in the bill we voted out of the Intelligence Committee that I serve on last week, and I am not sure how available that bill is, but I do know one of the topics in the bill is allowing competitors to share information in this area, with no concerns about price fixing or any of the things we would normally be concerned about there, but for them to be able to share with others in the industry the kinds of attacks they are having, fighting off successfully or not. Do you want to make a brief comment on that as a concept? Mr. Menapace. Certainly, Senator. The idea of sharing would be helpful in several areas. Insurers generally are not in the game of guessing. They rely on actuarial analyses. Without the data to back that up, that is impossible to do. Some insurers have robust and mature books of business but newer entrants do not. The sharing of the data would allow new entrants into the market, and for those existing insurers would provide more certainty and more available data to incorporate into their own underwriting to make sure that the premiums charged are appropriate. The other area where the sharing can be helpful is for non- insurance businesses. They, too, if they had access to the data would be able to test what is going on, what are the trends, spot the trends, and then compare that to what are we doing right now. If we see this trend, are our protections robust enough that we would be able to respond, mitigate, or even avoid that kind of loss. Senator Blunt. Mr. Beeson, one of the things we have consistently talked about here is some liability protection if you followed the standards that a new Federal law would set forth for cyber protection, and that would be one of the elements I am sure we want to look at, but another thing I am wondering about, is there any evidence yet of insuring against the actual loss? Is there anything publicly available frankly that any of you know about these data breaches that we have already had that would give us a sense of how much might be lost in terms of the destruction to your internal system, the equipment, the information, the cost it takes to replace that, and is this something you are seeing people interested in trying to insure against as well? Mr. Beeson. Yes. The insurance market outside of insuring the costs of a data breach or a violation of an individual's privacy has also provided coverage for what is called ``non- physical damage business interruption.'' Attacks that bring down corporate networks or impact corporate networks, impact revenue, and other related costs such as the cost to restore data. Those types of attacks we know now exist. The actual costs, as you asked, is not public knowledge, I think, other than between a client and its insurance broker. When you see some of these losses disclosed in 10-Ks, what have you, as public filings, typically they seem to appear as a total amount. It does not seem to break down those costs, unfortunately. In my experience, I will say at least to date, the biggest component of a cost from a breach that involves personally identifiable data, protected health information, is dealing with that itself, rather than the cost on your infrastructure. I think that is starting to change, and we have seen a precedent from that last year where the attacks were becoming more destructive or could certainly become more destructive, rather than just about what they call ``exfiltrating,'' stealing data to monetize it. This goes back to how the attacks are changing and what will be the consequential losses from that. Senator Blunt. Exactly. I think that is something that we are seeing as a growing problem. Mr. Chairman, I am already out of time. Senator Moran. Thank you. Senator Klobuchar, welcome. STATEMENT OF HON. AMY KLOBUCHAR, U.S. SENATOR FROM MINNESOTA Senator Klobuchar. Thank you very much, Mr. Chairman, for holding this important hearing. I think we all know this is an issue whose time has come, and we also need to spur the private sector to increase the securities and protections. I want to start out with actually a small business question. We have a lot of big businesses in my state, some of which has been kind of notable for having some cybersecurity attacks, as you may know. While those kinds of attacks get attention in the headlines and affect millions of customers, many small businesses and community banks are also the victims of these kinds of cyber attacks. Ms. Sage, how would the insurance agency help these businesses manage the risk of cyber attacks and provide insurance at a reasonable rate? What do you see as the unique challenges facing small and medium-sized businesses, and what can we do to help them? Ms. Sage. Thank you, Senator. I agree with a number of the comments that have been made about company culture, and the need to really understand what the perspective is of the management of these small businesses toward cybersecurity risks. In my submitted testimony and also in my oral testimony this morning, there were a number of themes that I have been hearing in my travels and talks with small businesses. For example, there is a segment of the small business community that just does not believe this applies to them and have the sense that they do not have information that anybody would want. I think it really does speak to culture. I