[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
THE ROLE OF CYBER INSURANCE IN RISK MANAGEMENT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND SECURITY
TECHNOLOGIES
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
MARCH 22, 2016
__________
Serial No. 114-61
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
22-625 PDF WASHINGTON : 2016
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
John Ratcliffe, Texas, Chairman
Peter T. King, New York Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania Loretta Sanchez, California
Scott Perry, Pennsylvania Sheila Jackson Lee, Texas
Curt Clawson, Florida James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Brett DeWitt, Subcommittee Staff Director
John Dickhaus, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 4
Prepared Statement............................................. 8
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 9
Witnesses
Mr. Matthew McCabe, Senior Vice President, Network Security and
Data Privacy, Marsh FINRPO:
Oral Statement................................................. 10
Prepared Statement............................................. 11
Mr. Adam W. Hamm, Commissioner, National Association of Insurance
Commissioners:
Oral Statement................................................. 14
Prepared Statement............................................. 16
Mr. Daniel Nutkis, Chief Executive Officer, Health Information
Trust Alliance:
Oral Statement................................................. 22
Prepared Statement............................................. 24
Mr. Thomas Michael Finan, Chief Strategy Officer, Ark Network
Security Solutions:
Oral Statement................................................. 28
Prepared Statement............................................. 30
For the Record
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies:
Statement of Brian E. Finch, Esq., Partner, Pillsbury Winthrop
Shaw Pittman LLP............................................. 5
THE ROLE OF CYBER INSURANCE IN RISK MANAGEMENT
----------
Tuesday, March 22, 2016
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 10:14 a.m., in
Room 311, Cannon House Office Building, Hon. John Ratcliffe
[Chairman of the subcommittee] presiding.
Present: Representatives Ratcliffe, Perry, Clawson,
Donovan, Richmond, and Langevin.
Mr. Ratcliffe. Good morning, everyone. Before we begin
today, I want to take a moment and recognize a moment of
silence to remember the victims of the terror attacks this
morning in Brussels.
Thank you.
You know, attacks like these really cement the need for
this committee to move forward with urgency on all fronts to
try and prevent and protect Americans from attacks like these
here in the United States.
With that, the Committee on Homeland Security, the
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order. The subcommittee
today is meeting to examine the potential opportunities to
promote the adoption of cyber best practices and more effective
management of cyber risks through cyber insurance. I now
recognize myself for an opening statement.
The House Homeland Security Committee, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technology meets today to hear from key stakeholders about the
role of cyber insurance in managing risk. Just yesterday, the
Bipartisan Policy Center came out with a publication on the
room for growth in this market and the barriers that it faces.
Specifically, today we hope to hear about the potential for
cyber insurance to be used to drive companies of all sizes to
improve their resiliency against cyber attacks and develop a
more effective risk management strategy, thereby leading to a
safer internet for all Americans.
The cyber insurance market is in its infancy, but it is
easy to envision its vast potential. Just as the process of
obtaining home insurance can incentivize homeowners to invest
in strong locks, smoke detectors, and security alarms, the same
could be true for companies seeking to obtain cyber insurance.
It is for that reason that I look forward to hearing from our
witnesses today on the current state of the cyber insurance
market and what can be done to develop and to improve and to
expand the availability of cyber insurance in the future.
As news of the recent hacks and breaches and data
exfiltrations demonstrates, cyber vulnerabilities impact every
American and cause significant concern. The interconnectedness
of society exposes everyone to these risks now. The
interconnectedness of society--the breaches at Home Depot,
Target, and JPMorgan Chase are just a few examples of the cyber
incidents that have significantly impacted Americans every day.
According to the World Economic Forum's 2015 Global Risk
Report, technological risks in the form of data fraud, cyber
attacks, or infrastructure breakdowns, rank in the top 10 of
all risks facing the global economy. In light of these risks
and their enormous significance to individuals, families, and
companies, we really need to be exploring market-driven methods
for improving the security of companies that store all of our
personal information. I believe cyber insurance to be one such
solution.
The very process of considering, applying for, and
maintaining cyber insurance requires entities to assess the
security of their systems and to examine their own weaknesses
and vulnerabilities. The process is constructive, not only for
obtaining a fairly-priced policy, but also as a means of
improving the company's security in the process. Obtaining and
maintaining cyber insurance may be a market-driven means of
effecting a rising tide to lift all boats, thereby advancing
the security of our entire Nation.
Today, those acquiring cyber insurance largely consist of
leading companies that have the most to lose. These market
leaders have looked down the road and recognize that the best
way to mitigate their own vulnerabilities is to ensure against
as many cyber risks as possible. However, we need to explore
ways for this marketplace to expand to create a wide array of
diverse, affordable products that will benefit small and
medium-sized entities as well.
The Department of Homeland Security's Cyber Incident Data
and Analysis Working Group, or CIDAWG, has facilitated
discussions with relevant stakeholders, including many of the
witnesses today, to find ways to further expand the cyber
insurance market's ability to address emerging risk areas. The
DHS working group has examined the potential value of creating
a cyber incident data repository to foster the voluntary
sharing of data about breaches, business interruption events,
and industrial control system attacks to aid mitigation and
risk-transfer approaches. Additionally, they are looking to
develop new cyber risk scenarios, models, and simulations to
promote the understanding about how a cyber attack might
cascade across infrastructure sections.
Last, they are examining ways to assist organizations of
all sizes in better prioritizing and managing their top cyber
risks.
Over the next several decades, I hope to see a matured
insurance ecosystem that incentivizes companies of all sizes to
adopt stronger cybersecurity best practices and more effective
management of cyber risks against bad actors in cyber space. We
look forward to your perspectives on these efforts and what the
private sector is doing to make it easier for Americans to more
effectively manage cyber risks.
As Chairman of this subcommittee, I am committed to
ensuring that legislators help facilitate, but not mandate,
solutions to better protect our private-sector networks against
cyber adversaries. As I see it, the private sector has always
led the way with respect to innovation and investment in this
space, and we have an obligation to continue leaning heavily on
this wealth of front-line expertise.
I have no doubt that this is only the beginning of our
conversation on cyber insurance. This market is growing and it
is new. I'm hopeful that we will continue to find ways to
facilitate the healthy, market-driven maturation of the cyber
insurance market as an effective means of improving our
Nation's cybersecurity posture.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
March 22, 2016
The House Homeland Security Committee, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies
meets today to hear from key stakeholders about the role of cyber
insurance in managing risk. Just yesterday the Bipartisan Policy Center
came out with a publication on the room for growth in this market and
the barriers that it faces. Specifically, we hope to hear about the
potential for cyber insurance to be used to drive companies of all
sizes to improve their resiliency against cyber attacks and develop a
more effective risk management strategy, leading to a safer internet
for all Americans.
The cyber insurance market is in its infancy. But it's easy to
envision its vast potential. Just as the process of obtaining home
insurance can incentivize homeowners to invest in strong locks, smoke
detectors, and security alarms, the same could be true for companies
seeking to obtain cyber insurance. It is for that reason that I look
forward to hearing from the witnesses today on the current state of the
cyber insurance market, and what can be done to develop, improve, and
expand the availability of cyber insurance in the future.
As news of the recent hacks, breaches, and data exfiltrations
demonstrates, cyber vulnerabilities impact every American and cause
significant concern. The interconnectedness of society exposes everyone
to these risks. The breaches at Home Depot, Target, and JPMorgan Chase
are just a few examples of cyber incidents that significantly impacted
everyday Americans. Further, according to the World Economic Forum's
2015 Global Risk Report, technological risks in the form of data fraud,
cyber attacks, or infrastructure breakdown rank in the top 10 of all
risks facing the global economy.
In light of these risks and their enormous significance to
individuals, families, and companies, we must explore market-driven
methods for improving the security of the companies that store our
personal information.
I believe cyber insurance may be one such solution. The very
process of considering, applying for, and maintaining cyber insurance
requires entities to assess the security of their systems and examine
their own weaknesses and vulnerabilities. This process is constructive,
not only for obtaining a fairly-priced policy, but also as a means of
improving the company's security in the process. Obtaining and
maintaining cyber insurance may be a market-driven means of enabling
``all boats to rise,'' thereby advancing the security of the Nation.
Today, those acquiring cyber insurance largely consist of leading
companies that have the most to lose. These market leaders have looked
down the road and recognized the best way to mitigate their own
vulnerabilities is to insure against as many cyber risks as possible.
However, we need to explore ways for this marketplace to expand to
create a wide array of diverse, affordable products that will also
benefit small and medium-sized entities.
The Department of Homeland Security's Cyber Incident Data and
Analysis Working Group has facilitated discussions with relevant
stakeholders, including many of the witnesses today, to find ways to
further expand the cyber insurance market's ability to address emerging
risk areas. The DHS working group has examined the potential value of
creating a cyber incident data repository to foster the voluntary
sharing of data about breaches, business interruption events, and
industrial control system attacks to aid risk mitigation and risk
transfer approaches. Additionally, they are looking to develop new
cyber risk scenarios, models, and simulations to promote the
understanding about how a cyber attack might cascade across
infrastructure sections. Lastly, they are examining ways to assist
organizations of all sizes in better prioritizing and managing their
top cyber risks.
Over the next several decades, I hope to see a matured cyber
insurance ecosystem that incentivizes companies of all sizes to adopt
stronger cybersecurity best practices and more effective management of
cyber risks against bad actors in cyber space.
We look forward to hearing your perspectives on these efforts and
what the private sector is doing to make it easier for Americans to
more effectively manage cyber risks. As Chairman of this subcommittee,
I'm committed to ensuring that legislators help facilitate--but not
mandate--solutions to better protect our private-sector networks
against cyber adversaries. As I see it, the private sector has always
led the way with respect to innovation and investment in this space,
and we have an obligation to continue leaning heavily on this wealth of
front-line expertise.
I have no doubt that this is only the beginning of the conversation
on cyber insurance. This market is growing and it is new. I am hopeful
that we will continue to find ways to facilitate the healthy, market-
driven maturation of the cyber insurance market as an effective means
of improving our Nation's cybersecurity posture.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of our subcommittee, the gentleman from
Louisiana, my friend, Mr. Richmond, for any opening statement
that he may have.
Mr. Richmond. Thank you, Mr. Chairman, for holding this
hearing today on cyber insurance. I want to thank the witnesses
for taking their time and their testimony today.
Unfortunately, business and Government in America and
across the world have seen increased levels and frequencies of
cyber attacks, and the rapidly accelerating sophistication of
state-sponsored and privately-organized cyber criminals.
Over the past few years, this subcommittee has conducted
Government oversight and produced legislative initiatives and
worked diligently to provide the Department of Homeland
Security and other Federal agencies with the tools it needs to
protect our systems and our databases, and encourage the
participation of private industry, both in the critical
infrastructure sector and for information sharing.
Today, we are going to hear from private industry and a
representative of their State insurance regulatory
commissioners about cyber insurance. While the full committee,
and particularly this subcommittee, has no oversight or
legislative jurisdiction over the cyber insurance activities of
those actors and sectors, we do have an interest in how they
are doing. The statistics are familiar to us all.
The percentage of U.S. critical infrastructure assets owned
by private-sector firms is estimated to be somewhere in the
neighborhood of 85 percent. The way these assets are operated
and managed has vastly changed over the last few decades, due
to the impact of the digital revolution related to computer-
based information systems. These changes have increased the
efficiency associated with using our infrastructure assets. The
digital revolution, however, has also created serious risks to
the Nation's critical infrastructure due to actual and
potential cybersecurity breaches.
As noted by President Obama in his Executive Order on
cybersecurity on February 12, 2013, he stated: Repeated cyber
intrusions into critical infrastructure demonstrate the need
for improved cybersecurity. The cyber threat to critical
infrastructure continues to grow and represents one of the most
serious National security challenges we must confront.
Last year set a high bar for the size and scope of data
breaches, led by the theft of over 20 million Government
background checks, and with that high bar, an increasing
interest in how State and local governments and businesses,
large and small, can manage their risk and vulnerabilities when
they operate in cyber space. For example, recently, on a panel
on Lessons Learned From the Real-World Chief Information
Security Officers, the University of Virginia's Randy Marchany
explained that the increased and sophistication of the level of
today's cyber threats forces him to assume that hackers already
have access to his network, and the best he can do is to
monitor for when the latent threat becomes active.
With that said, let's cut to the chase. What would a cyber
insurance policy look like if an experienced chief information
security officer of a company or municipal government came to
your insurance agency with the proposition that it is likely
that his systems had already been hacked and the malware was
likely dormant, but he wanted to purchase insurance from you as
to mitigation and repercussions? Or to complicate things even
more, and to introduce the well-known moral hazard
consideration that accompanies many insurance policies, what if
a hypothetical chief information security officer knew he had
been hacked, but wasn't telling you or anyone else, and he knew
or suspected that the hacker intrusion was lying dormant and
would activate at some later date?
I am not the first to pose these kinds of questions, and
these are questions I am sure all of us have had, if you
contemplate the issue of cyber insurance at all. But the worst-
case scenarios, going forward, cyber insurance can play a key
role in helping businesses, especially small and mid-size
businesses, to assess their cybersecurity posture and
readiness, and their ability to be resilient and recover from
anticipated cyber threats and attacks.
We are engaged in an exceptionally complex and nuanced
policy arena. I am especially interested to see how the States
will handle the regulatory responsibilities that surround cyber
insurance and how the States can serve as incubators for
innovative solutions to the National, international, and
industry-wide challenge of cybersecurity for our Nation's
businesses and Government agencies.
Mr. Chairman, before I yield back, I would ask unanimous
consent to submit for the record a white paper on cyber
insurance from the George Washington University Center for
Cyber and Homeland Security. The author is Brian E. Finch, a
senior fellow, and member of the Center's Cybersecurity Task
Force. Mr. Finch is a senior partner at Pillsbury, Winthrop,
Shaw, and Pittman, and also serves as a senior adviser to the
Homeland Security and Defense Business Council.
Mr. Ratcliffe. Without objection.
[The information follows:]
Submitted For the Record by Hon. Cedric L. Richmond
Statement of Brian E. Finch, Esq., Partner, Pillsbury Winthrop Shaw
Pittman LLP
March 22, 2016
Chairman Ratcliffe, Ranking Member Richmond, distinguished Members
of the subcommittee, thank you for allowing me to submit a statement
for the record addressing the role cyber insurance can play in risk
management.
My name is Brian Finch and I am here today testifying in my
capacity as a partner with the law firm of Pillsbury Winthrop Shaw
Pittman LLP. I am also a senior fellow with The George Washington
University Center for Cyber and Homeland Security, where I am a member
of the Center's Cybersecurity Task Force, a senior advisor to the
Homeland Security and Defense Business Council, and a member of the
National Center for Spectator Sport Safety and Security's Advisory
Board.
As I have previously noted to Members of this subcommittee,
cybersecurity, cybersecurity best practices, and risk management
processes are critical to our Nation's economic security and physical
safety. Members of this subcommittee know all too well that our cyber
enemies are numerous, growing, and increasingly sophisticated. If we
have learned anything over the past few years with respect to the
threat posed by our cyber enemies, it is that even our most advanced
cyber defenses cannot keep up with the sophistication and innovation of
cyber attack methodologies. The result is a steady if not increasing
``cyber gap'' between defense and offense.
In that vein, we must confront the fact that too much focus has
been given to ``eliminating'' the cyber threat posed to America.
Indeed, no company has an ``Enterprise Risk Eliminator,'' so as the
title of this hearing implies, our efforts should be concentrated on
managing cyber risk.
I will leave it to the Members of this subcommittee and the
witnesses at the hearing to discuss critical facts related to what
cyber insurance as it currently exists has to offer, including with
respect to the amount of insurance that is available to anyone company,
much less in total.
What I would like to bring to the attention of the subcommittee
instead is that today's cyber insurance products are focused on the
wrong end of the problem. Cyber insurers, like many others, have
correctly assessed that cyber attacks will successfully strike a
company at some point. However, these cyber insurance models suffer a
fundamental disconnect in that they operate under the assumption that
cyber attacks will be sporadic and will rarely succeed.
The reality is that cyber attacks are a constant threat, seeking to
penetrate information systems and technologies from every direction and
through every possible entry. I would argue therefore that the
insurance market has been using incorrect models and assumptions when
developing policies for use in cyber risk management.
Rather than viewing cyber attacks as infrequent events like a fire
or natural disaster, I believe cyber risk management would be best
served if insurers looked towards policies that use a personal health
model. That means cyber insurers should look to establish an
infrastructure that supports constant care and promotes wellness, not
merely reimbursement for periodic losses. In my mind, it follows then
that cyber insurers should develop cyber policies using a health
maintenance organization or ``HMO'' model.
Under that model, the insurer's goal will be to promote the
``right'' kinds of claims--ones that encourage healthy behavior. This
model addresses the reality that inevitably some sort of cyber disease
will work its way into the blood stream by supporting interventional
care that prevents minor scratches from developing into a serious
infection.
Companies would gain access to the cyber HMO by paying monthly
premiums along with associated ``co-pays'', ``deductibles'', and
similar expenses typically associated with a health insurance plan.
That cyber HMO plan would give the insured access to a vast network
of cybersecurity vendors and professionals at discounted rates that
could be called upon in the event of a problem (the ``co-pays'' and
``co-insurance'' equivalents).
The cyber HMO plans would also provide low-cost or even free access
to basic ``cyber hygiene'' care, such as routine diagnostic examination
of information technology systems, perimeter defense systems, and other
basic defense systems (the annual physical and low-cost or free vaccine
equivalents).
More ``advanced'' defense systems could be subject to a higher co-
pay and deductible, and companies could even chose to go ``out of
network'' if they choose, but only by shouldering more of the cost.
I firmly believe that this subcommittee should look for ways to
support the concept of a ``cyber HMO,'' as a model that actively
promotes and rewards healthy cyber behavior--a Gordian knot that no
carrier has been able to untie yet using traditional insurance models.
That's a critical piece of the cybersecurity puzzle, as the challenge
has been how to get companies to engage in effective cybersecurity
rather than the most easily accessible form of it.
Best of all, using the cyber HMO model addresses a presumed
obstacle to cyber insurance: A lack of actuarial data. Through its mere
existence, the cyber HMO will gather the data needed to assess and
underwrite costs. This enables cyber benefits to be more finely tuned,
benefitting its members and society writ large.
At the very least, this approach has the benefit of trying to solve
the problem at hand, not simply forcing a square peg into a round hole.