think this is where insurance can have a role in making it a priority for small businesses to think about. Senator Klobuchar. OK. Ms. Mulligan, even larger companies with policies from several different insurance providers cannot find policies to cover their cybersecurity needs. I know some of our companies may often have to purchase multiple policies with different retention levels and still have to partially self-insure. How does the lack of the availability of a comprehensive cyber insurance policy affect a company's ability to manage risk? Ms. Mulligan. Every company will manage their risk differently, so the idea of risk transfer is really only one element of a risk manager's tool, available in their toolbox. There will be decisions to self-insure, but this is where we get back to the information sharing. The availability of information that would help a company like Zurich determine appropriate pricing for capacity would then allow for an expansion of capacity, and as Mr. Menapace pointed out, for new entrants to come into the marketplace to build out more robust programs. We are not there yet. Senator Klobuchar. Also, 90 percent, Mr. Beeson, of the critical infrastructure in our country is privately held, and these companies are on the front line, and every exercise we have ever had where we talked with our national security people, it is always about some kind of a private infrastructure company. I believe it is in their own best interest to establish robust policies. In general, do you believe critical infrastructure sectors in the economy and companies are taking appropriate steps? What more do you think they should be doing? Mr. Beeson. I think there are a lot of challenges there. I have spent quite a bit of time looking at certain industries, such as energy, for example, over the last couple of years. The more you dive into that, the more you see the challenge. I think number one is risk awareness, education on these risks throughout the organization. Does the board realize the differences between, for example, corporate information technology and what is called ``industrial control systems,'' operational technology. They are very different. One is built to be available and one is built to be secure, but they are interlinked, and the challenges that go around that. I would say there is a lot of work to be done in this area, and it goes back to what I said earlier about cyber risk, cyber insurance needs and can be an incentive to help that process, but to do that, if we are going to look at other enterprise assets that the insurance industry can address, and if you look at critical infrastructure, you are now talking about physical damage, business interruption loss. I agree with my fellow witnesses here we need more data and more information to help drive that process. Senator Klobuchar. For the first time, some of our smaller rural electric companies raised cybersecurity with me, which I think is a sign that people are starting to see it and understand they need to start preparing for it. Thank you very much. Senator Moran. Thank you, Senator. Ms. Sage, do you know, and in a broader question to the panel, do the insured know what is covered? Can you tell from your policy that if something happens, it is either included or excluded in coverage? Ms. Sage. Chairman, the answer is no. It is very difficult, and not just the cost of the policy, but legal assistance to help us understand the policy, so now you have costs on top of the policy itself to understand what your policy covers and does not cover. Senator Moran. What do you think your policy covers? What events, what might happen to your company that you feel pretty certain are covered and ones you have doubt about? Ms. Sage. I think some of the costs associated with let's say there was an attack and there was equipment potentially that was compromised, those costs might be covered. I believe costs associated with notification and things like that might also be covered. What is more unclear is what is not covered. We keep hearing, well, it is claim-specific. Well, you do not know what your claim is going to be until you have that, and hopefully you never have that. That is a little bit of a challenge in understanding. Senator Moran. I do not know your business, but would you be subjected to litigation by those damaged by the cybersecurity, your customers or clients? Ms. Sage. Possibly. We provide services to the Government as well as the private sector. I think there is exposure, we hold information that is perhaps sensitive, business sensitive, et cetera. In terms of what we are seeing in our Government contracts, it is really a mix. Some agencies are more focused on cybersecurity and including language in contracts that address that. Others do not have anything that speaks specifically to cybersecurity and just speak to security in general, and in protecting the Government's information. I think really right now it is a mix. Senator Moran. You have heard Ms. Sage's testimony plus her response to me. My question to the rest of the panel, are the policies any more standardized now than when Ms. Sage described what she went through with different companies? Mr. Menapace? Mr. Menapace. No, there is no standardized policy language. You may be aware, there is an organization