If nothing else, maybe this idea will generate more discussion around
trying to take proactive security measures.
One other model I would like to present to the Members of the
subcommittee is the notion of creating cyber ``pools'' of insurance.
Through risk pooling, companies can work together to purchase more
insurance than might otherwise be available to them while also
establishing hard liability limits and sharing cyber defense resources.
Risk pooling mechanisms come in a number of forms, including ``risk
purchasing'' and ``risk retention'' groups. Those groups allow
collections of companies (usually similarly situated in terms of
industry sector) to jointly purchase or create insurance coverage that
would otherwise be unavailable or excessively expensive.
Such pools have been around for some time, and discussions with
respect to utilizing them in the context of cyber threats are picking
up steam. Where companies can take true advantage of these mechanisms
is to layer in additional risk mitigation tools such as threat
information sharing and statutory liability protection. Combining those
aspects could lead to a very powerful collective defense tool.
Here's how it can work:
(1) A group of similarly-situated companies agree to form a risk
purchasing or retention group in order to obtain cybersecurity
insurance.
(2) The companies agree to use certain security standards or
technologies (for instance SANS 20 controls, ``detonation
chambers'', information sharing via dedicated ``private
clouds'', the recent National Institutes of Standards and
Technologies voluntary cybersecurity framework, etc.)
(3) The companies then pool their resources either to jointly
purchase an existing cyber insurance policy or to create a pool
of insurance that they would collectively maintain.
(4) As part of the agreement, any company that fails to adhere to
the security standards will be asked to leave the group at the
next renewal period.
This proposal can potentially be extremely valuable to the most
vulnerable companies, namely small and medium-sized businesses that do
not have the resources to create their own robust cyber defenses. By
pooling both their financial resources to buy additional insurance but
also their technical capabilities to create a common defense, this
concept will work to strengthen the bonds between businesses and allow
them to collectively respond to and mitigate otherwise devastating
cyber attacks.
Further, this arrangement also potentially allows more of the
insurance funds to be used for ``first party'' losses the company has
directly suffered (damaged equipment, lost data, business interruption,
etc.) rather than losses suffered by third parties.
The pool arrangement also enables companies to collaborate and
establish a baseline of security that each would commit to maintaining,
and also allows for regular reviews to determine what security controls
need to be adjusted. The companies could even work with public/private
partnership resources within the Department of Homeland Security and
other Federal agencies such as NIST to help them refine their programs
and policies in order to achieve a greater cyber ``maturity'' level
than they might have otherwise reached.
Another benefit of this pool concept is that the insured group can
take advantage of the cyber information-sharing platform recently
created by the Cyber Information Sharing Act. The pools would be prime
candidates to benefit from that platform, and would likewise make
excellent candidates to serve as information-sharing and analysis
organizations, or ``ISAOs,'' within the CISA framework.
The pooling concept gives companies an excellent opportunity to
take charge of their security profile, and do so in a way that both
mitigates the likelihood of a successful attack as well as increase
resources to respond to or mitigate losses. Further, these pools can
serve as an excellent collective effort that can more fully take
advantage ofthe public/private partnership benefits offered through the
CISA legislation and the ISAO concept.
conclusion
Thank you for the opportunity to present my statement to the
subcommittee. I am happy to answer any question you might have
regarding my thoughts.
Mr. Richmond. With that, I yield back.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
March 22, 2016
Unfortunately, businesses and government in America, and across the
world, are seeing increased levels and frequencies of cyber attacks and
the rapidly accelerating sophistication of state-sponsored and
privately-organized cyber criminals. Over the past few years, this
subcommittee has conducted Government oversight and produced
legislative initiatives and worked diligently to provide the Department
of Homeland Security and other Federal agencies, with the tools it
needs to protect our systems and databases, and encourage the
participation of private industry both in the critical infrastructure
sector and for information sharing.
Today, we are going to hear from private industry, and a
representative of their State insurance regulatory Commissioners about
cyber insurance. While, the full committee, and particularly this
subcommittee, has no oversight or legislative jurisdiction over the
cyber insurance activities of these actors and sectors, we do have an
interest in how they are doing.
The statistics are familiar to us all, the percentage of U.S.
critical infrastructure assets owned by private-sector firms is
estimated to be somewhere in the neighborhood of 85 percent. The way
these assets are operated and managed has vastly changed over the last
few decades due to the impact of the digital revolution related to
computer-based information systems. These changes have increased the
efficiency associated with using our infrastructure assets.
The digital revolution, however, has also created serious risks to
the Nation's critical infrastructure due to actual and potential
cybersecurity breaches. As noted by President Obama in his Executive
Order on Cybersecurity, February 12, 2013: Repeated cyber intrusions
into critical infrastructure demonstrate the need for improved
cybersecurity. The cyber threat to critical infrastructure continues to
grow and represents one of the most serious National security
challenges we must confront.
Last year set a high bar for the size and scope of data breaches,
led by the theft of over 20 million Government background checks, and
with that high bar, an increasing interest in how State and local
governments, and businesses large and small, can manage their risks and
vulnerabilities when they operate in cyber space.
For example, recently on a panel on ``lessons learned'' from real-
world chief information security officers, the University of Virginia's
Randy Marchany explained that the increased and sophistication of the
level of today's cyber threats forces him to assume that hackers
already have access to his network, and the best he can do is to
monitor for when the latent threat becomes active.
With that said, let's cut to the chase--what would a cyber
insurance policy look like if an experienced chief information security
officer, or CISO, of a company or municipal government came to your
insurance company with the proposition that it is likely that his
systems had already been hacked and the malware was likely dormant, but
he wanted to purchase insurance from you as to mitigation and
repercussions?
Or, to complicate things even more, and introduce the well-known
``moral hazard'' consideration that accompanies any insurance policy--
what if a hypothetical CISO knew he had been hacked, but wasn't telling
you or anyone else, and he knew or suspected the hack or intrusion was
lying dormant and would activate at some later date? I am not the first
to pose these kinds of questions, and these are questions I am sure all
of us have had, if you contemplate the issue of cyber insurance at all.
But these are worst-case scenarios. Going forward, cyber insurance
can play a key role in helping businesses, especially small and mid-
sized business, to assess their cybersecurity posture and readiness,
and their ability to be resilient and recover from anticipated cyber
threats and attacks. We are engaged in an exceptionally complex and
nuanced policy arena. I am especially interested to see how the States
will handle the regulatory responsibilities that surround cyber
insurance, and how the States can serve as incubators for innovative
solutions to the National, international, and industry-wide challenge
of cybersecurity for our Nation's businesses and Government agencies.
Mr. Ratcliffe. I thank the gentleman. Other Members of the
committee are reminded that opening statements may be submitted
for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
February 25, 2016
Cyber insurance is a way to share risks so when a cyber data breach
event occurs, the insured company receives a payment to compensate for
the losses.
The analysis of data breach claims helps cyber insurance companies
estimate the probability of a breach and the likely losses that can be
covered.
A cyber insurance company might use this experience to recommend
cybersecurity improvements to companies it insures.
Some suggest that cyber insurance companies can gather detailed,
technical information on breaches and use this knowledge to prevent
future breaches at other clients.
Others have had the idea to create insurance ``pools'' for use by
smaller and mid-sized businesses, in certain sectors, which could then
collectively purchase a cyber insurance policy. There are lots of
innovative ideas on the table.
Over the past 7 years, President Obama has been very involved on
the issue of protecting critical infrastructure. In 2013, the President
issued Executive Order 13636, ``Improving Critical Infrastructure
Cybersecurity''.
The Executive Order called for, what we now know as, the NIST
Cybersecurity Framework, developed by the Department of Commerce's
National Institute of Standards and Technology.
It is a set of voluntary industry standards and best practices to
help companies and entities manage cybersecurity risks, and it has
become a central tenant of the idea that cybersecurity insurance might
be possible in the real world.
We have been told the cybersecurity insurance market is growing at
30% a year by some estimates, and brokers and underwriters alike agree
that mid-size and small businesses are the next sector of business to
see a wide-spread adoption of cyber insurance.
I know I hear from many of the main-street businesses in my
District when I hold meetings on cyber--that many are struggling with
their cybersecurity efforts. They lack the resources, the time, and the
expertise to address this issue.
And I imagine they will have a more difficult time qualifying for
cyber insurance. I look forward to the testimony today on this complex
and necessary component of cyber and information security.
Mr. Ratcliffe. We are pleased to have with us today an
incredibly distinguished panel of witnesses on this very
important topic. Mr. Matthew McCabe is the senior vice
president for network security and data privacy at Marsh
FINRPO. Welcome, and as a former counsel to the Committee on
Homeland Security, maybe I should say welcome back.
Commissioner Adam Hamm is the North Dakota insurance
commissioner and is testifying on behalf of the National
Association of Insurance Commissioners. Commissioner Hamm,
thank you for being with us here today.
Mr. Daniel Nutkis is the chief executive officer for the
Health Information Trust Alliance. We appreciate you coming all
the way from the great State of Texas to be with us this
morning.
Last but not least, Mr. Tom Finan is the chief strategy
officer at Ark Network Security Solutions, and is also a former
Department of Homeland Security official. We welcome you back
as well.
I now ask the witnesses to stand and raise your right hand
so that I can swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that the witnesses
have answered in the affirmative. The witnesses' full written
statements will appear in the record.
The Chair now recognizes Mr. McCabe for his opening
statement.
STATEMENT OF MATTHEW P. McCABE, SENIOR VICE PRESIDENT, NETWORK
SECURITY AND DATA PRIVACY, MARSH FINRPO
Mr. McCabe. Thank you. Good morning, Chairman Ratcliffe,
Ranking Member Richmond, and Members of the subcommittee. My
name is Matthew McCabe, and I am a senior adviser for Marsh,
which is the global leader in risk management and insurance
brokering.
Every day around the world, Marsh advisers work with
clients to quantify and manage risk. Today, our prayers are
certainly with our colleagues in Brussels and, of course, with
all the citizenry in the wake of those terrible attacks.
My testimony today focuses on how Marsh helps clients
manage risk through cyber insurance. Broadly stated, there are
3 core components. First, a policy can pay costs to respond to
a cyber incident. These can be items like forensics, data
breach notification and credit monitoring, restoring corrupted
data, or even a cyber extortion demand.
Second, cyber insurance will cover fees and damages that
arise from litigation triggered by a cyber incident. Third,
cyber insurance reimburses revenue lost or expenses incurred
from disruption of network operations. However, the benefits of
coverage are not simply financial. Cyber insurance actually can
strengthen an organization's cyber preparedness.
As a threshold matter, as the Chairman recognized, applying
for coverage requires an assessment. Underwriters scrutinize
practices such as perimeter defenses, incident response plans,
patching software, access privileges, and network monitoring
before issuing a policy. In that assessment, we will help
determine the premium which incentivizes better practices. Once
coverage is bound, tethered to that coverage are vendor
services such as threat assessment and vulnerability scanning.
Most prominently, cyber insurance supports incident
response plans by providing services like forensics, legal
analysis, fraud mitigation, and crisis management. This feature
can be especially valuable for small and mid-size businesses
that may lack resources to carry their own incident response
plans. Notably, research indicates that nearly 60 percent of
cyber attacks target small and mid-size businesses.
Interest in cyber insurance is robust and climbing. In
2015, the number of U.S.-based Marsh clients purchasing cyber
insurance increased 27 percent when compared to 2014. That 27
percent number follows a 32 percent increase in the prior year,
and a 21 percent increase in the year before. Currently, cyber
insurance purchasing remains dominated by industries that
aggregate customer data, personally identifiable information.
But purchasing is climbing for industries with less data,
but which have a significant exposure for network disruptions.
Typical industries that can serve as examples would be electric
utilities and manufacturers. So this trend signals that more
companies see a growing exposure from cyber physical systems
where operational technology is remotely controlled via an
internet connection.
Marsh and McLennan recently considered this exposure in a
report titled ``Cyber Resiliency in the Fourth Industrial
Revolution,'' which it co-authored with FireEye and Hewlett
Packard Enterprise. The report examines how cyber threats are
morphing into a realm of physical assets and critical
infrastructure. With the escalation of attacks and increased
connectivity of devices, there is a clear need for critical
infrastructure companies to become more resilient to cyber
attacks.
The report concludes that one key for building cyber
resiliency is to have distinct cyber risk advisers, such as
threat intelligence, forensic assessment, systems architecture,
and risk transfer, provide an integrated strategy. They will
ask questions as what are your most critical assets? Who are
the bad actors targeting your network? What does your on-line
activity signal to the hackers out there? The responses to
those questions will yield data, and that data should inform
every asset of cyber risk management.
For the same rationale, Marsh has participated and supports
the DHS Cyber Incident Data Analysis Working Group. The
insurance industry is data-intensive, and advising clients
relies on our ability to model the likelihood and severity of
events. In fact, the strength of our industry is its emergence
as a leader in cyber incident analysis. So we believe the
repository could have several uses, including strengthening
underwriting, developing new products to close gaps in
coverage, and could support metrics around information sharing
and detecting threats.
In conclusion, cyber risk management depends on our ability
to quantify risk and provide analytics that support action
items. Thank you, and I look forward to answering any questions
that you might have.
[The prepared statement of Mr. McCabe follows:]
Prepared Statement of Matthew P. McCabe
March 22, 2016
introduction
Good morning Chairman Ratcliffe, Ranking Member Richmond, and
Members of the subcommittee. My name is Matthew McCabe, and I am a
senior advisory specialist in the field of cyber insurance broking for
Marsh. My testimony today will focus on defining the product of cyber
insurance, explaining how it supports resiliency to defend against
cyber threats, and how analysis of data related to cyber incidents
supports the industry. I am grateful for the opportunity to participate
in this important hearing.
Marsh & McLennan operates through 4 market-leading brands--Marsh,
Guy Carpenter, Mercer, and Oliver Wyman. Each organization provides
advice to clients across an array of industries in the areas of risk,
strategy, and human capital. As the leading insurance broker in the
world, Marsh has a unique perspective on the cyber insurance market.
Marsh's role is to work with clients to analyze their risk
exposures and, where appropriate, help our clients implement solutions
to address and mitigate the financial impact of a cyber incident.
Over the past decade, our Nation has witnessed an astonishing
evolution of cyber risk that continues to grow in size and
sophistication. It was aptly described by President Barack Obama as
``one of the great paradoxes of our Information Age--the very
technologies that empower us to do great good can also be used by
adversaries to inflict great harm.'' Technically-sophisticated actors
have the opportunity to carry out attacks at a relatively low cost, and
they do so repeatedly by frustrating attribution or enjoying the
protection of a jurisdiction where the ability to extradite or
prosecute bad actors remains evasive.
That paradigm resulted in an epic crime wave, with enormous
consequences for our clients. Companies have lost hundreds of millions
of customer records, suffered rampant pilfering of intellectual
property and endured the theft of funds and sensitive financial
information.
Many metaphors have been invoked to describe this phenomenon. Is
this an epidemic? Is this the modern-day risk of catastrophic fire? My
preference is piracy. Simply put, a new generation of raiders committed
to plunder have taken to the virtual high seas. These raiders may enjoy
tacit or direct support of a nation-state. Victimized merchants expect
their government to address this menace and are considering how they
can pursue their own recourse. However, even that metaphor has come
full circle. This week, security experts found that actual pirates have
been hacking into a global shipping company in order to target specific
ships with the most valuable cargo.\1\ There is no company or industry
that is not affected by cyber risk.
---------------------------------------------------------------------------
\1\ See [sic] (accessible at http://www.verizonenterprise.com/
resources/reports/rp_data-breach-digest_xg_en.pdf).
---------------------------------------------------------------------------
For this committee, the paramount concern is that cyber threats
have now unquestionably escalated into a genuine threat against the
homeland. The growing prominence of cyber physical systems--where
operational technology connections become increasingly accessible
through the internet--gives rise to an escalated risk to the control
physical processes. The threat to U.S. critical infrastructure arising
from the exposure of cyber physical systems has quickly morphed from
speculative, to rumored, and now actual events. Recent examples include
the 2013 attack against a New York dam, last year's attack against a
Ukrainian electric utility and railways, and purportedly a recent
threat against a South Korean rail system. In short, the stakes in this
game have risen quickly.
Marsh & McLennan recently considered this challenge in a report
titled ``Cyber Resiliency in the Fourth Industrial Revolution'', which
it co-authored with FireEye and Hewlett Packard Enterprises. (See
Appendix A.) As noted in the report, with most experts predicting that
the number of internet-connected devices will eclipse 30 million by
2020, there will be a broad expansion of the attack surface against
critical infrastructure. Realizing that this boom in connectivity must
be met with a better approach for securing the backbone systems that
support critical infrastructure, the authors considered the challenge
of how the private sector can develop greater resiliency in the face of
cyber threats.
Our conclusion is that cyber-risk advisers must come together to
create a unified approach for building cyber resiliency of these
systems. Much like the NIST Framework presents a process for end-to-end
assessment, the different disciplines of cyber-risk management must
coalesce into an integrated solution. Each stage of cyber risk advising
should inform and reinforce the others. Thus, cyber insurance should
not be viewed as a stand-alone solution; it is instead a key component
of cyber-risk management around which experts can coalesce and which
can provide strong market incentives to pursue greater security.
The many benefits of cyber insurance are apparent to the private
sector. The number of Marsh U.S.-based clients purchasing stand-alone
cyber insurance increased 27% in 2015 compared with 2014. That followed
a 32% increase of clients purchasing cyber insurance in 2014 over 2013,
and a 21% increase from 2012 to 2013. This purchasing is supported by
more than 50 carriers from around the world that potentially can
provide more than $500 million in capacity.
Because of the incessant stream of data breaches that have targeted
U.S. companies, purchasing is dominated by industries that aggregate
customer data, such as retailers, financial institutions, and health
care providers. However, take-up rates are climbing for industries with
small amounts of data but that are exposed to significant risk of
network outage, such as electric utilities or manufacturers. In short,
the sharp increase in cyber insurance purchasing has increased rapidly
and continues its growth as a vital part of risk-based cybersecurity
management strategies.
the value of cyber insurance
Broadly stated, there are 3 core components of cyber insurance.
First, cyber insurance will reimburse the costs that a company pays to
respond to a cyber incident. These expenses may come in the form of
complying with requirements to notify and protect affected individuals
in the wake of a data breach; paying the expense to recreate corrupted
or destroyed data; or even paying the demand of an extortionist.