called ISO, the Insurance Services Office, that does provide standardized wording for a whole line or many lines of insurance. ISO recently did issue cyber policy wording. However, I know of no insurer who has adopted the ISO form, and I know of no insurer who plans to adopt the ISO form. What we have out in the marketplace are 40 or 50 different policy wordings for these coverages. I have to say this is an area where brokers are important, and this is where they earn their money, to help the insureds assess their own risks and then match those up to the different protections that are being offered. Senator Moran. Do agents know--does the agent in my home town know when the businessman or woman came to him or her-- would they be knowledgeable about this topic? Mr. Menapace. Certainly, the big insurers do. Excuse me, the big brokers do, certainly. The smaller brokers, if they have taken the time to educate themselves, are valuable, and certainly there is a group of smaller brokers who I refer clients to for this very reason, because they have taken the time to understand the coverages, and they take the time to go into the businesses and assess what their risks really are, rather than pulling something off the shelf and saying here is cyber insurance. Senator Moran. You said 40 or 50 companies, the market is not yet sophisticated enough to say these are the companies that have the best policies. Have we narrowed this down to those who know what they are doing and those that do not? Mr. Menapace. I am even underestimating the 40 to 50 companies, because each of those companies offer different policy coverages depending on the size of the business, what sector of the business they are in, and what their needs are. The matching up of the risks and the needs will continue to be a problem, and it is certainly something that large businesses look at extensively, but with smaller businesses, it takes resources to do this kind of analysis, and it takes resources on the insurance companies as well to do individual underwriting. That is really hard to look at individual small businesses one at a time. Ms. Mulligan. Mr. Chairman, the data that I have says that five or six carriers write the coverage on a primary basis, and those five or six carriers write approximately 70 percent of the gross written premium, so while there is 40 or 50 markets who may offer the coverage, it is really sort of centralized with those markets. The other thing I would say on your coverage question is this is where the history of the product becomes useful and understanding what may be covered in the event of a claim. It was designed originally to respond to third party liability costs arising from a network breach or a privacy event, and now there has been the inclusion of first party costs to a privacy breach remediation and response, which can include some business interruption costs in the event of a network security breach. That is really where it stands right now. Senator Moran. Is the market mature enough that there has been litigation related to the coverage issue? Ms. Mulligan. Yes. Well, I am not sure to the coverage issues, but the litigation around liability has been evolving. If we had been having this conversation three years ago, I would have told you the cases were not getting through to discovery. That is not the case now. The plaintiff's bar is asserting new theories of liability; they will continue to do that. Senator Moran. That would be in instances maybe where it was not even necessarily the intention of the insured to have that coverage, but you look at the policy and maybe this is covered and then you litigate it? Ms. Mulligan. Well, no. I am thinking specifically around security and privacy liability policies, meaning the liability is arising from alleged mishandling of data or breached personal data. Those are still evolving in courts. We do have some publicly available information about the significant breaches that have happened in the last 12 to 18 months. One major retailer reported recently that their first party costs are over $250 million and rising right now, but their liability costs to their customers and potentially to financial institutions are still playing out in the courts. We do not know where that will land at the moment. Senator Moran. Do the policies provide limitations on coverage, an amount not to exceed something? Mr. Beeson. Could I just make an additional comment? I do not want the Committee to get the perception that all these insurance policies are different, some are covering one thing, and some are covering another. That is not actually the case. Yes, I absolutely agree the actual policy language is different from one insurance company to another, but if you really boil it down, the specialist policies are trying to cover fundamentally three things. Number one, costs of dealing with the breach response, notification, forensics, credit monitoring, that type of thing. The other two buckets really fall into liability coverage, to your point, Chairman, the second one being privacy regulatory action, you are sued by a regulator, and it is the cost of defending yourself against that and any civil fine you could be hit with. Finally, the third one being civil action, for example, a suit in class. It could be from the banks, the individuals who own the data. Really most of the policies in the marketplace are trying to address those three things. Yes, they are doing it sometimes in different ways. Yes, there are exclusions here where there might not be in another, and a broker has to navigate that on behalf of their client, and that is where one broker is better than another. I think it is important just to say although it is not commoditized and it is not commoditized because frankly it is still a new area of risk, there is some sort of streamlining in that regard. Senator Moran. Thank you. Senator Blumenthal? Senator Blumenthal. Thank you. Those three areas, the first two areas seem very much alike in terms of both being responses, that is to say notification, aid for consumers who may be harmed, and then the regulatory response. The third is somewhat different. Is that correct? Mr. Beeson. The biggest difference between one and two and three is that one is a first party loss, so it is under your legal obligation typically at state level to notify individuals. The first party, costs you have associated with that, follow on from that. The other two are liability. A third party, whether that is a regulator or somebody else, has to come along and take action against you. That is the fundamental difference between one and two and three, if that makes sense. Senator Blumenthal. How would you define the third? Mr. Beeson. It is a civil action, so it could be a bank suing a merchant for the cost of canceling and reissuing credit cards. It could be the victims who own the credit cards who sue in a class action to recoup their costs. There is another area that is emerging, but it is starting to emerge, which is of course the board now gets sued potentially as well under a derivative action from the shareholders. That is something that is starting to emerge as well. Senator Blumenthal. Mr. Menapace, I do not know whether you had the same kind of analysis in your statement, and I do not have it in front of me, that more than half the costs of a breach involve the responses like technical forensics investigations, attorney oversight, breach notification, credit monitoring, call centers, public relations services, and the other half being legal defense, settlement, regulatory response. In effect, you are saying half the costs are in that first category of responses? Mr. Menapace. The industry surveys that I have seen have it ranging anywhere from 45 to 50 percent, and some slightly more than 50 percent, but that is what we have seen to be the cost drivers. I am not sure that amount or those statistics cover what Mr. Beeson was talking about, however, which is the cost of damaged infrastructure, which there is not public information about that, but certainly with the reportable and the discoverable data that we have been able to find, that is accurate, Senator. Senator Blumenthal. I understand that in talking about captive insurance, it is basically self-insurance or very much like self-insurance, because a company establishes in effect a wholly-owned subsidiary or an entity to protect itself from risks, and it is insured through that captive entity. My concern is that these types of arrangements could result in private companies in effect reaping the financial benefits of collecting personal data, but the costs could still be spread or socialized among consumers and taxpayers if they underestimate the risks. In other words, the benefits go to the company but the costs hit the consumers. If companies use this self-insurance approach, cyber insurance, but do not have the funds to adequately cover the costs of cyber incidents, the companies would not have funds available to compensate consumers whose information has been stolen. In other words, in that sort of category of costs where consumers, third parties, are impacted. Are you aware of captive insurance being used in the cyber insurance market? Mr. Menapace. That is an interesting issue with the captive insurance companies, as you have stated it. Certainly, for companies that have difficulty placing their risks or need additional capacity or perhaps have a large self-insured risk before insurance attaches, and those companies have or will set up captive insurers. I would be interested to see how that plays out, and I think that is an area where state regulators who do regulate these captives as they do what we think of as regular insurance companies--we will have to take a look at that to see if companies are shifting this risk to their captive insurers. As insurers have difficulty, both pricing and setting reserves for losses, captives who would necessarily have even less data to go on, this would have to be taken very seriously by the regulators if we do see a trend in people or businesses transferring the risk via the captive insurer. Senator Blumenthal. Is there active discussion of the use of captive insurance for cyber? Mr. Menapace. I know that the NAIC is looking at the cyber insurance marketplace in general. I do not know if there is specific discussion within that group with the captive insurers. It would be interesting to know if some of the large--I do not know but I would be interested to know if the regulators, the individual state regulators, who have large captive populations domiciled in their states