Second, cyber insurance covers the fees and damages that a company may
pay in response to litigation resulting from a cyber incident. Third,
cyber insurance reimburses revenues lost or expenses incurred due to a
disruption related to a cyber incident.
However, the benefits of cyber insurance extend far beyond
reimbursement for financial loss. Cyber insurance has evolved into a
product that serves as a key touchpoint for an organization to assess
its cyber practices and coordinate its incident response plan to cyber
incidents. The Department of Commerce Internet Policy Task Force
recently commented that cybersecurity insurance is potentially an
``effective, market-driven way'' of increasing cybersecurity in the
private sector.
For demonstrative purposes, the benefits attached to cyber
insurance can be explained in the context of the NIST Cybersecurity
Framework by mapping the components of a policy to the five
cybersecurity domains proposed in the Framework: Assessment,
prevention, detection, response, and recover.
As a threshold matter, the very act of applying for insurance
forces an assessment of the applicant's cyber practices. The
underwriting process will scrutinize a company's technical defenses,
incident response plan, procedures for patching software, policies for
limiting access to data and systems, monitoring of the vendor network
and more. Applying for cyber insurance is therefore an important risk
mitigation tool. Further, carriers assess the applicant's security
practices and provide premiums based on their interpretation. Thus,
cyber insurance premiums provide an important incentive that drives
behavioral change in the marketplace.
Once a cyber insurance program is implemented, the insured can
avail themselves of services and solutions to further mitigate cyber
risk and strengthen cyber hygiene. The insurance marketplace thereby
enhances access to detection and mitigation solutions and the large
network of vendors that provide threat intelligence, vulnerability
scanning, system configuration analysis, and technology to block
malicious signatures.
Most prominently, cyber insurance can support an organization's
incident response plans. In the example of a data breach, most cyber
insurance policies provide the services needed to respond to breaches,
including forensics to determine what customer records have been
compromised, legal analysis of the insured's responsibilities,
notification to affected individuals, and credit monitoring and
restoration to protect its customers. A well-executed response plan
will actually reduce the overall cost of a data breach and avoid many
of the problems that may later surface in resulting litigation or
regulatory scrutiny. These services can be especially valuable for
small- and mid-size enterprises that will require a cyber incident
response plan, but lack the resources to implement one on their own.
In short, using market-driven incentives, cyber insurance serves to
build greater resiliency within the private sector. This can be
especially critical for small- and mid-size businesses that would
experience a significant financial burden to retain and execute all of
these services own their own. Notably, recent research indicates that
as many as 60% of cyber attacks target small- and mid-size
businesses.\2\ With cyber insurance, these businesses can rely on
experienced cyber security vendors in the wake of a cyber incident and
respond and recover more quickly from the incident.
---------------------------------------------------------------------------
\2\ See Symantec Internet Security Report 2014 (accessible at
http://www.symantec.com/content/en/us/enterprise/other_resources/b-
istr_main_report_v19_21291018.en-us.pdf).
---------------------------------------------------------------------------
the role of data analysis
As this committee has recognized through its important work to pass
legislation on the sharing of cyber threat indicators, enhanced
information sharing between industry and Government is an important
component of a comprehensive risk mitigation strategy. For this
purpose, Marsh has participated in and supported the Department of
Homeland Security's (DHS) Cyber Incident Data Analysis Working Group,
and, prior to that, Cyber Insurance Workshops conducted by DHS.
As the committee is aware, the insurance industry is data-
intensive. There are both internal and external drivers for strong
modeling to enable more accurate forecasting for the likelihood and
severity of events. As a rule of thumb, better data leads to better
decisions. For this reason, Marsh has participated in the DHS working
groups that have proposed the creation of a repository that would
collect anonymized data to track cyber incidents.
Importantly, the committee should not interpret the desire to
collect more actuarial data or to strengthen modeling as an indication
that the cyber insurance industry is currently without tether to a
strong appreciation of the underlying risk. One strength of the cyber
insurance industry is that the underwriting process generates data on
threats, vulnerabilities, and potential consequences for each
applicant. Indeed, the cyber insurance industry has risen to become a
leader in incident analysis for informing trends in cyber threats and
correlate best practices with the amount of loss.
However, a centralized repository could offer several benefits to
both Government and industry. As proposed, the data repository would
provide a centralized platform to share the information that many
companies retain about hacking activity.
Making this data available centrally can inform analysis of long-
term trends for insight into the effectiveness of security practices.
For example, companies, carriers, and regulators could potentially
analyze whether certain security protocols or practices have
effectively mitigated cyber risk. For example, Government and industry
could undertake an analysis as to whether organizations that have
implemented cyber practices using the NIST Framework have proven more
resilient in withstanding cyber attacks. Further, in the wake of the
recent passage of information-sharing legislation, Government, and
industry, could explore whether the greater availability of cyber
threat indicators has enabled organizations to fend off malevolent
actors.
From the perspective of Government, analyzing the successes and
challenges related to cyber risk strategies could provide a basis for
shaping future Federal policy. Increasingly, network systems tie
together an ever broader and more sophisticated global supply chain,
yielding greater complexity and more latent risk. Accordingly, any new
requirement for protecting supply chains should be founded in data
analysis and consider potential consequences of regulations on the
marketplace and the likelihood for accomplishing intended security
goals.
From the perspective of the insurance industry, the greater
availability of cyber incident data to strengthen underwriting may also
facilitate market forces to address current and future risks, and
eventually encourage further carrier participation. Better data could
also enable the insurance industry to introduce solutions to close gaps
in current coverages and to determine how to best to detect and
mitigate future incidents, or to reduce incident response times and
facilitate recovery.
Thank you for allowing me to present this testimony. I am happy to
take your questions.\3\
---------------------------------------------------------------------------
\3\ Appendix to Marsh & McLennan Companies Testimony A. Report:
``Cyber Resiliency in the Fourth Industrial Revolution'' is available
at: http://info.resilientsystems.com/ponemon-institute-study-the-cyber-
resilient-organization-ppc?utm_campaign=CyberResiliencePonemonReport-
&utm_source=google&utm_medium=cpc&gclid=CP3F2Lf61MsCFRNahgodl98LrA.
Mr. Ratcliffe. Thank you, Mr. McCabe. The Chair now
recognizes Commissioner Hamm for his opening statement.
STATEMENT OF ADAM W. HAMM, COMMISSIONER, NATIONAL ASSOCIATION
OF INSURANCE COMMISSIONERS
Mr. Hamm. Good morning, Chairman Ratcliffe, Ranking Member
Richmond, and Members of the committee. Thank you very much for
the opportunity to testify today.
So to begin, State insurance regulators are keenly aware of
the potentially devastating effects that cyber attacks can
have, and we have taken a number of steps to enhance data
security expectations across the insurance sector. We
understand the pressure these increased risks put on other
industries, creating unprecedented demand for products to
manage and mitigate some of their cybersecurity risks through
insurance.
Most businesses carry commercial insurance policies, but
may not realize cybersecurity risks are not covered. To cover
these unique risks, businesses need to purchase a special,
customized cybersecurity policy. My written testimony details
the structure of financial and market regulation for U.S.
insurers writing these types of policies.
Ours is a Nationally-coordinated, State-based system that
relies on extensive peer review, communication, and
collaboration among regulators to produce checks and balances
in oversight, always with the fundamental tenet of protecting
policy holders by ensuring that companies are solvent and can
pay claims when they come due.
When it comes to regulation, cybersecurity policies are
scrutinized just as closely as other insurance contracts. Their
complexity and new product language will present some novel
issues, but policy forms and rates are still subject to review
to ensure the contracts are reasonable and not contrary to
State laws. We also have market conduct authorities to examine
insurers and policies, as well as strong enforcement powers.
Cybersecurity risk remains difficult for insurance
underwriters to quantify, due in large part to a lack of
actuarial data. Today, in the absence of that data, insurers
compensate by pricing that relies on qualitative assessments of
an applicant's operations, vendors, risk management procedures,
and security culture. As a result, the policies for cyber risk
tend to be more customized than others, and therefore more
costly.
From a regulatory perspective, we would like to see these
qualitative assessments coupled with a more robust actuarial
data system based on actual incident experience. As it is still
developing, accurately assessing the exposure or the size of
the cybersecurity insurance market is a work in progress. That
is why the NAIC has developed a new mandatory data supplement.
This supplement requires all insurance carriers, writing either
identity theft insurance or cybersecurity insurance, to report
on their claims, premiums, losses, expenses, and in-force
policies in these areas.
With this data, regulators will be able to more
definitively report on the size of the market and identify
trends that will inform whether more tailored regulation is
necessary. As with any new requirement, we expect that the
terminology and reporting will mature over time.
State insurance regulators are also ramping up our efforts
to tackle other cybersecurity issues and reduce risk in the
insurance sector through a number of initiatives. In the past
year, the NAIC has adopted 12 principles for effective
cybersecurity, a roadmap for consumer cybersecurity
protections, updated guidance for examiners regarding IT
systems and protocols. Most recently, we exposed for public
comment a new insurance data security model law. We have done
all of this through the NAIC's open and transparent process,
and we continue to welcome all stakeholder input on these
projects.
The expansion of cyber risks and the growth of the
cybersecurity insurance market are a tremendous opportunity for
the insurance sector to lead in the development of cyber
hygiene across our National infrastructure. Insurance has a
long history of driving both best practices and
standardization. It creates economic incentives through the
pricing of products, and the underwriting process can test risk
management techniques and encourage policy holders to make
their businesses more secure.
As insurers develop more sophisticated tools for
underwriting and pricing, State regulators will continue to
monitor and study cybersecurity products, always remembering
that our fundamental commitment is to ensuring that policy
holders are protected and treated fairly by financially sound
insurance companies.
In conclusion, State insurance regulators remain
extensively engaged to promote an optimal regulatory framework,
and cybersecurity insurance is no exception. I want to thank
you again, Chairman Ratcliffe, for the opportunity to testify
today, and I look forward to answering your questions.
[The prepared statement of Mr. Hamm follows:]
Prepared Statement of Adam W. Hamm
March 22, 2016
introduction
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee, thank you for the invitation to testify today. My name is
Adam Hamm. I am the commissioner of the Insurance Department for the
State of North Dakota and I present today's testimony on behalf of the
National Association of Insurance Commissioners (NAIC).\1\ I am a past
president of the NAIC, and I have served as the chair of the NAIC's
Cybersecurity Task Force since its formation in 2014.\2\ On behalf of
my fellow State insurance regulators, I appreciate the opportunity to
offer our views and perspective on cybersecurity challenges facing our
Nation and the role cybersecurity insurance can play in risk
management.
---------------------------------------------------------------------------
\1\ The NAIC is the United States standard-setting and regulatory
support organization created and governed by the chief insurance
regulators from the 50 States, the District of Columbia, and 5 U.S.
territories. Through the NAIC, we establish standards and best
practices, conduct peer review, and coordinate our regulatory
oversight. NAIC members, together with the central resources of the
NAIC, form the National system of State-based insurance regulation in
the United States.
\2\ Attachment A--NAIC Cybersecurity (EX) Task Force Membership
List.
---------------------------------------------------------------------------
the cyber threat landscape creates demand for coverage
On one hand, threats to data privacy are not new for businesses,
regulators, or the consumers we protect. Regulators and legislatures
have required businesses to protect consumer data for decades. On the
other hand, the modern size, scale, and methods of data collection,
transmission, and storage all present new challenges. As society
becomes more reliant on electronic communication and businesses collect
and maintain ever more granular information about their customers in an
effort to serve them better, the opportunity for bad actors to inflict
damage on businesses and the public increases exponentially. Rather
than walking into a bank, demanding bags of cash from a teller, and
planning a speedy getaway, a modern thief can steal highly-sensitive
personal health and financial data with a few quick keystrokes or a
well disguised phishing attack from the comfort of his basement couch.
Nation states also place great value on acquiring data to either better
understand or disrupt U.S. markets, and are dedicating tremendous
resources to such efforts.
As these cyber threats continue to evolve, they will invariably
affect consumers in all States and territories. State insurance
regulators are keenly aware of the potential devastating effects cyber
attacks can have on businesses and consumers, and we have taken a
number of steps to enhance data security expectations across the
insurance sector, including at our own departments of insurance and at
the NAIC. We also understand the pressure these increased risks are
putting on other industries, creating unprecedented demand for products
that allow purchasers to manage and mitigate some of their
cybersecurity risks through insurance. Whether attacks come from nation
states, terrorists, criminals, hacktivists, external opportunists or
company insiders, with each announcement of a system failure leading to
a significant business loss, awareness grows, and companies will seek
additional coverage for security breaches, business interruptions,
reputational damage, theft of digital assets, customer notifications,
regulatory compliance costs, and many more liabilities that arise from
doing business in the modern connected universe.
Most businesses carry and are familiar with their commercial
insurance policies providing general liability coverage to protect the
business from injury or property damage. What they may not realize is
that most standard commercial lines policies do not cover many of the
cyber risks mentioned above. To cover these unique cyber risks through
insurance, businesses need to purchase a special cybersecurity policy.
I want to urge some caution regarding the term ``cybersecurity
policy'' because it can mean so many different things--while it is a
useful short-hand for purposes of today's conversation, I want to
remind the committee that until we see more standardization in the
marketplace, a ``cybersecurity policy'' will really be defined by what
triggers the particular policy and what types of coverage may or may
not be included depending on the purchaser and insurer. Commercial
insurance policies are contracts between 2 or more parties, subject to
a certain amount of customization, so if you've seen 1 cybersecurity
policy, you've seen exactly 1 cybersecurity policy.
All these nuances mean securing a cybersecurity policy is not as
simple as pulling something off the shelf and walking to the cash
register. Insurers writing this coverage are justifiably interested in
the risk-management techniques applied by the policy holder to protect
its network and its assets. The more an insurer knows about a
business's operations, structures, risks, history of cyber attacks, and
security culture, the better it will be able to design a product that
meets the client's need and satisfies regulators.
insurance regulation in the united states--``cops on the beat''
The U.S. insurance industry has been well-regulated at the State
level for nearly 150 years. Every State has an insurance commissioner
responsible for regulating that State's insurance market, and
commissioners have been coming together to coordinate and streamline
their activities through the NAIC since 1871. The North Dakota
Insurance Department, which I lead, was established in 1889 and employs
approximately 50 full-time staff members to serve policy holders across
our State. It is our job to license companies and agents that sell
products in our State, as well as to enforce the State insurance code
with the primary mission of ensuring solvency and protecting policy
holders, claimants, and beneficiaries, while also fostering an
effective and efficient marketplace for insurance products. The
strength of our State-based system became especially evident during the
financial crisis--while hundreds of banks failed and people were forced
from their homes, less than 20 insurers became insolvent and even then,
policy holders were paid when their claims came due.
Conceptually, insurance regulation in the United States is
straightforward. Americans expect insurers to be financially solvent,
and thus able to make good on the promises they have made. Americans
also want insurers who treat policy holders and claimants fairly,
paying claims when they come due. In practice, the regulation of an
increasingly complex insurance industry facing constantly-changing
risks and developing new products to meet risk-transfer demand becomes
challenging very quickly. The U.S. State-based insurance regulatory
system is unique in that it relies on an extensive system of peer
review, communication, and collaboration to produce checks and balances
in our regulatory oversight of the market. This, in combination with
our risk-focused approach to financial and market conduct regulation,
forms the foundation of our system for all insurance products in the
United States, including the cybersecurity products we are here to
discuss today.
Treasury Deputy Secretary Sarah Bloom Raskin stated at an NAIC/CSIS
event last fall that ``State insurance regulators are the cops on the
beat when it comes to cybersecurity at insurance companies and the
protection of sensitive information of applicants and policy holders.''
We take very seriously our responsibility to ensure the entities we
regulate are both adequately protecting customer data and properly
underwriting the products they sell, and we continue to convey the
message to insurance company C-suites that cybersecurity is not an IT
issue--it is an Enterprise Risk Management Issue, a board of directors
issue, and ultimately a CEO issue.
regulation of cybersecurity policies
Having discussed increasing demand for coverage, we can turn to the
role my fellow insurance commissioners and I play as regulators of the
product and its carriers. Let me start by putting you at ease: When it
comes to regulation, cybersecurity policies are scrutinized just as
rigorously as other insurance contracts. While they may be more complex
than many existing coverages and new product language will present some
novel issues, when insurers draft a cybersecurity policy, they are
still required to file forms and rates subject to review by the State
Department of Insurance. State insurance regulators review the language
in the contracts to ensure they are reasonable and not contrary to
State laws. We also review the pricing and evaluate the benefits we
expect to find in such policies. State regulators also retain market
conduct authorities with respect to examinations of these insurers and
policies in order to protect policy holders by taking enforcement
measures against bad actors.
Insurance regulation involves front-end, on-going, and back-end
monitoring of insurers, products, and insurance agents (or producers).
The system's fundamental tenet is to protect policy holders by ensuring
the solvency of the insurer and its ability to pay claims. Strict
standards and keen financial oversight are critical components of our
solvency framework. State regulators review insurers' material
transactions for approval, restrict key activities, have explicit
financial requirements, and monitor compliance and financial condition
through various solvency surveillance and examination mechanisms, some
of which we recently updated to incorporate cybersecurity controls. We
can also take corrective action on insurers when necessary through a
regulatory intervention process.
Financial Regulation
Financial regulation is focused on preventing, detecting, and
resolving potentially troubled insurers. Insurance regulators carefully
monitor insurers' capital, surplus, and transactions on an on-going
basis through financial analysis, reporting requirements, actuarial
opinions, and cash flow testing. State insurance laws also restrict
insurers' investments and impose capital and reserving requirements.
The monitoring of insurers is done through both on-site
examinations and analysis of detailed periodic insurer reporting and
disclosures. Insurers are required to prepare comprehensive financial
statements using the NAIC's Statutory Accounting Principles (SAP). SAP
utilizes the framework established by Generally Accepted Accounting
Principles (GAAP), but unlike GAAP which is primarily designed to
provide key information to investors of public companies and uses a
going-concern concept, SAP is specifically designed to assist
regulators in monitoring the solvency of an insurer. The NAIC's
Accounting Practices and Procedures Manual includes the entire
codification of SAP and serves as the consistent baseline accounting
requirement for all States. Each insurer's statutory financial
statements are filed with the NAIC on a quarterly and annual basis and
include a balance sheet, an income statement, and numerous required
schedules and exhibits of additional detailed information.
The NAIC serves as the central repository for an insurer's
financial statement data, including running automated prioritization
indicators and sophisticated analysis techniques enabling regulators
around the country to have access to National-level data without the
redundancy of reproducing this resource in every State. This
centralized data and analysis capability has been cited by the IMF as
world-leading.
Cybersecurity risk remains difficult for insurance underwriters to
quantify due in large part to a lack of actuarial data. This has
potential implications for on-going regulation and the market for the
product. If a product is priced too low, the insurer may not have the
financial means to pay claims to the policy holder. If too high, few
businesses and consumers can afford to purchase it, instead opting to
effectively self-insure for cyber incidents, limiting the ability of
the insurance sector to be used as a driver of best practices. Today,
in the absence of such data, insurers compensate by pricing that relies
on qualitative assessments of an applicant's risk management procedures
and risk culture. As a result, policies for cyber risk tend to be more
customized than policies for other risks, and, therefore, more costly.
The type of business operation seeking coverage, the size and scope of
operations, the number of customers, the presence on the web, the type
of data collected, and how the data is stored will all be among the
factors that dictate the scope and cost of cybersecurity coverage
offered. From a regulatory perspective, though, we would like to see
insurers couple these qualitative assessments with robust actuarial
data based on actual incident experience.
Prior to writing the policy, the insurer will want to see the
business' disaster response plan and evaluate it with respect to
network risk management, websites, physical assets, intellectual
property, and possibly even relationships with third-party vendors. The
insurer will be keenly interested in how employees, contractors, and
customers are able to access data systems, how they are trained, and
who key data owners are. At a minimum, the insurer will want to know
about the types of antivirus and anti-malware software the business is
using, the frequency of system and software updates performed by the
business, and the performance of the firewalls the business is using.
Examination Protocols and Recent Updates
Last year, the NAIC, through a joint project of the Cybersecurity
Task Force and the IT Examination Working Group, undertook a complete
review and update of existing IT examination standards for insurers.
Prior to this year, regulatory reviews of an insurer's information
technology involved a 6-step process for evaluating security controls
under the COBIT 5 framework. Revisions for 2016 to further enhance
examinations are based in part on the NIST framework ``set of
activities'' to Identify, Protect, Detect, Respond, and Recover.
Specific enhancements were made to the NAIC Financial Examiner's
Handbook regarding reviews of insurer cybersecurity training and
education programs, incident response plans, understanding
cybersecurity roles and responsibilities, post-remediation analyses,
consideration of third-party vendors, and how cybersecurity efforts are
communicated to the Board of Directors.
Also evolving are regulators' expectations of insurance company C-
suites--specifically chief risk officers and boards of directors.
Regulators expect improved incident response practice exercises,
training, communication of cyber risks between the board and
management, and incorporation of cybersecurity into the Enterprise Risk
Management processes. There is now an expectation that members of an
insurer's board of directors will be able to describe how the company
monitors, assesses, and responds to information-security risks.
Market Regulation
Market regulation is focused on legal and fair treatment of
consumers by regulation of product rates, policy forms, marketing,
underwriting, settlement, and producer licensing. Market conduct
examinations occur on a routine basis, but also can be triggered by
complaints against an insurer. These exams review producer licensing
issues, complaints, types of products sold by insurers and producers,
producer sales practices, compliance with filed rating plans, claims
handling and other market-related aspects of an insurer's operation.
When violations are found, the insurance department makes
recommendations to improve the insurer's operations and to bring the
company into compliance with State law. In addition, an insurer or
insurance producer may be subject to civil penalties or license
suspension or revocation. To the extent that we see any of these issues
arising from claims made on cybersecurity policies, regulators will be
able to address them promptly through our suite of market conduct
tools, and enhancements made to the Financial Examiner's Handbook are
expected to be incorporated into the Market Conduct Examiner's Handbook
this year.
Surplus Lines
It is worth mentioning that some cybersecurity coverage is
currently being written in the surplus lines markets. A surplus lines
policy can be issued only in cases where the coverage cannot be found
in traditional insurance markets because the coverage is unique or
otherwise difficult to underwrite. Surplus lines insurers that are
domiciled in a U.S. State are regulated by their State of domicile for
financial solvency and market conduct. Surplus lines insurers domiciled
outside the United States may apply for inclusion in the NAIC's
Quarterly Listing of Alien Insurers. The carriers listed on the NAIC
Quarterly Listing of Alien Insurers are subject to capital and surplus
requirements, a requirement to maintain U.S. trust accounts, and
character, trustworthiness, and integrity requirements.
In addition, the insurance regulator of the State where the policy
holder resides (the home State of the insured) has authority over the
placement of the insurance by a surplus lines broker and enforces the
requirements relating to the eligibility of the surplus lines carrier
to write policies in that State. The insurance regulator can also
potentially sanction the surplus lines broker, revoke their license,
and hold them liable for the full amount of the policy.
Like any other insurance market, as the cybersecurity market grows
and more companies offer coverage, we anticipate the regulation will
continue to evolve to meet the size and breadth of the market as well
as the needs of consumers. State insurance regulators have a long
history of carefully monitoring the emergence and innovation of new
products and coverages, and tailoring regulation over time to ensure
consumers are appropriately protected and policies are available.
cybersecurity insurance market--new reporting requirements
As a still nascent market for coverage, accurately assessing
exposure or the size of the cybersecurity insurance market is a work in
progress. To date, the only analyses of the cybersecurity market come
from industry surveys and estimates that consistently place the size of
the market in the neighborhood of $2-3 billion. In light of the
uncertainty and many questions surrounding these products and the
market, the NAIC developed the new Cybersecurity and Identify Theft
Coverage Supplement \3\ for insurer financial statements to gather
financial performance information about insurers writing cybersecurity
coverage Nation-wide.
---------------------------------------------------------------------------
\3\ Attachment B [This attachment is retained in the committee
files].
---------------------------------------------------------------------------
This mandatory new data supplement, to be attached to insurers'
annual financial reports, requires that all insurance carriers writing
either identity theft insurance or cybersecurity insurance report to
the NAIC on their claims, premiums, losses, expenses, and in-force
policies in these areas. The supplement requires separate reporting of
both stand-alone policies and those that are part of a package policy.
With this data, regulators will be able to more definitively report on
the size of the market, and identify trends that will inform whether
more tailored regulation is necessary. We will gladly submit a follow-
up report to the committee once we have received and analyzed the first
batch of company filings, which are due April 1, and will keep all
stakeholders apprised as we receive additional information. As with any
new reporting requirement, we expect the terminology and reporting to
mature over time as carriers better understand the specific information
regulators need.
Having this data will enable regulators to better understand the
existing cybersecurity market, and also help us know what to look for
as the market continues to grow, particularly as we see small and mid-
size carriers potentially writing these complex products.
naic efforts beyond cybersecurity insurance
The NAIC and State insurance regulators are also ramping up our
efforts to tackle cybersecurity issues in the insurance sector well
beyond cybersecurity insurance. We understand that the insurance
industry is a particularly attractive target for hackers given the kind
of data insurers and producers hold, and to that end we are engaged on
a number of initiatives to reduce these risks.
The NAIC adopted 12 Principles for Effective Cybersecurity:
Insurance Regulatory Guidance in April 2015.\4\ The principles set
forth the framework through which regulators will evaluate efforts by
insurers, producers, and other regulated entities to protect consumer
information entrusted to them.
---------------------------------------------------------------------------
\4\ Attachment C [This attachment is retained in the committee
files].
---------------------------------------------------------------------------
We also adopted an NAIC Roadmap for Consumer Cybersecurity
Protections in December 2015 to describe protections the NAIC believes
consumers should be entitled to from insurance companies and agents
when these entities collect, maintain, and use personal information and
to guide our on-going efforts in developing formal regulatory guidance
for insurance sector participants.\5\
---------------------------------------------------------------------------
\5\ Attachment D [This attachment is retained in the committee
files].
---------------------------------------------------------------------------
Most recently, on March 3, the Cybersecurity Task Force exposed its
new Insurance Data Security Model Law for public comment--written
comments should be submitted by Wednesday, March 23, and feedback will
be discussed at the open meeting of the task force on April 4 in New
Orleans.\6\ The purpose and intent of the model law is to establish the
exclusive standards for data security, investigation, and notification
of a breach applicable to insurance licensees. It lays out definitions
and expectations for insurance information security, breach response,
and the role of the regulator. Recognizing that one size does not fit
all, the model specifically allows for licensees to tailor their
information security programs depending on the size, complexity,
nature, and scope of activities, and sensitivity of consumer
information to be protected. Perhaps most importantly, the model is
intended to create certainty and predictability for insurance consumers
and licensees as they plan, protect information, and respond in the
difficult time immediately following a breach. We welcome all
stakeholders' input as we continue the model's development through the
open and transparent NAIC process.
---------------------------------------------------------------------------
\6\ Attachment E [This attachment is retained in the committee
files].
---------------------------------------------------------------------------
Related to the NAIC's new model, we are aware Congress is
considering a number of Federal Data Breach bills. While Congress held
its first hearings on data breaches 20 years ago, there has been no
successful legislation on the issue. Meanwhile, 47 States have acted to
varying degrees, and some are on the fourth iteration of data security
and breach notification laws. Some of these bills, including S. 961/
H.R. 2205, the Data Security Act, would lessen existing consumer
protections in the insurance sector and could undermine our on-going
and future efforts to respond to this very serious issue.
coordinating with our federal colleagues
Lastly, we understand that State insurance regulators are not alone
in any of our efforts. We work collaboratively with other financial
regulators, Congress, and the administration to identify specific
threats and develop strategies to protect the U.S. financial
infrastructure. State insurance regulators and NAIC staff are active
members of the Treasury Department's Financial Banking and Information
Infrastructure Committee (FBIIC), where I recently gave a presentation
on insurance regulators' efforts in this space.
We are also members of the Cybersecurity Forum for Independent and
Executive Branch Regulators, where we meet with White House officials
and other regulators to discuss best practices and common regulatory
approaches to cybersecurity challenges across very different sectors of
the U.S. economy. While we certainly do not have all the answers yet,
rest assured that regulators are communicating and collectively focused
on improving cybersecurity posture across our sectors.
current state of play
I recently met with a group of insurance CEOs to discuss the NAIC's
on-going efforts in data and cybersecurity. Several baseball metaphors
were used in the meeting, so when the discussion pivoted to cyber
insurance, I asked how far along they felt that market was in its
development. One CEO said it was only the top of the first inning, and
the lead-off batter has just grabbed a bat from the rack before the
first pitch has even been thrown--the rest of the room nodded in
agreement. We are on the first leg of a long race when it comes to
cybersecurity insurance.
There is no question that the expansion of cyber risks and the
maturation of the cybersecurity insurance are a tremendous opportunity
for the insurance sector to lead in the development of risk-reducing
best practices and cyber hygiene across our National infrastructure.
Insurance has a long history of driving best practices and
standardization by creating economic incentives through the pricing of
products, and the underwriting process can test the risk management
techniques and efficacy of a policy holder making a broader range of
businesses secure. As insurers develop more sophisticated tools for
underwriting and pricing, State regulators will continue to monitor and
study cybersecurity products, always remembering that our fundamental
commitment is to ensuring that policy holders are protected and treated
fairly, and that insurance companies are able to pay claims when they
come due.
conclusion
As insurance markets evolve, State insurance regulators remain
extensively engaged with all relevant stakeholders to promote an
optimal regulatory framework-cybersecurity insurance is no exception.
As the cybersecurity insurance market develops, we remain committed to
effective regulation and to making changes when necessary. State
insurance regulators will embrace new challenges posed by a dynamic
cybersecurity insurance market and we continue to believe that well-
regulated markets make for well-protected policy holders. Thank you
again for the opportunity to be here on behalf of the NAIC, and I look
forward to your questions.
Attachment A.--Cybersecurity (EX) Task Force
Adam Hamm, Chair, North Dakota
Raymond G. Farmer, South Carolina
Jim L. Ridling, Alabama
Lori K. Wing-Heier, Alaska
Allen W. Kerr, Arkansas
Dave Jones, California
Marguerite Salazar, Colorado
Katharine L. Wade, Connecticut
Karen Weldin Stewart, Delaware
Stephen C. Taylor, District of Columbia
Kevin M. McCarty, Florida
Gordon I. Ito, Hawaii
Dean Cameron, Idaho
Anne Melissa Dowling, Illinois
Ken Selzer, Kansas
Brian Maynard, Kentucky
Eric A. Cioppa, Maine
Al Redmer, Jr., Maryland
Mike Hothman, Minnesota
John M. Huff, Missouri
Monica J. Lindeen, Montana
Bruce R. Ramge, Nebraska
Barbara Richardson, Nevada
Roger A. Sevigny, New Hampshire
Peter L. Hartt, New Jersey
John G. Franchini, New Mexico
Maria T. Vullo, New York
Wayne Goodwin, North Carolina
Mary Taylor, Ohio
John D. Doak, Oklahoma
Teresa D. Miller, Pennsylvania
Angela Weyne, Puerto Rico
Elizabeth Kelleher Dwyer, Rhode Island
Larry Deiter, South Dakota
Julie Mix McPeak, Tennessee
David Mattax, Texas
Todd E. Kiser, Utah
Susan L. Donegan, Vermont
Jacqueline K. Cunningham, Virginia
Mike Kreidler, Washington
Ted Nickel, Wisconsin
NAIC Support Staff: Eric Northman/Sara Robben/Tony Cotto/Cody Steinwand
Mr. Ratcliffe. Thank you, Commissioner Hamm.
The Chair now recognizes Mr. Nutkis for his opening
statement.
STATEMENT OF DANIEL NUTKIS, CHIEF EXECUTIVE OFFICER, HEALTH
INFORMATION TRUST ALLIANCE
Mr. Nutkis. Good morning, Chairman Ratcliffe, Ranking
Member Richmond, and the distinguished Members of the
subcommittee. I am pleased to appear today to discuss the role
of cyber insurance in risk management, and initiatives underway
by HITRUST and the health care industry to expand and leverage
its role.
I am Dan Nutkis, CEO and founder of the Health Information
Trust Alliance, or HITRUST. While I prepared my written
statement for the record, I would like to share with you a few
of the highlights.
HITRUST helps elevate the health care industry's cyber
awareness, improve cyber preparedness, and strengthen risk
management posture. In particular, I want to point out how
cyber insurance is integral to this process.
There should be no question as to the significance of
managing cyber risk, and an organization's ability to respond
efficiently and effectively to cybersecurity incidents plays in
cyber resilience. To aid industry in cyber risk management,
threat preparedness, and response, HITRUST implemented numerous
programs in coordination with industry stakeholders, including
our risk management framework, or HITRUST RMF.
Our perspective on evolving cybersecurity threats facing
the health care industry is formed based on our deep engagement
with the industry around information protection. That
engagement includes data from over 14,000 security assessments
done in 2015 alone, leveraging the HITRUST RMF, as well as
operating the industry's information-sharing and analysis
organization, or ISAO, and running CyberRX, now in its third
year, which is a series of industry-wide exercises developed by
HITRUST to simulate cyber attacks on health care organizations,
and evaluate the industry's preparedness against attempts to
disrupt U.S. health care industry operations. In 2015, over
1,000 organizations participated in CyberRX.
The HITRUST RMF incorporates a risk-based control
framework, specifically the HITRUST CSF, which is a scalable,
prescriptive, and certifiable, risk-based information, privacy,
and security control framework. It provides an integrated,
harmonized set of requirements tailored specifically for the
health care industry. The HITRUST RMF is adopted by
approximately 80 percent of the hospitals and health plans,
making it the most widely adopted in the industry.
Leveraging HITRUST's knowledge and role in understanding
and aiding industry in risk management, HITRUST approached
Willis Towers Watson, a leading insurance brokerage, to explore
ways to leverage the HITRUST RMF to allow insurers to better
and more effectively evaluate cyber risk. HITRUST and Willis
established a detailed approach to educate and substantiate the
value of leveraging the HITRUST RMF as the basis for their
cyber underwriting programs in the health care industry. I have
outlined 8 points in my written testimony that provides details
on this approach and process.
Over the last 5 months, HITRUST and Willis have worked to
educate cyber insurers regarding the use of the HITRUST RMF in
supporting the cyber risk underwriting process. Insurers have
found the HITRUST CSF to offer many advantages over the
existing approaches, including providing a comprehensive and
mature controls framework, aligning strong controls with risk,
and accurately and consistently measuring residual risk.
Allied World was the first company to offer preferred terms
and conditions based on meeting the HITRUST CSF certification
standards. After review and analysis, Allied World has
determined that the CSF framework and CSF insurance methodology
will insure its underwriting program in terms of efficiency,
consistency, and accuracy, allowing it to better align the
effectiveness of an organization's security controls with cyber
insurance premium levels.
The review also concluded that organizations that had
obtained a HITRUST CSF certification posed lower cyber-related
risks than organizations that had not. The comprehensiveness
and improved risk reporting enabled by the HITRUST CSF and the
CSF assessment summary scores in place of many of the standard
information security application questions creates a more
streamlined and consistent application process. Allied World
will also provide HITRUST with loss data in order to ensure the
HITRUST CSF control guidance accurately reflects the associated
risks.
In addition, we are in discussions with 5 other cyber
underwriters regarding leveraging this approach with an
expectation that 2 more will be participating by mid-year. It
is clear that this approach is a win-win for the health care
industry, underwriters, and, of course, the members and
patients whose information they are responsible for
safeguarding.
For health care organizations, it drives better behavior in
the industry, supports better control selections, and helps
prioritize remediation activity, which ultimately provides
better protection for patients. For cyber insurance
underwriters, it ensures premium costs are proportionate to
risk, provides more targeted coverage relevant to actual risks,
and ultimately provides a more sustainable underwriting model.
HITRUST also believes this current cyber insurance platform
could provide the risk management focus to encourage health
care organizations to invest in maturing their information
protection programs, once they understand the impact residual
risk has on cyber insurance premiums.
With that, Mr. Chairman, I am pleased to answer any
questions.
[The prepared statement of Mr. Nutkis follows:]
Prepared Statement of Daniel Nutkis
March 22, 2016
Chairman Ratcliffe, Ranking Member Richmond, and distinguished
Members of the subcommittee, I am pleased to appear today to discuss
the role of cyber insurance in risk management, and initiatives
underway by HITRUST and the health care industry to ensure its role is
enhanced. I am Daniel Nutkis, CEO and founder of the Health Information
Trust Alliance, or HITRUST. I founded HITRUST in 2007, after
recognizing the need to formally and collaboratively address
information privacy and security for health care stakeholders
representing all segments of the industry, including insurers,
providers, pharmacies, PBMs, and manufacturers. HITRUST endeavored--and
continues to endeavor--to elevate the level of information protection
in the health care industry, ensuring greater collaboration between
industry and Government, and raising the competency level of
information security professionals.