are looking at that. We also know many captives are regulated offshore in other countries. I do not have statistics on that, but it does raise a good point, an important point, which is are these captives set up and appropriate for that kind of risk. Senator Blumenthal. Right, exactly. Thank you, Mr. Chairman. Senator Moran. Thank you, Senator Blumenthal. On a national database, on that concept, there are some who have general concerns about the Federal Government running that database, and then if you reach the conclusion they should, then the question becomes who is that, is that the Department of Homeland Security or Treasury. Is there a public/private partnership. Is there an outsider that could effectively run a database that we could then rely on? I think the National Association of Insurers is working on this topic. Is there a conclusion or direction they are going? Ms. Mulligan. I can comment that the Department of Homeland Security has had three different working groups over the last 2 years, and now has commenced another group. We have had one meeting so far. We are just starting off. Because your questions are exactly right, these are the details that need to be ironed out really. In theory, the idea of a data repository is a good one, but the question of ownership, who has access, what kind of information would be put in there, how would it be anonymized, and then how would it be made most useful to the insurance community and the non- insurance community. These are all the questions that we have on the table right now as part of the working group. Senator Moran. On information sharing analysis centers, does the insurance industry have one? Ms. Mulligan. We do not have one centralized place for this line of business. Mr. Menapace mentioned ISO. ISO is an organization that has information about a multitude of insurance. As I mentioned in my testimony, this line of business is something that is largely purchased by specific industry segments, so we do not have data for every single company irrespective of industry, irrespective of size. We just do not have that data that way, so we are unable to really create those trends from ISO or anywhere else. Individual insurers are relying on the data that we have about our cyber customers, and we can use information and extrapolate it from general liability and other lines of business where we have experience. That is quite fragmented. Senator Moran. Should it be a public policy goal of having ISACs in a wide array of arenas, industries, businesses? Ms. Mulligan. Well, to the extent that it would help us differentiate coverage, and as Ms. Sage pointed out, price, by industry segment, that might be useful. Again, I think we have an issue of a lot of details that would need to be ironed out. Senator Moran. Ms. Sage, do you participate in an ISAC? Ms. Sage. Not officially. I think one of the challenges for a lot of small businesses is we do not fit neatly into specific industry segments. I know that was part of the discussion around the ISAOs, of which ISACs are considered a type. As a small business, we are on the ground. We are really just trying to get new customers, keep our customers, et cetera. Some of these activities that require a lot of resources, participating in working groups, attending meetings, these are things that typically we just do not have a lot of time and resources for. Senator Moran. Senator Gillibrand and I have discussed legislation that would create a tax credit for the participation in an organization like that. Does that have any appeal to you or to the industry? Ms. Sage. Absolutely. As I mentioned in my testimony, even things like the voluntary NIST Cybersecurity Framework, if insurers could even consider that, like the other ISO, the international standards organization, that sometimes is used as a way of understanding what areas of emphasis an organization has, whether it is quality, risk management, et cetera. Using something like the Cybersecurity Framework could be a factor, so we do not have to worry now about what specific questions do we have to ask this company or that company. At least it could begin to move us in that direction. Offering incentives for small businesses to use the Framework, for example, would really be helpful. Senator Moran. Thank you. I am going to see if Senator Blumenthal has any additional questions in another round, and before we conclude, I want to give you a chance to tell us things you wish you would have said or you wish we would have asked you. Senator Blumenthal. I do not have any further questions, but I may follow up in writing with some, and I want to simply thank everyone on the panel for being here and contributing so well today. Senator Moran. Anything you would like to make certain that we know? Mr. Beeson. I would just leave the thought that certainly at Lockton we view the opportunity as a market incentive as much as anything to where the insurance industry has a role right now to help drive better security. That is the key component, I think, as far as we are concerned. Thank you for the opportunity to testify today. Senator Moran. Thank you for your testimony. Anyone else? Ms. Mulligan. Thank you. I would just comment the importance of the public and private sector cooperation in this arena, this problem is