In my testimony today, I would like to highlight how HITRUST helps
elevate the industry's cyber awareness, improve cyber preparedness and
strengthen the risk management posture of the health care industry. In
particular, I want to point out how cyber insurance is integral to this
process.
There should be no question as to the significance that managing
cyber risk and an organization's ability to respond efficiently and
effectively to cybersecurity incidents plays in cyber resilience. To
aid industry in cyber risk management, threat preparedness, and
response, HITRUST has implemented numerous programs in coordination
with industry stakeholders as part of its overall risk management
framework (RMF).
The HITRUST RMF provides a risk-based control framework,
specifically the HITRUST CSF, which is a scalable, prescriptive, and
certifiable risk-based information privacy and security control
framework. It provides an integrated, harmonized set of requirements
tailored specifically for health care.
Health care organizations are subject to multiple regulations,
standards, and other policy requirements, and commonly-accepted best
practice standards, including implementing the NIST Cybersecurity
Framework. However, these ``authoritative sources'' often overlap in
the depth and breadth of their requirements, which, when integrated and
harmonized, can often be mutually reinforcing when intelligently
applied in the intended environment.
To ensure the HITRUST CSF remains relevant, it is reviewed and
updated at least annually. The review not only takes into account
changes in underlying regulations and standards, but it also considers
best practices and lessons learned from security incidents, incident
response exercises, and industry post-data breach experiences.
This level of comprehensiveness, relevance, and applicability is
why over 80 percent of hospitals and health plans, as well as many
other health care organizations and business associates, have adopted
the HITRUST CSF, making it the most widely adopted privacy and security
framework in health care.
Also distinctive to the HITRUST RMF, the HITRUST CSF Assurance
Program delivers a comprehensive, consistent, and simplified compliance
assessment and reporting program for regulatory requirements, such as
HIPAA, HITECH, and other Federal and State requirements, and the
sharing of assurances between and amongst covered entities and business
associates. Specifically designed for the unique regulatory and
business needs of the health care industry, the HITRUST CSF Assurance
Program provides health care organizations and their business
associates with a common approach to manage privacy and security
assessments that enables efficiencies and contains costs associated
with multiple and varied information protection requirements. The CSF
Assurance Program incorporates specific guidelines to allow a broad
array of leading industry professional services firms to perform
services, while allowing HITRUST to oversee quality assurance processes
to ensure assessments are rigorous, consistent, and repeatable.
An additional benefit of using the HITRUST RMF is that it supports
assessment and reporting for multiple and varied purposes,\1\ such as
the evaluation of AICPA's Trust Services Principles and Criteria and
SSAE-16 SOC 2 reporting ``scorecards'' against regulatory requirements
and best practice frameworks, such as HIPAA, the NIST Cybersecurity
Framework, and State-based covered entity privacy and security
certifications like the SECURETexas program.\2\
---------------------------------------------------------------------------
\1\ Health care organizations have been saving roughly 25-30% of
audit costs when leveraging a HITRUST RMF Certification and a SSAE-16
SOC2 audit. Similar underwriting and auditing savings are also
envisioned as the cyber insurance industry matures.
\2\ SECURETexas is the first State program of its kind in the
country offering privacy and security certification for compliance with
State and Federal laws that govern the use of protected health
information (PHI).
---------------------------------------------------------------------------
Just last month, HITRUST announced the availability of a new guide
to assist health care organizations in implementing the NIST
Cybersecurity Framework. This new guide was developed in consultation
with the Healthcare and Public Health (HPH) Sector Coordinating Council
(SCC) and Government Coordinating Council (GCC), along with input from
other sector members and the DHS Critical Infrastructure Cyber
Community (C3), to help HPH Sector organizations understand and use the
HITRUST RMF to implement the NIST Cybersecurity Framework in the HPH
Sector and meet its objectives for critical infrastructure protection.
I would also note that the availability of the HITRUST CSF, HITRUST
CSF Assurance program and this implementation guide also provides an
excellent basis for the Department of Health and Human Services (HHS)
to leverage ``voluntary, consensus-based, and industry-led guidelines,
best practices, methodologies, procedures, and processes that serve as
a resource for cost-effectively reducing cybersecurity risks for a
range of healthcare organizations.''
HITRUST has spearheaded initiatives in other areas of cybersecurity
as well. In 2012, after identifying the need for coordination among
stakeholders, HITRUST launched a cyber-threat intelligence-sharing and
analysis program to provide threat intelligence, coordinated incident
response and knowledge transfer specific to cyber threats pertinent to
the health care industry. This program facilitates the early
identification of cyber attacks and the creation of best practices
specific to the health care environment and maintains a conduit through
the Department of Homeland Security (DHS) to the broader cyber-
intelligence community for analysis, support, and the exchange of
threat intelligence. HITRUST was also the first to track
vulnerabilities related to medical devices and electronic health record
(EHR) systems, which are both emerging areas of concern.
This program became the foundation for the HITRUST Cyber Threat
XChange (CTX), which significantly accelerates the detection of and
response to cyber threat indicators targeted at the health care
industry. HITRUST CTX automates the process of collecting and analyzing
cyber threats and distributing actionable indicators in electronically-
consumable formats (e.g. STIX, TAXII, and proprietary SIEM formats)
that organizations of almost all sizes and cybersecurity maturity can
utilize to improve their cyber defenses. HITRUST CTX acts as an
advanced early warning system as cyber attacks are perpetrated on the
industry. The HITRUST CTX is now offered free of charge to the public
and has gained wide acceptance within the health care industry. HITRUST
is also a Federally-recognized Information Sharing and Analysis
Organization (ISAO), has strong relationships with DHS and the Federal
Bureau of Investigation (FBI), and considers them integral partners in
better addressing the threat landscape facing health care today and
strengthening the continuum of care.
HITRUST also developed CyberRX, now in its third year, which is a
series of industry-wide exercises developed by HITRUST to simulate
cyber attacks on health care organizations and evaluate the industry's
preparedness against attempts to disrupt U.S. health care industry
operations. These exercises examine both broad and segment-specific
scenarios targeting information systems, medical devices, and other
essential technology resources of the HPH Sector.\3\ CyberRX findings
are analyzed and used to identify general areas of improvement for
industry, HITRUST, and Government and to understand specific areas of
improvement needed to enhance information sharing between health care
organizations, HITRUST, and Government agencies.
---------------------------------------------------------------------------
\3\ See https://www.dhs.gov/healthcare-and-public-health-sector.
---------------------------------------------------------------------------
I only share this information to provide context on our engagement,
experience, knowledge, and commitment in supporting the health care
industry around cyber risk management.
Now to the specifics of the topic at hand. We can all agree that
managing the risks associated with cyber threats requires a
comprehensive approach to risk management, including the implementation
of strong security controls such as the HITRUST CSF, continuous
monitoring of control effectiveness, and routine testing of cyber
incident response capabilities, such as in CSF Assurance and CyberRX.
Commonly applied ``network hygiene'' only covers what is referred to as
``basic blocking and tackling.'' Cyber information sharing, such as
that facilitated by HITRUST CTX, is designed to help organizations go
beyond basic ``hygiene'' by alerting organizations to potential cyber
threats, however, information sharing is very much dependent on the
maturity of participating organizations and their ability to consume
and respond to the potential threat indicators that have been
identified.
While there is not a perfect solution to cybersecurity; the best
strategy is to prevent, detect, and respond before the adversary
achieves their objective.
A data breach in the health care industry not only has financial
and reputational effects on the company targeted by the threat actors,
but the effects could be dramatic for members, patients, and their
families due to the nature of the data disclosed. Personal health
information or identities could be stolen directly from hospitals,
insurance companies, pharmacies, and from any business associate
supporting these organizations. Beyond the privacy implications of data
breach incidents, these breaches have the potential to disrupt
operations of a health care facility or affect patient care. The
various complexities, interdependencies, and unique attributes all
create various risk levels that need to be considered across the
continuum of care.
And HITRUST firmly believes cyber insurance and cyber insurance
underwriters can play a key role in supporting an organization's
overall risk management strategy and help provide for the ``adequate
protection'' of patient information.
Organizations have relied heavily on cyber insurance as one of the
means to reduce the overall financial impact of cyber-related incidents
or breaches. But after numerous cyber-related breaches affecting health
care organizations over the past few years, it is clear that health
care data is one of the prime targets of malicious cyber threat actors
who strive to monetize the data they seize. As a result of increased
targeting by threat actors and recent incidents, underwriters have
determined the risks were greater than they had anticipated given the
methods leveraged to evaluate risk and, subsequently, health care
organizations' cyber insurance premiums have increased dramatically.
In many cases, companies who underwrite cyber insurance struggle
with an effective way to evaluate cyber risk and the full extent of a
company's cybersecurity controls.
Every cyber insurer customarily uses a specific application for
insurance, and each application differs substantially. These tools are
intended to be used to help insurers gain an understanding of key risk
controls, but are not intended to be used as part of a comprehensive
assessment. Additionally, many cyber insurance carriers rely on a wide
array of supplemental questionnaires intended to provide them with
additional insight to support coverage and pricing decisions. However,
the industry lacks a consistent underwriting process, given that the
questions and applications can vary significantly from one carrier to
the next.
Insurance underwriters have always been investigating ways to
efficiently and accurately evaluate risk and help health care
organizations ensure health information systems and services are
adequately protected from cyber risks.
Leveraging HITRUST's role in aiding industry in risk management,
HITRUST approached Willis Towers Watson (Willis), a leading insurance
broker, to explore ways to leverage the HITRUST RMF to allow insurers
to better evaluate cyber risk and to also address 3 concurrent needs:
(1) Ensure people, processes, and technology elements completely
and comprehensively address information and cybersecurity
risks;
(2) Identify risks from the use of information by the
organization's business units; and
(3) Facilitate appropriate risk treatments, including risk
avoidance, transfer, mitigation, and acceptance.
HITRUST and Willis established the following approach to educate
and substantiate the value of leveraging the HITRUST RMF as the basis
for their cyber underwriting programs in the health care industry:
(1) Compare the use of the HITRUST RMF, and the HITRUST CSF in
particular, to current application-based risk evaluation and
pricing methodology;
(2) Map the HITRUST CSF to insurer applications to demonstrate how
it addresses the current application process and the additional
depth it provides;
(3) Show how superior risk evaluation efficiency and consistency
can be achieved using assessment scores and summaries without
sacrificing detail;
(4) Identify where the HITRUST CSF assessment scores and summaries
can replace current application elements and other risk
management-gathering methods;
(5) Use test cases to substantiate accuracy and efficiency of the
HITRUST CSF as a key underwriting resource in risk evaluation
that allows an underwriter to compare an application-based risk
evaluation to HITRUST CSF assessment-based risk evaluation;
(6) Correlate claims with HITRUST CSF scores for test cases in
support of a pricing framework aligned with the scores;
(7) Provide feedback to HITRUST on successful attack scenarios to
bring underwriter experience and any key concerns into the
HITRUST CSF development process to improve risk management; and
(8) Explore a pricing framework based on HITRUST CSF certification
and various levels of control maturity in the certification
process.
By leveraging a standardized approach to control selection and risk
assessment and reporting, underwriters and other stakeholders can
obtain risk estimates that are accurate, consistent, repeatable, and
evolving, that is, risk estimates that take evolving risks and threats
into consideration.
The goal is to integrate risk management into the underwriting
process without adding confusion or unneeded complexity. HITRUST and
Willis studied the relationship between HITRUST CSF and CSF Assurance
control assessment scores, risk, coverage, and premiums to provide a
simple, but effective data point to complement existing underwriting
models.
After many months analyzing the benefits of an underwriting program
leveraging a robust risk management framework, both HITRUST and Willis
saw immediate value in the approach and began educating underwriters on
a cybersecurity assessment methodology that would provide the industry
with consistent, repeatable, reliable, and precise estimates of cyber-
related risk. The HITRUST CSF and CSF Assurance program would provide
underwriters with the information they could use to better understand
an organization's residual cyber risk, and apply to their underwriting
process.
The benefits of the HITRUST RMF-based underwriting model for cyber
insurance in the health care industry allows organizations to maximize
the benefits of demonstrating an enhanced information security posture.
Ultimately, the better controls you have in place, the less likely you
are to experience a breach. If a breach does occur, the potential
impact will likely be contained and mitigated. This will translate into
lower premiums and broader coverage for organizations who meet certain
criteria defined by the HITRUST CSF. This is in many respects analogous
to a ``good driver discount program''.
In addition to streamlining the underwriting process by leveraging
their existing risk assessment, it also encourages organizations to
consider the financial implications of cyber-related risks.
Specifically, analyzing the impact on premium from investments reducing
their cyber risks. Which is the mindset and behavior we would like to
see organizations engage.
Over the past 5 months, HITRUST and Willis have worked to educate
cyber insurers regarding the use of the HITRUST CSF and CSF Assurance
program in supporting the cyber risk underwriting process. Insurers
have found the HITRUST CSF to offer many advantages over the existing
approaches, including providing a comprehensive and mature controls
framework, aligning strong controls with risk, and accurately and
consistently measuring residual cyber risk.
Allied World was the first company to offer preferred terms and
conditions based on meeting the HITRUST CSF certification standards.
After review and analysis, Allied World U.S. has determined that the
HITRUST CSF framework and CSF Assurance methodology, will enhance its
underwriting program in terms of efficiency, consistency, and accuracy,
allowing it to better align the effectiveness of an organization's
security controls with cyber insurance premium levels.
The review also concluded that organizations that had obtained a
HITRUST CSF Certification generally posed lower cyber-related risks
than those organizations that have not. The comprehensiveness and
improved risk reporting enabled by the HITRUST CSF and the CSF
Assessment summary scores in place of many of the standard information
security application questions create a more streamlined and consistent
application process. Allied World will also provide HITRUST with loss
data in order to ensure the HITRUST CSF control guidance accurately
reflects the associated risks.
In addition, Willis and HITRUST are in discussions with 5 other
cyber underwriters regarding leveraging this approach, with an
expectation that 2 more will be participating by mid-year. It is clear
that this approach is a win-win for the health care industry,
underwriters, and of course, the members and patients whose information
they are responsible for safeguarding.
For health care organizations, it drives better behavior in the
industry, supports better control selection, and helps prioritize
remediation activity, which ultimately provides better protection for
patients. For cyber insurance underwriters, it ensures premium costs
are proportional to risk, provides more targeted coverage relevant to
actual risks, and ultimately provides a more sustainable underwriting
model.
As you can see, the cybersecurity and risk management challenges
facing the health care industry are complex and in some cases daunting,
in many cases unique to industry dynamics, and they evolve at a pace
that is unrealistic to manage by regulations and strict Governmental
policy or high-level policy document.
HITRUST, in partnership with industry, has been constantly working
to establish programs to aid industry in mitigating cyber risks and is
committed to be the link between the public and private sector that
will continue to provide value and strengthen our industry, our
Government, our economy, and our Nation as a whole against the growing
cyber threats we face.
HITRUST saw an opportunity to bring relevant industry stakeholders
together to help health care organizations better manage cyber risk and
help the insurance industry better align cyber insurance premiums with
this risk by leveraging a formal framework, like the HITRUST RMF. Risk
management methodologies help companies address applicable regulations,
standards, and best practices, and health care and insurance industry
threat data helps identify high-risk controls requiring executive
attention and link incidents to controls guidance. In many ways, this
breach data helps inform insurance loss experience and allows cyber
underwriters to play a key role in understanding where losses are
occurring.
HITRUST also believes this current cyber insurance platform could
provide the risk management focus to further drive innovation and
encourage health care organizations to invest in maturing their
information protection programs. HITRUST is working with underwriters
to improve actuarial data and provide better estimates of risks while
using threat and incident data to improve control selection within the
HITRUST RMF. While we believe we have a novel approach and are
leveraging new partners to grow its acceptance, mandates have the
potential to stifle the innovations taking place in the marketplace.
This market-based approach will provide a better insurance product for
policy holders while allowing organizations to grow and mature their
information security programs.
HITRUST, through its many tools and programs, remains committed to
ensure that the health care industry can properly address these
challenges. Cyber insurance will be a key component in HITRUST's
approach to cybersecurity and cyber risk management, and we are excited
about pioneering this approach to strengthen risk management.
Thank you again for the opportunity to join you today and share
these insights. I look forward to your questions.
Mr. Ratcliffe. Thank you, Mr. Nutkis. The Chair now
recognizes Mr. Finan for his opening statement.
STATEMENT OF THOMAS MICHAEL FINAN, CHIEF STRATEGY OFFICER, ARK
NETWORK SECURITY SOLUTIONS
Mr. Finan. Chairman Ratcliffe, Ranking Member Richmond, and
Members of the subcommittee, thank you very much for inviting
me to address the role of cybersecurity insurance in risk
management. I am greatly honored to share my perspectives with
you about this very important topic.
I am the chief strategy officer with Ark Network Security
Solutions in Dulles, Virginia, but until recently I served as a
senior cybersecurity strategist and counsel with DHS's National
Protection and Programs Directorate, where I led the
Department's Cyber Incident Data and Analysis Working Group for
the last 4 years.
DHS engaged the cybersecurity insurance market early on
because of its tremendous potential to incentivize better cyber
risk management, and our starting point really was the fire
insurance market. Through years of collective claims
information, insurers have been very successful in identifying
the fire safety controls that need to be in place to protect
lives and property. Those controls have become the gold
standard. You can't get a permit to build a commercial
building, and you can't get fire insurance for that building
unless you have those controls in place.
We wanted to know if the cybersecurity insurance market
could do the same thing. Specifically, could it help identify
the cyber risk control equivalents of sprinkler and other fire
suppression systems? We discovered that while the insurance
industry will certainly get there, there is still more work to
do.
DHS initiated a series of public workshops from October
2012 through the spring of 2014, to determine what obstacles
are impeding the market's progress. Brokers and underwriters
identified 4, including a lack of actuarial data: The absence
of common cybersecurity standards, best practices and metrics;
a lack of knowledge about critical infrastructure dependencies
and interdependencies; and an on-going failure by many
companies to include cyber risk within their existing
enterprise risk management programs.
In response, brokers and underwriters look to see if a
company has an effective cyber risk culture to determine if it
is a safe insurance bet. They identified 4 pillars of such a
culture, including what roles executive leadership, education
and awareness, technology, and relevant information sharing
play in securing the business environment. Given these
findings, we asked our insurance participants what we could do
to help advance the cyber insurance market. They told us that
we should turn our attention to the concept of a cyber incident
data repository, one where companies could anonymously share
their cyber incident data so it could be aggregated and
analyzed for maximum risk management benefit.
In December 2014, DHS accordingly established the CIDAWG to
bring together brokers, underwriters, CISOs, and other
cybersecurity professionals to discuss the repository idea.
Throughout 2015, the group discussed 3 major topics: The value
proposition for a cyber incident data repository, the kinds of
data a repository would need to be successful, and how to
overcome likely obstacles to repository sharing. A fourth
topic, how a repository should actually be structured, will be
the subject of a DHS workshop next month.
We published 3 white papers last year that detailed the
CIDAWG's findings. The first, on the value proposition,
identified 5 kinds of analysis that would benefit brokers,
underwriters, CISOs, and others. Specifically, analysis that
identifies top cyber risks and the controls that are most
effective in addressing them; analysis that informs peer-to-
peer benchmarking, promotes sector differentiation, supports
cyber risk forecasting, trending and modeling, and advances
cyber risk management culture. The group then spent several
months identifying 16 data categories that the CIDAWG believed
would help deliver on that value, and we released them publicly
in September of last year.
In December, the CIDAWG published its third white paper on
likely obstacles to repository sharing and ways to overcome
them. They included assuring anonymization of the repository,
ensuring the security of the data it holds, cultural and
regional challenges that could result in skewed data
contributions, perceived commercial disadvantage to repository
participation, internal process hurdles, the perceived value of
a repository, assuring appropriate, adequate, and equitable
participation, and technical design issues.
The CIDAWG was very successful in breaking down barriers
between the insurance industry and technical cybersecurity
professionals. I strongly believe that the same model could be
adopted to help address the cybersecurity needs of mid-size and
small businesses that today are struggling to keep up. Although
they are often key players in the global supply chain, and a
source for the continued growth of the cybersecurity insurance
market, they too often lack the budgets, expertise, staff, and
time to adequately and consistently address their cyber risks.
As a result, mid-size and small businesses tend to have weaker
security that makes them not only easier to attack, but also a
prime launching point for attacks against others.
Cybersecurity expert exchanges, best practice knowledge
sharing, compliance, automation, and coordination of
cybersecurity investments are just a few topics of conversation
that a CIDAWG-like group could initiate to address this key
area of vulnerability that affects us all.
Thank you, and I look forward to your questions.
[The prepared statement of Mr. Finan follows:]
Prepared Statement of Thomas Michael Finan
March 22, 2016
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee, thank you for inviting me to address the role of
cybersecurity insurance in risk management. I am the chief strategy
officer at Ark Network Security Solutions, a private company that
provides software and services to accelerate standards compliance for
enhanced security. Until this past December, I served as a senior
cybersecurity strategist and counsel with the U.S. Department of
Homeland Security's (DHS) National Protection and Programs Directorate
(NPPD), where I launched and led DHS's Cybersecurity Insurance
Initiative. I will describe the role that DHS has played in identifying
and overcoming obstacles to a more robust cybersecurity insurance
market. I will also discuss how the private-public engagement model
that DHS has followed as a convener of the insurance conversation could
be extended to address the cyber risk management needs of mid-size and
small businesses nationally.
dhs's cybersecurity insurance initiative
As a largely operations-focused organization, NPPD may not
immediately come to mind as a likely candidate to lead a sustained
discussion with stakeholders about cybersecurity insurance. NPPD has a
more general mandate beyond its day-to-day cybersecurity mission,
however, and its mission statement says it all:
``NPPD's vision is a safe, secure, and resilient infrastructure where
the American way of life can thrive. NPPD leads the national effort to
protect and enhance the resilience of the nation's physical and cyber
infrastructure.''
That means DHS must do more than just help its partners extinguish
rapidly-developing cyber risk ``fires.'' It also requires DHS to think
more strategically and to figure out what cyber risk fires--and what
potential solutions to them--may be ahead and then determine how to
address both as part of its overall resilience mission. Ultimately, DHS
is in the risk management business. It is increasingly called to think
about risk management not just 3 to 5 minutes, hours, or days ahead
but--like its external partners--3 to 5 years ahead.
Insurance, we learned, is a key part of that process. When we began
DHS's inquiry into the cybersecurity insurance market, we asked whether
cybersecurity insurance could--as a market force--raise the
cybersecurity ``floor'' by getting more critical infrastructure owners
to manage their cyber risk better in return for more relevant and
hopefully more affordable policies. At the time, our point of reference
was the fire insurance market. We knew that insurers had been very
successful in identifying specific fire safety controls that today are
not only conditions for coverage within fire insurance policies but
also prerequisites for obtaining a building permit. Our hope was that
brokers and underwriters together could help identify the cybersecurity
equivalents of sprinkler and other fire suppression systems. What we
discovered is that while they may get there one day, they are not there
yet.
Challenges
From 2012 through 2014, DHS engaged a wide range of partners
through a series of public workshops on the cybersecurity insurance
topic. Our participants included brokers and underwriters, chief risk
officers, chief information security officers, critical infrastructure
owners and operators, and members of the academic community. During the
course of our conversations, we asked them whether now or in the future
insurance could help incentivize better cyber risk management. DHS was
especially interested in finding out if the market already provided
coverage--or could eventually provide coverage--for physical damages
and bodily injuries that might result from a successful cyber attack
against critical infrastructure. What we heard back is that several
major obstacles continue to prevent insurers from providing more
cybersecurity insurance coverage--specifically, higher limits--than
they currently do. Chief among them are:
First, the market suffers from an on-going lack of actuarial
data. Unlike fire insurance, insurers do not have 100 years'
worth of cyber loss data that they can use to build out new
policies. This has inhibited them from providing more than the
$10 to $15 million in primary coverage that they historically
have offered customers for data breach and network security-
related losses. Despite some recent progress, moreover, very
few insurers provide discrete coverage for cyber-related
critical infrastructure loss. When we asked why, the insurers
explained that for obvious reasons, they do not receive claims
against policies that do not yet exist. Without such claims,
however, they have no way to build out the actuarial tables
they need to expand their offerings. In short, they are left
with little insight into the growing number of SCADA and other
industrial control system attacks that are occurring world-
wide. They insurers further advised that they similarly lack a
consistent source of raw cyber incident data that they could
alternatively use to get their underwriting bearings in this
area.
Second, brokers and underwriters cited the absence of common
cybersecurity standards, best practices, and metrics as a
further hurdle to a more robust market. They nevertheless cited
the advent of the NIST Cybersecurity Framework in 2014 as a
very positive development. Many advised that the Framework's
common vocabulary for cyber risk management topics was helping
them have more in-depth conversations with their current and
potential clients about their cyber risk profiles than
otherwise would be the case. They also told us that they would
like to see tailored versions of the Framework emerge for each
of the Nation's 16 critical infrastructure sectors that provide
more particularized risk management information to their
clients in those sectors. The ultimate utility of the
Framework, they added, remains to be seen. Several underwriters
explained that they continue to seek answers to two key
questions: (1) Are companies that use the Framework having a
better cyber loss experience than their peers that don't; and
(2) what Framework-inspired controls should be incorporated
into cybersecurity insurance contracts as conditions for
coverage--like sprinkler systems for fire insurance?
Third, the workshop participants noted an on-going lack of
understanding about critical infrastructure dependencies and
interdependencies as another major obstacle. Like most of the
population, brokers and underwriters do not know much about how
a cyber-related critical infrastructure failure in one sector
might cascade across multiple other sectors. Until they have a
better idea about how big and bad related losses might be--and
where a strategically-placed risk control might make a
difference--they are reluctant to develop new insurance
products to cover this loss category. Without more insight, one
underwriter explained, one big loss affecting hundreds of
clients could effectively put them out of business.
Fourth, a final challenge to the cybersecurity insurance
market is the on-going failure by many companies to include
cyber risk as part of their traditional enterprise risk
management--or ERM--programs. Despite the growing threat, many
companies continue to treat cyber risk as an IT problem,
separate and apart from the other business risks they face.
Without including cyber risk within existing ERM programs,
however, they really are not ``doing ERM.'' Consequently, they
often are blind to their true risk profiles and may not be
prioritizing their risk management resources most effectively.
Cyber Risk Culture
Given these obstacles, brokers and underwriters told us that they
generally consider 2 major risk management factors when assessing a
company's qualifications for coverage: Its compliance with available
cybersecurity standards and its risk culture. In so doing, they pay
particular attention to the internal cybersecurity practices and
procedures that a company has adopted, implemented, and enforced.
Several underwriters advised that they focus primarily on risk culture
when assessing a potential insured for coverage--leading them to draft
custom policies for clients rather than more generic ``template''
policies that can be marketed more broadly. Regardless of their
particular practices, practically all of the participants suggested
that DHS should turn its attention next to how companies should go
about building more effective cyber risk cultures.
This made a lot of sense. We started thinking: If a core group of
brokers and underwriters is looking to how companies individually
manage their cyber risk, then maybe we could discover some lessons
learned that might be more broadly applicable to others. We therefore
identified 4 ``pillars'' of an effective cyber risk culture that
appeared to merit a deeper dive. Those pillars included the roles of:
Executive Leadership.--What should boards of directors be
demanding--and doing themselves--to build corporate cultures
that manage cyber risk well?
Education and Awareness.--What messages, training, and
accountability mechanisms need to be in place internally in
companies, among partnering companies, and at a National level
to help create a culture of cybersecurity?
Technology.--How should technology be leveraged to encourage
better cybersecurity practice?
Relevant Information Sharing.--Who within a company needs
what information, and in what formats, to help drive more
effective cyber risk management investments?
Several core conclusions emerged from our discussions:
First, for many companies, the business case for more
effective cyber risk management investment still has not been
made. The key reason for this appears to be that cyber risk by
and large has not been reduced to terms that non-technical
business leaders can readily understand--namely, the financial
costs of cyber events and the potential damages to reputation
for failing to mitigate them adequately. Many of our
participants suggested that to overcome this, companies should
adopt ERM programs that incorporate cyber risk into the vast
pool of other business risks they face.
Second, many of our participants called for more research
when it comes to the costs and benefits of existing and future
cybersecurity solutions. Once corporate leaders engage, they
explained, they will want to know what investments to make to
best manage their cyber risk. In other words, which controls
offer the most cybersecurity bang for the buck?
Third, the participants explained that it probably is
unrealistic to expect the insurance industry to come up with a
one-size-fits-all suite of cyber risk controls that everyone
should adopt in return for more coverage and (eventually) lower
premiums. What the underwriters told us is that they typically
do not spend weeks with potential insureds reviewing and red-
teaming every aspect of their organizations to see what is
happening with their information security. Moreover, they no
longer subject corporate IT professionals to hundreds of
detailed questions getting at the technical and human-based
control aspects of this information. Instead, they usually
survey the companies--asking just 20-25 questions directed at
basic, high-level information security issues to eliminate only
the most ill-prepared companies from coverage consideration.
This third point, however, does not mean that the insurance
industry does not have an important cyber risk management role to play.
On the contrary, what a growing number of strategically-focused brokers
and underwriters look for during the underwriting process, separate and
apart from the insurance application, is how well companies understand
where they uniquely sit in the cyber risk landscape and what they are
doing about their particular circumstances. Put simply, this means:
Do they know what cyber incidents are actually happening to
them based on their own data and reports from outside sources?
Do they know--through public sources and private
conversation--what kinds of cyber incidents are happening to
other companies like them; and
What cyber risk management investments are they making based
on this information?
In other words, these brokers and underwriters are assessing
whether a company exhibits an engaged cyber risk culture--one where
corporate leaders support risk mitigation efforts aimed at the cyber
risks most relevant to their companies. Such engagement serves as a
critical point of differentiation between companies that represent a
safer versus unsafe cyber risk.
action options
During DHS's fourth and final public workshop in April 2014, we
asked our insurance participants how we could best help them work
through some of the cybersecurity insurance market's persistent
challenges. They identified 3 topic areas for further discussion:
Cyber incident information sharing (as opposed to cyber
threat sharing), with a specific focus on the value of creating
an anonymized cyber incident data repository;
Cyber incident consequence analytics; and
Promotion of comprehensive ERM strategies that incorporate
cyber risk.
When we asked how to prioritize this list, the insurance
participants agreed that DHS should focus first on the concept of a
cyber incident data repository--specifically, one that helps meet the
cyber risk analysis needs of the insurance industry, chief information
security officers (CISOs), chief security officers (CSOs), and other
cybersecurity professionals.
From the start, the brokers and underwriters described a repository
notionally as a place where companies could anonymously share their
cyber incident data. That data, they explained, could then be
aggregated and analyzed to increase awareness about current cyber risk
conditions and longer-term cyber risk trends. They explained that this
information could benefit not only the insurance industry with its risk
transfer efforts but also CISOs, CSOs, and other cybersecurity
professionals with their complementary cyber risk mitigation efforts.
The brokers and underwriters emphasized that these professionals should
be central to any future repository discussion. They felt strongly that
if the men and women on the front lines of cybersecurity are not
``bought in'' on the idea, then all the talking in the world would be
for naught. We agreed and endeavored to engage not only insurance
experts but also these day-to-day practitioners who had hands-on
knowledge about cyber incidents and the kinds of analysis that would
help them better prepare, respond, and recover from them. The results
from our initial follow-up conversations testing the waters were
promising:
From the insurance side, we heard that a repository could
help the industry build up the information stores it needs to
better understand the impacts of cyber events, their frequency,
and the optimal controls for mitigating particular kinds of
cyber incidents. Various brokers and underwriters told us that
this knowledge could help them scope and price policies that
contribute more effectively and more affordably to a company's
overall corporate risk management strategy. Many of them
believed, moreover, that a repository one day could help them
provide more cybersecurity insurance at lower rates to clients
that invest in so-called ``best-in-class'' controls.
Repository-supported analysis, they explained, would be
essential for identifying those controls.
For their part, the CISOs and CSOs told us that repository-
supported analysis could help them conduct much-needed peer-to-
peer benchmarking and other activities that could bolster their
in-house cybersecurity programs.
Cybersecurity solutions providers reported that they also
have a critical stake in any future repository. They explained
that repository-supported analysis would likely influence how
the market for new solutions develops. Specifically, they told
us that greater knowledge about longer-term cyber incident
trends will inform the kinds of products and services that they
create to meet the risk mitigation needs of clients across
every industry sector.
the cidawg
In late 2014, DHS approached the Critical Manufacturing Sector
Coordinating Council (CMSCC) to sponsor and identify willing CISOs to
participate in the newly-initiated Cyber Incident Data and Analysis
Working Group (CIDAWG). The CMSCC was immediately supportive of the
repository concept and named several CISOs to the group. DHS also was
very fortunate to be joined by a number of brokers and underwriters
from the previous public workshops who had been strong proponents of
the idea. At the outset, the CIDAWG included about 10 brokers and
underwriters that were among the top thought leaders in the cyber
insurance industry. DHS paired them with approximately 25 CISOs, CSOs,
and other cybersecurity professionals to enter into a sustained
dialogue about 4 main agenda items:
The value proposition for a cyber incident data repository;
The data categories necessary to support repository-
supported analysis that helps companies manage their cyber risk
better;
How to encourage the voluntary sharing of cyber incident
data repository into a repository; and
How a repository should be structured in any proof of
concept stage.\1\
---------------------------------------------------------------------------
\1\ The CIDAWG's conclusions about the first 3 of these topics are
included in a series of white papers available on DHS's Cybersecurity
Insurance webpage, accessible at https://www.dhs.gov/cybersecurity-
insurance.
---------------------------------------------------------------------------
To be clear, DHS is not building a repository. Instead, it is
creating a safe space for people to discuss how a repository notionally
should come together as a place where companies feel comfortable
sharing their cyber incident information anonymously. To do so, DHS
established several ground rules that have been critical to the success
of the project to date:
During DHS's previous public workshops, we learned that
hosting our discussions on a confidential basis helped promote
rigorous debate. We therefore followed suit with the CIDAWG and
held all of our meetings under the auspices of the Critical
Infrastructure Partnership Advisory Council (CIPAC), a
mechanism that allowed us to keep them closed to the public. We
likewise strictly enforced the Chatham House Rule to ensure a
constant flow of conversation among CIDAWG participants.
At all times, DHS also tried to be sensitive to the demands
that the CIDAWG's work placed on its members. They were located
all over the country across every time zone, and we recognized
that their time was extremely valuable. To that end, we
scheduled CIDAWG teleconferences for up to twice a month, for
up to 2 hours at a time. While we scheduled 2 in-person
meetings for the group in the Washington, DC, area during the
year, we did so only with the participants' consent. We also
provided them with several months of lead time so they could
provide notice to their employers and budget and plan for the
meetings accordingly.
The Value Proposition
The CIDAWG's first topic was the value proposition for a
repository. How could it help advance the cause of cyber risk
management and what kinds of analysis would be most useful to the
cybersecurity industry, to CISOs and CSOs, and why? The brokers and
underwriters responded that a repository could help facilitate the
development of cybersecurity best practices that insurers should
require within their policies as conditions for coverage. The CISOs and
CSOs added that a repository could provide the data needed for more
insightful peer-to-peer benchmarking that could help justify--or
modify--existing cybersecurity investments. As they explained, knowing
how a company's peers are faring on the cyber risk management front and
how it compares to them goes a long way toward making the business case
for needed funding. Both groups noted that repository-supported
analysis likewise could help the cyber risk management community
identify longer-term cyber risk trends, allowing for new kinds of cyber
risk forecasting that could help further inform cybersecurity budgets.
In June of 2015, the CIDAWG completed its first white paper that
captured the group's core findings. The paper detailed 6 major value
proposition categories for the kind of repository that they were
envisioning. Specifically, they believed that it could help by
supporting analysis that:
Identifies top cyber risks and the most effective controls
to address them;
Informs peer-to-peer benchmarking;
Promotes sector differentiation;
Supports cyber risk forecasting, trending, and modeling; and
Advances cyber risk management culture.
The Data Categories
In September 2015, the CIDAWG released its second white paper about
the cyber incident data categories that contributors should share into
a repository to deliver on that value. Early on, the brokers and
underwriters explained that they wanted to know more about the types of
cyber incidents that are happening; their severity, impacts, and time
lines; the apparent goals of attackers; effective response techniques;
involved parties; and risk controls that are making a difference.