just too large to be solved by just an insurance solution. Having said that, the insurance community really is in a great position to contribute to the risk management conversations and issues, and I think it is essential to get the conversation out of the IT focus only, so we can really help companies move to a place of a culture of awareness and resiliency rather than protection. Senator Moran. Thank you. Ms. Sage. I would just thank you again for this opportunity. There is a saying, if you are not at the table, you might be on the menu. As small businesses, we appreciate the attention and consideration of small businesses in any legislation that you are considering. Senator Moran. Ms. Sage, I felt very guilty when you told me that in a sense your every day effort is to survive, get new customers, and grow, which I very much support. I feel badly that we invited you to Washington, D.C. Ms. Sage. I actually live locally. Senator Moran. Very good. Mr. Menapace, anything? Mr. Menapace. Senator, I appreciate the fact that you commented before that you had taken a look at our written testimony, which is obviously more extensive than we were able to present here today. I stand on that testimony, but I am willing to provide answers to any written questions that the Committee may have afterwards. Senator Moran. Thank you very much. In that regard, the record will remain open for 2 weeks for members to submit questions, and we would ask you to respond to those as quickly as possible. With that, the Subcommittee hearing is adjourned. [Whereupon, at 11:19 a.m., the hearing was adjourned.] A P P E N D I X Response to Written Questions Submitted by Hon. Jerry Moran to Ben Beeson Question 1. What challenges do brokers like Lockton face when determining whether to participate in the cyber insurance marketplace? What types of information would be helpful to better analyze risk? Answer. The primary barrier to entry for a broker seeking to advise their client is education. Driven by the fear of lost business and the high profile of cyber risks that now exists many brokers are developing a greater knowledge base and understanding. However, it is probably fair to say that you can still count on one hand those brokers that have the resources to handle a Fortune 500 client. The biggest challenge to brokers once they begin to advise clients is risk quantification. What is the consequential loss value to the client following some form of cyber event? There is some ability to quantify losses that involve personally identifiable information or protected health information. However, no actuarial data exists at all for losses involving property damage, business interruption or bodily injury. The insurance industry also a very little information on the frequency and severity related to the types of attack vectors, and the mitigation tools used that were or were not successful. The net result means that brokers have a difficult time explaining to clients how much money they should invest in cyber security, particularly the cost of transferring residual risk through insurance. Question 2. Are there countries outside of the U.S. who have developed a functioning cyber insurance market? What lessons can we learn from those countries? Answer. No. The U.S. is really the only fully functioning cyber insurance market driven by mandatory data breach notification laws. Internationally the requirement to disclose is sporadic and businesses do not yet perceive enough of a severity risk to warrant buying insurance. However, the emergence of physical damage risks from cyber attacks suggest that international take up could now accelerate. Question 3. How has the NIST framework helped your company to participate in the cyber risks insurance marketplace? Answer. Yes very much so. The NIST framework has helped Lockton articulate a governance and enterprise wide risk management approach to boards of directors and senior executives. Cyber insurance forms part of that discussion. Question 4. One cost in addressing a data breach is legal support to comply with the patchwork of state data breach notification laws. Would a uniform national data breach notification standard improve the cyber insurance marketplace? Why or why not? Answer. Yes. It would help our clients--businesses--respond faster to those whose data has been compromised. Improved incident response should also help our clients mitigate both their regulatory and civil liability, leading to fewer losses to insurers and ultimately a more competitive premium structure for buyers. ______ Response to Written Questions Submitted by Hon. Jerry Moran to Catherine Mulligan Question 1. Are there countries outside of the U.S. who have developed a functioning cyber insurance market? What lessons can we learn from those countries? Answer. There are a number of countries in addition to the U.S. that have functioning cyber insurance markets. The UK, France, and Australia have experienced moderate Gross Written Premium growth over the past few years due to an increase in interest and buying behavior from companies operating in highly exposed industries such as finance/ banking, retail, healthcare and hospitality. Markets are also beginning to take shape, albeit more slowly, in a number of other countries such as Canada, Hong