During the course of our conversations, we asked the CIDAWG
participants to flesh all this out by telling us what value each data
category potentially brings to a better understanding of cyber
incidents; what each one actually means and to whom; which data
categories were the greatest priority, to which stakeholders, and why;
and which of them are actually accessible,
What was particularly gratifying to see was how the CIDAWG members
came to view each data category in relation to at least 1 of the 6
value proposition categories that they had previously identified.
During their deliberations, they asked themselves, ``How does this
particular data category deliver on the value that we're all seeking
together?'' After 3 months of work, this resulted in a very compelling
final list. While the brokers and underwriters were the first to offer
up their ideas--they came up with 16 of their own data categories--the
discussion did not stop there. The CISO and CSO participants identified
their own set of 9 data categories that they believed were essential
from a cybersecurity operations perspective. After sometimes intense
debate and discussion, the CIDAWG completed a final list--
coincidentally, of 16 consolidated data categories--that are a priority
for both the insurance industry and cybersecurity professional
community alike. They include:
Type of Incident;
Severity of Incident;
Use of a Cyber Risk Management Framework;
Incident Time Line;
Apparent Goal(s) of Attackers;
Contributing Causes;
Specific Control Failures;
Assets Compromised or Affected;
Types of Impacts;
Incident Detection Techniques;
Incident Response Playbook;
Internal Skills Sufficiency;
Mitigation and Prevention Measures;
Costs;
Vendor Incident Report; and
Related (Contextual) Events.
Overcoming Obstacles
As a next step, the CIDAWG addressed how private companies and
other organizations could be encouraged to voluntarily share all this
information into a repository. To prepare for this conversation, the
CIDAWG hosted several experts who described already existing and on-
going information-sharing efforts. Our hope was that the CIDAWG would
use these models to propose similar approaches for an anonymized cyber
incident data repository:
Representatives from the Department of Defense (DoD)
provided a very helpful overview of some of the information-
sharing work that is being done by Defense Industrial Base or
``DIB'' companies. Specifically, DoD shared its insight into
how DIB companies have created a trusted information-sharing
environment by adopting a unique way of anonymizing data and
using Non-Disclosure Agreements.
The MITRE Corporation likewise detailed the progress of the
Aviation Safety Information Analysis and Sharing System--the
so-called ``near-miss'' database--that MITRE established and
runs in partnership with the aviation sector. Specifically, the
representative outlined the best practices MITRE had developed
to promote the anonymized sharing of near-miss information by
pilots, flight attendants, ground crews, and others to enhance
flight safety.
The Alliance for Telecommunications Industry Solutions
(ATIS) also shared its experiences in creating a trusted
environment for the confidential sharing of highly-sensitive
network outage information.
In December 2015, the CIDAWG released its third white paper that
identified 8 perceived obstacles to repository sharing and potential
ways to overcome them, many of which had been inspired by these outside
group briefings. The obstacles included:
Assuring Anonymization (prevent data from being traced back
to a particular contributor);
Ensuring Data Security (protect the repository itself from
breaches);
Cultural Challenges and Regional Differences (avoid
potentially skewed data);
Perceived Commercial Disadvantage to Participating in a
Repository (address concern that participation could negatively
impact business operations);
Internal Process Hurdles to Participation (find ways to work
through key reviewers);
Perceived Value of Participation (evangelize the bottom-line
benefits of participation);
Assuring Appropriate, Adequate, and Equitable Participation
(develop a series of benefits available only to repository
contributors); and
Technical Design Issues (make the repository easy to use).
Outcomes
DHS and the CIDAWG are currently planning a public workshop in
April 2016 to obtain feedback on the CIDAWG's white papers.
Specifically, they are planning to dive into the 16 cyber incident data
categories in order to validate them. They also plan to assemble a
panel of experts who will offer recommendations about how a repository
should function during any future proof of concept stage.
While the CIDAWG will likely make a number of recommendations for
next steps based on this input, one of them already is clear: The
Federal Government should not actually own or operate the repository.
While the CIDAWG members reported that they would welcome data from
Federal agencies into a repository, they felt strongly that the private
sector should find its own way during a future repository
implementation stage. At the same time, however, they expressed great
interest in DHS continuing to convene the CIDAWG and any other working
groups to take the work to the next level.
cybersecurity for mid-size and small businesses
As with the CIDAWG, DHS's convening power could provide tremendous
benefit when it comes to helping mid-size and small businesses
struggling with their cybersecurity efforts. By some estimates, the
cybersecurity insurance market today is growing at 30% a year. Brokers
and underwriters alike agree that mid-size and small businesses
represent the next cohort of clients that they need to engage in order
to sustain that growth. While the market already offers cybersecurity
policies geared to these enterprises, they face the same challenge as
their larger counterparts: Managing their cyber risk well over time in
order to qualify for meaningful coverage. Unlike those counterparts,
however, mid-size and small businesses tend to have weaker security
that makes them much easier to attack successfully. It likewise makes
them a prime launching point for attacks against others. As the
``Target'' data breach in 2013 starkly demonstrated, a cybersecurity
failure by 1 small business--in that case, a heating, ventilation, and
air conditioning (HVAC) vendor--can impose hundreds of millions of
dollars in lost income and related litigation and settlement costs.
Mid-size and small businesses are falling behind for several
reasons. As an initial matter, most lack the budgets, expertise, staff,
and time to adequately and consistently address their cyber risks. Many
have concluded--wrongly--that their relative anonymity protects them
from breaches and cyber-related business interruption events. Given
competing business concerns, moreover, still others have simply chosen
not to prioritize cyber risk management very highly. Mid-size and small
businesses accordingly often fail to comply with common cybersecurity
standards that promise real protection through the deployment of
appropriate security infrastructure. A growing number, for example, use
the cloud as a cost-saving measure for their transactions,
unfortunately without strong encryption technology in place. As a
result, these businesses represent the weakest links in the global
supply chain, making them less attractive business partners.
Large companies have awoken to this problem and are increasingly
inquiring of their current and potential supply chain partners about
the effectiveness of their cyber risk management programs. In many
cases, the less-than-stellar answers they receive present a quandary
that raises difficult questions:
How should large companies define and measure ``reasonable
cybersecurity'' for the mid-size and small companies with which
they partner?
Would imposing their own, potentially more costly
cybersecurity requirements effectively put those enterprises
out of business?
Should large companies sever business ties with mid-size and
small vendors and suppliers in favor of others that in reality
may be no more ``cyber secure''?
How and how often should they verify whether a mid-size or
small business is actually complying with cybersecurity
requirements over time and ``course adjusting'' their cyber
risk management investments in response as necessary?
When does the risk of transacting business with a less-than-
secure enterprise outweigh a large company's absolute need for
a unique service or product that that enterprise provides?
Does a cyber insecure organization provide products or
services at such a competitive rate that a larger company
should continue to take a chance through continued partnership?
Part of the answer to these questions is that cybersecurity in
today's hyper-connected world is not like the television game shows
``Weakest Link'' or ``Survivor'' where mid-size and small businesses
should somehow be eliminated or voted off the island automatically
because they suffer a breach or other damaging cyber event. The fact of
the matter is that all businesses--large, mid-size, and small--are
linked through the supply chain. They all are on the same island.
Accordingly, they need to work with each other to survive and thrive in
today's fast-evolving cyber risk environment. Cybersecurity
collaboration among these enterprises has never been more essential.
DHS should consider convening an on-going conversation focused on
this topic. The CIDAWG provides an excellent model for how different
cybersecurity stakeholders--brokers, underwriters, CISOs, CSOs, and
other cybersecurity professionals--can be drawn together to
confidentially discuss shared cyber incident data and analysis
requirements. A similarly-structured dialogue could focus large, mid-
size, and small business attention on the specific approaches and
support structures needed to advance the cybersecurity performance of
all partners across the supply chain.
Brokers and underwriters would have particularly insightful
perspectives to share on this topic given their growing interest in
encouraging better cybersecurity among the mid-size and small
businesses that will comprise a sizable portion of their future client
base. A new working group could assess, for example, how more effective
cybersecurity collaboration among all supply chain partners--through
initiatives like cybersecurity expert exchanges, best-practice
knowledge sharing, compliance automation, and coordination of
cybersecurity investments--might help establish mid-size and small
businesses as more attractive insurance risks. As brokers and
underwriters learn more about which cyber risk controls work for larger
companies, they could become a powerful voice regarding which ones
should be prioritized and adapted to the needs of the vendor and
supplier community. Over time, the group's recommendations could be
developed, shared, and updated through a standing private-public
partnership effort dedicated to this issue.
Thank you. I am happy to answer any questions you may have.
Mr. Ratcliffe. Thank you, Mr. Finan. I now recognize myself
for 5 minutes of questions.
Mr. McCabe, I want to start with you. You know, in having
this hearing and looking at the cyber insurance market more
broadly, as I've talked about, I want to get to a point where
we see a permeation of the market where cyber insurance becomes
commonplace. I'm hopeful that, in the future, we get to the
point that Mr. Finan was just making, where any small business
who sells their products on-line through a public-basing
website would be able to buy appropriate and effective cyber
insurance.
From your perspective, where you are at Marsh, can you see
that happening, and if so, what factors or changes have to take
place for us to get there?
Mr. McCabe. So as I said in my testimony, the takeup rate
increases over the last 3 years have been very healthy double-
digit takeup rates. So I think that what we have here is a very
strong growing market. I absolutely believe that this is going
to become a common coverage for each company to carry.
I think probably one of the limitations right now is that
security dollars are always finite. You have companies that are
assessing, well, do I spend another dollar on a technical
solution, or do I put that dollar towards insurance? Quite
frankly, I think we often face a culture where companies would
prefer technical solutions. But over time we discovered that
there is no silver bullet and that there is always going to be
some residual risk, despite how strong your practices are.
So I think that is what is really driving insurance as a
product today, and I think it is going to continue to grow.
Mr. Ratcliffe. Thank you.
Commissioner Hamm, in your testimony, you talked about the
lack of actuarial data. What that led to, I believe you said,
was that in cyber we see more customized policies, and because
they're more customized, they're more costly. Can you speak to
how additional cyber incident data could be leveraged by
insurance commissioners like you? I mean, does that lead to
more diverse cyber products?
Mr. Hamm. So to begin, to me, where that actuarial data is
primarily going to be used is by the industry itself to get
more of a comfort level in coming up with products, developing
those products. Then as they do that, those products would then
be submitted to State insurance departments to review the rates
and forms. So if those are based on better actuarial data,
there is more of a likelihood that once they reach State
departments of insurance, that those products will then be
approved and then hit the market. So that would probably be my
answer to your question there.
I would say, though, I want to make sure and highlight,
what you said in your opening statement was spot on. This
market is in its infancy, and it is going to take decades
before you get predictably to a fully mature and developed
market. So what this market really needs is time, patience, and
support, and support from folks like you, folks like me as a
regulator, to help with that actuarial data piece so that the
market can grow organically over time. Thank you.
Mr. Ratcliffe. Thank you. I appreciate the comments.
To that point, about aggregating data, I want to shift to
you, Mr. Nutkis, and ask you, with respect to the ISAO model,
when it comes to aggregating cyber incident data, what are the
aspects of it from your perspective that can facilitate this
process, if it can?
Mr. Nutkis. Sure. So we see the ISAO model having a lot of
potential to support both the aggregation of data, but then
also the ability to link the cyber threats that are coming in
through the ISAO through threat catalogues to the bolstering of
the controls framework itself. So it is another feed, as the
actual data is, into strengthening the controls, which
therefore the organizations then have a better security posture
and, hopefully, less residual risk.
Mr. Ratcliffe. Okay. Thank you. Have your members found
that applying for cyber insurance, has it caused them to
bolster their cybersecurity standards? Is that an assumption we
can state?
Mr. Nutkis. So I think what our members have found is that
cyber insurance has become very, very expensive, a lot more
expensive than it was in the past, and that they are, as I
think was mentioned, they are looking at ways to figure out
where they should invest the dollars they have. They have a
pool of dollars. I think what we have demonstrated is, is that
if, in fact, you make good decisions on your cyber controls,
you can reduce your cyber premiums, and therefore you have
better cyber resilience, and you still get cyber insurance.
That's the behavior I think we're trying to drive to, which is
getting people to focus on really minimizing residual risk and
finding ways to more cost effectively do that.
Mr. Ratcliffe. Thank you. My time has expired. I'm hoping
maybe we will do another round of questions. But I will now
recognize the Ranking Member for his questions.
Mr. Richmond. Thank you, Mr. Chairman. I will just pick up
where you left off. Mr. Finan, I think in your testimony you
talked about comparing it to a building fire and fire
suppression devices. But I will tell you, as a person who went
through Katrina and Rita, the two big hurricanes in Louisiana,
after those hurricanes, we as a legislature went in and said,
you know what, maybe we need to reexamine our building codes.
We need to make sure that we require people to build homes that
can withstand winds of X, and da, da, da.
So part of it, I guess, seeps into what we would consider
risk culture. So I guess that, you know, as we talk about you
all identifying companies as they examine their enterprise-wide
risk, the risk of a cyber attack is low on their priority
analysis. How do we or does the insurance change not only
behavior but standards across the whole potential clientele for
cyber insurance?
Mr. Finan. Thank you, Congressman. I think it does. One of
the discoveries that we made during the CIDAWG conversations,
and even in the prior workshops that we held, is that a lot of
this is a cultural problem. You have boards of directors and
senior leaders that are very comfortable with traditional
business risks. They can range from workplace violence to
competition. Cyber risk unfortunately, even in some very large
companies today, have been relegated to sort of the IT
department. Frankly, those aren't people that often talk with
one another.
The CISOs and other cybersecurity professionals that we
were engaging were having a very hard time breaking through.
How did they express what they knew in business terms, chiefly,
the financial impact of a cyber event, and the reputational
damage to a company that could result if a breach or a
vulnerability leading to a breach wasn't properly addressed
beforehand?
I think insurance, though, plays an incredibly valuable
bridging role in that the boards of directors and chief risk
officers and CFOs understand what insurance is about, and they
see the business benefit to it. CISOs are increasingly seeing
it as an avenue to express what they know. One of the great
things about the CIDAWG was that we were able to bring the
insurance industry together with a lot of cybersecurity
professionals who wouldn't again normally speak to one another,
but they started to understand what each other's concerns were,
the underwriters and brokers certainly wanting to sell an
insurance product but also not wanting to take on too much risk
by overextending the policies that they were offering. The
technical expertise of a CISO, once you combine those, you're
really addressing both sides of the same coin.
So I think one of the outputs of the CIDAWG effort is that
you have the insurance industry and the cybersecurity
professional community more in sync and speaking together,
using the same vocabulary to express that business risk that is
cyber risk. So I see insurance as a vehicle to really make
cyber risk more of an enterprise risk management problem, and
it is something that I think should be strongly encouraged.
Mr. Richmond. I guess another part of what I heard today
was the cost and whether, you know, we can--I guess in my
world, I would say actuarially sound. If the actuarially sound
part is something that we focus on, I guess my question would
be, for companies that have not invested in their
cybersecurity, their information technology, and all those
things to make their company stronger to fend off a cyber
attack, is the insurance affordable? For companies who do that
and invest in it, is the insurance affordable?
So I guess my question is: Is this something that small
businesses would be able to afford, and is it something that
our large businesses can afford? Probably Mr. McCabe or Mr.
Hamm.
Mr. McCabe. So cyber insurance is made available to every
size of business. We segment our brokerage depending on the
revenues of the clients, and we have a specific group that are
specifically concentrating on small and mid-size business. You
know, I would estimate that the takeup for small and mid-size
businesses on cyber insurance is somewhere around 20 percent.
That lags behind larger organizations that have more than a
billion dollars in revenue, but still, a very healthy takeup
and still growing rapidly.
As far as the moral hazard issue, I mean, if a company is
not investing in their basic security, I would imagine that
they are most likely not going to invest in the cyber insurance
aspect of it either. I don't think that in the cyber insurance
industry, I don't think that the moral hazard problem is really
applicable. I mean, and that would be in comparison to, well, I
have fire insurance so I am going to leave greasy rags around
the house and I am going to leave highly flammable foods next
to them because, you know, I have my house secured with
insurance now.
I mean, nobody knows how big the breach is going to be, and
nobody knows what the outcome of a cyber breach might be.
Executives could lose their job. You could lose the entire
shop. You know, potentially an entire company could go down
from a cyber breach. That is why it really does need, as has
been spoken on this panel previously, enterprise risk
management, because this is one of those risks that can take an
evenly sailing ship and knock it right off course. I think that
cyber insurance is a piece of the puzzle that supports the
other aspects of risk management.
Mr. Richmond. Thank you. I yield back.
Mr. Ratcliffe. I thank the gentleman.
The Chairman now recognizes the gentleman from
Pennsylvania, General Perry.
Mr. Perry. Thank you, Mr. Chairman.
Mr. McCabe, I am sorry I had missed the opening part of
your testimony, so I don't want to rehash stuff that has
already been gone over, but your last comments kind of piqued
my curiosity. I am a guy that started a business in my mom's
garage. Right. That was a long time ago, and we weren't so
concerned about this at the time. But did you say that there
are policies for every level of business, and at the smaller
level they are based almost solely on the business's income? I
just want to kind of make sure I understand what you said
there.
Mr. McCabe. So premiums are always going to be tied to the
sector of the business----
Mr. Perry. Right.
Mr. McCabe [continuing]. The revenues of the business, and
the security practices. Those are probably the largest 3
determinatives of what a premium is going to be. Yes, I mean
for me, you know, probably if I am involved with putting a
program in place, the limit of a policy is typically going to
be for $10 million for the first primary sold. Right? That is
not going to be true for every company. Smaller companies can
get million-dollar, much smaller policies.
Mr. Perry. Can you give me an idea? You want a million-
dollar policy, as a guy that ran a business, in the scope of
everything else, plant and equipment and employees, and all the
other products that you got. What are we talking about? Is it a
6-month premium? Is it an annual deal?
Mr. McCabe. It is an annual deal.
Mr. Perry. Give me some idea.
Mr. McCabe. To tell you the truth, I am going to be more
solid on premiums for much larger businesses because that is
the class that I handle. But you do have to remember, even from
your question, it is a wide-open question because for the
business that you are running, well, how big is your digital
footprint? How on-line are you? How much do you rely on on-line
presence to conduct your business? What is the manner of your
business? Are you collecting health data? Are you collecting--
--
Mr. Perry. I understand the risk exposure, and I am kind of
asking you how long is the string. But if you could, at some
point after the fact----
Mr. McCabe. Absolutely.