Kong, Singapore, Spain, Germany, Switzerland, Italy, and Mexico just to name a few. Buyers of cyber insurance outside the U.S. tend to place more value on first party coverage grants such as privacy breach costs and business income loss as opposed to third party liability coverage. This is generally due to lower frequency of litigation resulting from data breach incidents. However, this may change as more and more countries pass more stringent data privacy laws. Ex-US buyers also perceive significant value in pre and post breach service capabilities offered by each carrier, or service providers with whom carriers partner, relative to risk assessments, forensic investigations, fraud remediation, legal advice, and public relations. Question 2. How has the NIST framework helped your company better understand the preparedness of the companies you seek to insure? Answer. The NIST framework is a useful tool for risk managers to use in identifying their exposures and any gaps in best practices. This mapping process may help them take corrective action if necessary and make decisions around risk transfer. It creates a common vernacular for IT professionals, risk managers, and underwriters to use in the discussion of cyber security and privacy event exposures and controls. To the extent this tool brings forth information about a company's awareness of their risk landscape, it creates a good dialogue with underwriters. But good cyber security and privacy practices are not just an IT issue; an underwriter must review people, process, and technology. We look for an overall culture of awareness, which cannot be summarized in any one document or tool. Moreover, the exposure landscape is moving too fast for the underwriting community rely on one single tool or method. Still, the NIST framework has established an effective methodology for building our collective understanding of the exposures and controls in this space. Question 3. One cost in addressing a data breach is legal support to comply with the patchwork of state data breach notification laws. Would a uniform national data breach notification standard improve the cyber insurance marketplace? Why or why not? Answer. A company cannot rely on one single approach to responding to data breaches due to the variety of reporting requirements under the various state statutes. There is no single definition of Personally Identifiable Information, nor is there a standard requirement around the way notification must be sent, to whom it must be sent (including the States' Attorneys General), and in what time frame. Companies express confusion around which laws apply to them in different circumstances. There is also confusion about when and how to report an event to their insurers under the policy requirements. A uniform standard could streamline process for the enterprise, consumers, and the insurance community. This would help get information to consumers in a timely fashion as well as mitigating tools such as credit and identity monitoring. There could be cost benefits to the company and their underwriters, which could contribute to the development of improved pricing methodology for this line of insurance. ______ Response to Written Questions Submitted by Hon. Jerry Moran to Ola Sage Question 1. What are the biggest challenges for a small or medium- sized business like yours in determining whether or not you need cyber risk insurance? Answer. There are three primary questions that a small business like e-Management should answer in considering cybersecurity insurance. (1) Do We Really Need It? According to a threat awareness poll of small businesses conducted by Symantec, 50 percent of small to medium-sized businesses don't feel they are at risk because they are a small business and are therefore not a target for cyberattacks. The reality is very different. Over the past few years, small businesses represent the fast growing segment for cyber-attacks according to data from Verizon's annual data breach report. There are many reasons that small businesses are richer targets for cyber criminals. A very common experience is that many small businesses do not have the resources to invest in the same level of protection that some larger organizations do, thereby making them easier targets to compromise. At the core is the question, ``what do small businesses have that cyber criminals want?'' The answer is data. This data can be about the small business itself (e.g., employee information, personal information about the principals of the business, confidential or proprietary business information, etc.) or it can be data about people or companies that the small business is connected to (e.g., professional colleagues, high profile customers or celebrity clients, vendors or suppliers, professional organizations, etc.). Armed with this knowledge, every small business must then ask the question, what would our legal and financial exposure be if the data we hold or have access to is compromised? Industry reports indicate that the average cost to a small business to recover from a significant cybersecurity attack is estimated at $300,000. For many small businesses the cost exceeds their ability to cover such exposure and significantly increases the likelihood that a small business shuts its doors. Cybersecurity insurance can be an effective tool in helping to mitigate financial risks associated with a cyber-breach. Small businesses are wise to at least learn what cybersecurity insurance products are available and consider whether or not it make sense for their business. While this type of insurance is relatively new, several leading insurance providers now offer separate cybersecurity insurance policies that small businesses can take advantage of. (2) Does It Cover What We Need? During our process of comparing policies, we found it virtually impossible to compare policies against one another as the language used in one policy differed from the next. An experienced and knowledgeable broker is a must have to help interpret what the different insurance products cover. Having a multi-faceted cybersecurity policy is ideal. This type of policy covers costs associated with notification, incident response, legal, regulatory fines, etc. Keep in mind that costs associated with equipment replacement or refurbishment may already be covered by other general liability or business insurance. Importantly, small businesses must understand that cybersecurity insurance is not a silver bullet and cannot cover things like company downtime, reputational damage, loss of business, or intellectual property theft. (3) Can We Afford It? The cybersecurity insurance market is in its infancy with only about 50 insurance carriers issuing policies.\1\ As a result, the cost to purchase a policy can range from a couple thousand dollars to tens of thousands for a small business. This is out of range for a large number of small businesses. However, we believe cybersecurity is about risk management. It boils down to how much risk a small business willing or able to take. The question small businesses should ask is ``can we afford NOT to invest in cybersecurity insurance?'' As small businesses answer this question, they should consider, at a minimum, what industry or sector their business is in (e.g., critical infrastructure like energy, financial services, healthcare), what valuable data could be compromised, are there other alternatives to cybersecurity insurance to reduce or transfer some of the financial risk? --------------------------------------------------------------------------- \1\ Cyberattack Insurance a Challenge for Business, The New York Times, June 8, 2014 In addition, small businesses should make sure they communicate to their insurance underwriters, directly or through their brokers, what they are doing to implement reasonable cybersecurity measures or what steps they have taken to strengthen their cybersecurity posture. These are factors that insurance underwriters can take into consideration when evaluating an application, and may result in more affordable --------------------------------------------------------------------------- pricing. Summary At e-Management, we considered these three questions and came to the conclusion that for our business, cybersecurity insurance was a necessary business investment. We recognize that for a variety of reasons, cybersecurity insurance may not be the right solution for all small businesses. However we encourage small businesses from start-up phase to those who are planning an exit, to at least start the conversation about whether or not cybersecurity insurance is right for their business based on their answers to these three straightforward questions. Question 2. Has the process of seeking cyber risk insurance helped your company improve its cyber posture? If so, how? Answer. At e-Management, we are using the NIST Cybersecurity Framework to improve our cyber posture. We view improving our posture as good cyber hygiene, a competitive differentiator, and an indication to our clients and partners that we take protecting their information seriously. Cybersecurity insurance is one of several tools in our risk mitigation portfolio to help reduce or transfer some of the financial risk associated with a potential breach. We believe cybersecurity risk insurance can play an important role in driving companies to improve their cyber posture by stipulating specific requirements. Examples could include policies and procedures that address cybersecurity, baseline technical requirements for company network infrastructures, and demonstration of a company's ongoing cybersecurity risk management approach. Question 3. One cost in addressing a data breach is legal support to comply with the patchwork of state data breach notification laws. Would a uniform national data breach notification standard improve the cyber insurance marketplace? Why or why not? Answer. It is unclear how much a national data breach notification standard would ``improve'' the cyber insurance marketplace. Conceivably, having some degree of consistency among the approximately 48 current state notification breach laws could help companies doing business in multiple states lower legal costs associated with interpreting and complying with the various notification requirements. Over time, this could provide insurance carriers with better data about the costs associated with breach notifications which are covered by most cybersecurity insurance policies today. Ultimately better data should lead to better decision-making, resulting in better pricing of cyber insurance products over the long term. [all]