Mr. Perry [continuing]. Give us some kind of idea, based on
some of that criteria, what businesses are looking at just, you
know, so we can kind of be in the game on that.
I want to move on a little bit. Mr. Hamm, how do we ensure
these policies keep up with something as evolving as this? I
mean, you know, I think about upgrades. I used to do P and C
limits, right. So when you upgrade, when you put airbags in, or
you do all these safety systems of an industry moving towards a
certain direction, or sprinklers or whatever, this industry
involves bad actors that are moving in a nonlinear fashion.
They don't announce their intention, and so you don't know what
your risk is day-to-day. How do we keep up?
Do you have any--that almost sounds like an unanswerable
question, too, but you're in the position to have to answer.
Mr. Hamm. I'll do the best I can to answer it. To begin
with, because this line of insurance is still in its infancy,
we are basically at a point where if you have seen one
cybersecurity policy, you have seen one cybersecurity policy.
Right? So my colleagues and I, and there are 11,500 of us in
State insurance departments across the country, we are busy
reviewing the rates and forms that are coming in from companies
looking to sell these sorts of products, and you have about 4
or 5 dozen of those companies out there selling these.
So we are making sure that from a standpoint of a
regulator, that the products that are actually hitting the
market are complying with State laws in the 50 States. In
addition to that, we are reviewing those companies to make sure
that they are financially sound so that they will be there to
pay claims when they come due. Because the only way this market
is going to go from infancy to fully developed is if there is a
comfort level by individuals and businesses and Governmental
entities that what is actually growing and developing in this
country, in terms of a cyber insurance market, is actually
going to be there for the long haul.
Mr. Perry. So that speaks to the lawfulness or, you know,
complying and comporting with what you said the rules and
requirements----
Mr. Hamm. Right.
Mr. Perry [continuing]. And I guess to soundness of the
institution. But it doesn't necessarily get to the issue of an
ever-changing landscape from an actuarial standpoint, from a
risk assessment standpoint.
Mr. Hamm. Which is a big part of why this market is
developing. Even though it is developing quickly, in some ways
it is developing slowly, because they need more and more data
in order to answer the question you are asking.
Mr. Perry. So Mr. Nutkis talked about this a little bit,
and maybe the question should be for him, but I want to stay on
you a little bit. So who should determine the standards? I am
not a big Federal Government guy. I know I am sitting in the
place, but who is determining the standard? If it is the
insurance industry, is the fox guarding the henhouse? Am I
going to be required to report? Is the insurance company going
to--you know, the insurance company that has my policy is going
to want to know my risk exposure. How do we determine, and
should we be determining, the greater risk exposure? I mean,
one thing begets another.
I know there is a whole lot of questions there, but----
Mr. Hamm. Right.
Mr. Perry. Where is the repository of all this information,
and how do you safeguard it? I mean, it is different than
accident crash data or something like that. Right? So how do we
do this for this?
Mr. Hamm. So I am going to do the best I can to answer that
question. From my perch as a regulator, I don't really much
care where the repository of that data is. Okay? I don't care
if it is some arm of the Federal Government, if it is some
private entity. That doesn't matter to me. What matters is that
that data that is actually being gathered is useful, okay, and
it is being shared with me as a regulator so I can do my job.
Mr. Perry. But as a regulator, and it is a guy that this is
your business, this is your livelihood, your passion, your
expertise, what is your recommendation? Do you want another
Federal program?
Mr. Hamm. No.
Mr. Perry. Okay. All right. That's all I needed to do hear.
Thank you.
Mr. Chairman, I yield back.
Mr. Hamm. Thank you for the lifeline.
Mr. Ratcliffe. I thank the gentleman.
The Chair now recognizes the gentleman from Rhode Island,
the Chairman of the House Cyber Caucus, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank you
for holding this hearing. I want to thank our witnesses for
being here today and deeply appreciate your work with DHS and
on this issue, in general.
So we have come a long way since I first started on the
cybersecurity issue back in 2007. We have certainly raised
awareness. We have come a long way in getting everybody, for
example, in the National security apparatus from the President
on down, to understand how challenging and difficult
cybersecurity is, how important it is to the country, how
vulnerable we are in many ways, and very dependent on cyber-
related issues.
Now, of course, what do we do about it? There is a variety
of tasks that we need to take, that we are taking. Some of it
will come through legislation. Others are going to come through
regulation. Others are going to come from this public-private
partnership certainly, which is going to be vital because
Government nor private sector can do this independently on its
own.
Also a role for the FCC. I have met with FCC commissioners
and have written several times to the chair of the FCC, and
they are moving in the direction doing more in this space as
well. The insurance industry also, I believe, has a critical
role to play here. I have met with some of the largest insurers
in the country, both to encourage them to move more into this
space, but also to hear from them and clearly see what they are
doing in this space. They are now writing policies that are
more reflective of the risks that companies face in this area.
Clearly, if you have 2 companies, and 1 is investing
heavily in cybersecurity protections and doing everything they
can to protect customer data and prevent the consequences of a
cyber attack, the policy should be written to reflect that.
Those that are doing very minimal amount, then the policy
should be written and priced accordingly as well. So I think
this is an important discussion.
So, Mr. Finan, I found your testimony very insightful. I
deeply appreciate your work with DHS and thank you for your
commitment to public service. I am wondering if you can clarify
a few things for me. I am certainly very fond of the NIST
cybersecurity framework, and I fully understand the importance
of having a risk-based approach to handling cybersecurity
risks.
That said, as you indicated in your testimony, current
insurance offerings are not typically tailored to liabilities
we tend to focus on in this committee, such as third-party harm
due to an attack on an industrial control system. So, again, I
fully recognize the value of raising the cybersecurity floor,
but I just wanted to make sure I understood your testimony. Did
I get that about right?
Mr. Finan. Yes, I think so. Specifically, to the NIST
cybersecurity framework, Congressman, the underwriting
community especially has been very supportive of it because it
gave a vocabulary and an approach for brokers and underwriters
to discuss cyber risk in a way that everyone was comfortable.
You didn't have to be a technical expert. I think the jury is
still out on what the ultimate impact might be of the framework
because they want to see how usage translates to fewer losses
or less severe losses. So I think that there is a tremendous
potential, but they are taking a wait-and-see approach. I think
NIST is working and engaging with the insurance industry to see
where it may head next.
Mr. Langevin. Okay. Thank you for that. In that case, is it
possible that the floor we are raising is focused on business
risk, for example, to a financial system, rather than on a risk
relating to operational technology, since they are unlikely to
be insured against?
Mr. Finan. Yes. I think insurance can have that floor-
raising impact. The C-suite understands the benefit of
cybersecurity insurance and insurance base, generally. They see
it through business terms, and they see it as an opportunity to
really make that hard decision between, what Mr. McCabe was
talking about, do you spend the last dollar on a technical
solution, or do you transfer the risk through insurance? I
think it is engendering some very healthy conversation between
and among chief risk officers and other senior officials within
companies with their cybersecurity teams. It is bridging that
cultural divide that still remains, for most companies, but it
is a vehicle to finally have that conversation, and I think
that is healthy.
I think they are figuring it out, about what controls
actually deliver value. That is going to be a long-term and on-
going discussion. But insurance is a good umbrella under which
to have it.
Mr. Langevin. One other follow-up on this line of
questioning. Is there a widely-accepted definition of
cybersecurity incident that you found, at least among critical
manufacturers?
Mr. Finan. Not that we came across, and I think it is
because of the newness. People in the industrial control system
space are very concerned about business interruption, obviously
the physical damage that could result to critical
infrastructure, if a hacker were to get in and have that
intent. But because it is new to the insurance industry, as a
concept and a potential area of coverage, they haven't really
defined it too specifically yet. But I think that is why the
kind of collaboration that a group like the CIDAWG was
encouraging is something that DHS should continue, because you
start to move toward those common definitions and vocabulary.
Mr. Langevin. I think that would be helpful, and I am
hoping that we are going to see us move in that kind of a
direction and have that common understanding. I know my time
has expired.
Mr. Chairman, I don't know if you are going to do a second
round, but if you are, I am going to stay. All right. I yield
back.
Mr. Ratcliffe. I thank the gentleman.
The Chair now recognizes my friend, the gentleman from
Florida, Mr. Clawson. By the way, is it too late to offer
condolences on your Boilermakers?
Mr. Clawson. You know, it is a yearly thing, so don't worry
about it. When I see you dunk a breakaway, then you and I can
talk. To be a tough guy, you have to have hit somebody at some
point, right? Thanks for coming. If I knew it would have been a
conversation about basketball, I would have checked your own
credentials.
I am okay with voluntary cyber risk information being
shared by companies. I am all right with that. My own
observation was that most CEOs and boards are all over this.
They are all over this. They know that disaster is right around
the corner, and it is not just financial interruption of
business. It is embarrassment, and customers have a hard time
getting over it. Moreover, a lot of us are business-to-business
suppliers, and we don't have a lot of choice in the matter, to
begin with. So we are part of a larger supply chain that makes
this more complicated, and, moreover, it is an international
supply chain.
The final point I guess I would make is that every ERP
implementation that I have done is unique. I wonder about an
insurance market, I hear actuarial data, and I say, wait a
minute, every time I did an SAP it was a little different.
Sometimes we touched a base code; sometimes we didn't.
Sometimes we integrated with the financials and with the
customers; sometimes we didn't.
So to set up data that is somewhat standardized so that an
insurance industry can make decisions when there is no
standardized data, I will just tell you, from my desk, I don't
know. I don't know. I don't know if that is even practical,
because these things are very, very customized and very, very
unique. That is what they are, because every business is
different. You know, I operated in 20 countries or so, you
know, and all of them had governing bodies. Therefore, all of
my instincts tell me, let the market catch up to itself.
I know if I was going to buy insurance, the only person I
would buy it from is the consultant doing my SAP or whatever it
was, the ERP implementation. To have a third party that is not
involved in my system, that is therefore going to decide
whether he is going to pay me and everybody, not knowing who
messed up on keeping, you know, everything secure, seems like a
very difficult thing to do. So I know what I would do if I was
going to buy insurance from one of these things, and I am
spending 3 to 5 percent of my top line on IT every year, I
would buy it from the guy that helps me put in the system.
Given all that--2 minutes of talking about that--it just
seems to me that we have to let the market catch up here. The
less the Government is involved, the better. You just slow it
down. The data that we collect, in order to have a standardized
kind of approach to this, is not going to be worth a lot
because every implementation of an IT system is unique. So I am
worried about the whole thing that we will try to help, but we
will actually make things different. Do you all agree with
that? I mean, we will try to help, but we will make things more
difficult. Do you all agree with that, or am I missing on that?
Mr. Hamm. Yes.
Mr. Clawson. Anybody disagree with what I just said?
Mr. McCabe. So, of course, not disagree.
Mr. Clawson. If you do, that is okay.
Mr. McCabe. I would want to try and put some bones around
what we are doing going forward. So I know for the data
repository, I mean, there is no ``there'' there yet. It is just
a conversation. I think it is a question of how they reach the
ultimate solution. So to add another layer of complexity for
everything you are talking about, I mean, this peril has been
compared several times to fire; but, of course, we are not
facing a fire here. We are facing an adversarial relationship
that changes tactics and technique. So that can call into
question just how valuable is actuarial data, if the threat is
going to change every time you change your security.
But, you know, one of the things that I did not mention,
but I do want to mention, is this committee, the subcommittee
and the committee and Chairman and this entire Congress, has
done a lot of great work on cyber information-sharing
legislation getting passed this year. We are going to see a lot
more information sharing among many different ISAOs. Right?
So if we are starting to get into this culture where we are
doing much more information sharing, then maybe there is a way
we can glean from that financial impact data that can lead to
trends. That does not have to be a Federal Government solution.
Maybe that can represent value to several different industries,
including the insurance industry.
Mr. Clawson. I am okay with that, if it is voluntary. But I
do want to say to the Chairman, thank you for this. I just want
to make sure people up here that sometimes don't understand the
complexity of what you all are talking about, it is easy to
come to a conclusion that we can make some sort of standardized
impact on a moving target that is beyond complex and that we in
Government don't understand. I just want to make sure you all
get that point. I mean, that is my point to the group. Be
careful on what we try to do here, or we will make a very
difficult situation even worse because the threats are, you
know, so difficult.
Thank you. I yield back.
Mr. Ratcliffe. I thank the gentleman. I'm going to open a
second round of questions for anyone that is interested. I had
a couple of follow-ups that I wanted to make sure we got to
today.
I want to come back to you, Mr. McCabe. Technical
questions. But do insurers generally mandate certain
prerequisites or cybersecurity efforts at all before anyone
could be issued coverage in this space?
Mr. McCabe. I mean, certainly it depends how we define
efforts. But I think the question is--absolutely. You know, if
you find out that you have an applicant who simply isn't using
firewalls because they don't believe in them, then the
insurance market is just simply going to walk away from them.
From a far more practical example, take for instance retailers.
So if you have a retailer who simply is choosing not to be
compliant with PCI standards, it is going to be very, very
difficult to get that particular applicant coverage.
Take that a step further. If you have a retailer who is not
keeping up with the technical standards, the practices that
would have prevented breaches like Target and Home Depot back
in 2014, and that is using end-to-end encryption, that is
tokenizing your data so it is just transaction numbers; it is
not the actual card numbers--if you don't have those state-of-
the-art practices, then it is going to be very, very difficult,
if not impossible, to get that retailer coverage.
So I think, while for most industries there is not a hard-
and-fast rule, because there isn't regulation, because it is
very hard to regulate in this space because things change so
quickly, but there certainly are practices that are required.
Now, there are, of course, certain industries where there is
heavy regulation. There is HIPAA compliance. There is FERC,
NERC standards, CIP standards. I mean, those, of course, you
have to comply with.
Mr. Ratcliffe. So as a follow-up to that, and maybe, Mr.
Hamm, you can weigh in on this as well. Are there certain
common conditions in cyber insurance policies, or in
limitations or exclusions to those policies, that essentially
would undermine the effectiveness of that coverage?
Mr. Hamm. Nothing that I have seen yet. Again, the market
is in such an infancy stage that my colleagues and I haven't
got to a point where we are reviewing so many different rates
and forms that I can give you, you know, an informed answer to
that question.
Mr. Ratcliffe. So when we talk about assessing the solvency
of insurance policies that cover cyber, is there a point, or at
what point do we need to be concerned about U.S. companies
becoming insolvent because of their inability to cover one-off
cyber events of a great magnitude?
Mr. Hamm. So thankfully, we are not there yet, obviously.
That is one of the reasons why the NAIC is so interested in
gathering very granular level data on what this market is
looking like, not just to give us a snapshot of claims,
premiums, losses, et cetera, but to start to tell us if there
are any of these companies that are selling these sorts of
products that may not fully understand the risks they are
taking on and may not be able to pay claims when they come due.
So that is a big part of why we are gathering that data. We
are going to get the first batch of that here within the next
few weeks. We would be happy to provide that to this committee,
once we have it in a form that we can release publicly.
Mr. Ratcliffe. So, Mr. Finan, I want to ask you a question,
because of your experience in setting up the CIDAWG. We have
had this conversation about standing up a data repository of
some type. In your mind, who would be the ideal entity to house
that?
Mr. Finan. I am going to do it in my basement. No. It is a
great question, Congressman. Truly, I think the CIDAWG members
themselves are probably the best equipped to answer that. The
CIPAC meetings that we were holding, the Critical
Infrastructure Protection Advisory Council, we really had not
pushed toward who should own and operate. They were very clear,
however, that the ghost of Edward Snowden still lives, and they
were not overly keen on the Federal Government owning and
operating.
However, they did feel that the Federal Government had an
enormous role to play in terms of convening the conversation so
they themselves could figure it out. They are also very
interested in the Federal Government providing data about cyber
incidents so they could start to get their underwriting
bearings. However, there are a couple of models that are out
there. I know the working group has talked about ISAOs as a
potential model, ISACs as well. I know a number have been
interested in potentially looking at FFRDCs and universities
and similar communities.
But the truth of the matter is, is that this is a needs and
requirements discussion about what is the value of a
repository? What data do you need? Ultimately, what is it going
to get you in terms of better understanding about how to invest
more wisely against the risk? Really, anyone could take these
public documents and decide to build a repository. We really
wanted to lay out the roadmap for them to do that, and I think
the group next month will have some recommendations that are
more specific. But it is really for anyone to read and review
and, hopefully, engage.
Mr. Ratcliffe. All right. Thank you very much. My time has
expired again.
The Chair now recognizes the gentleman from Rhode Island,
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. Mr. Finan, if I
could return to you. I was intrigued by your description of the
aviation industry's near-miss database and its possible
application to a cybersecurity context. So I imagine that a
better understanding of the interconnectedness of critical
infrastructure would be essential to be able to grasp the
consequences if an incident had been a miss in the cyber
world--I should say had not been a miss in the cyber world.
Does that comport with your thinking, and can you suggest
what additional research would need to be done to adopt this
model?
Mr. Finan. So the near-miss repository was something that
really captured the imagination of the working group because at
the outset, the commercial aviation sector didn't believe that
they could actually share very sensitive information among
themselves to find common, you know, safety solutions. But lo
and behold, they did. They were able to create that environment
largely through the development of nondisclosure agreements.
They encrypt data. They had an anonymization protocol. So we
brought them in to come and talk to us about how they did it.
Really, we needed to dispel the notion that a repository would
somehow be impossible to develop.
There were other examples as well. DOD came in and talked
about some of their experiences with creating an anonymization
protocol. There were other groups that, you know, sort-of
talked about how they worked it. None was perfect, but it did
convince folks that, hey, this is potentially doable.
I think the main goal is that when you have a group of
individuals that are facing a shared business problem, and
cyber risk is certainly that, that the people who say no, and
the fear, ultimately has to relent to some kind of sharing. So
the recommendation was, gee, if we could do something like the
near-miss database for the aviation sector, that would get us
closer.
So we had a very in-depth conversation with the organizers
from MITRE who put that together. They, I think, will be
participants in the workshop that DHS is hosting next month,
really to generate ideas. Because some of this information,
some of it is sensitive certainly, but if you can share it at a
generic enough level, the insurance industry and the CISOs that
joined us really felt strongly that that would be enough for
them to get a fix on what needs to be done, and how to direct
their budgets against cyber risk, accordingly. So I am happy to
report that there are these models that can be adopted.
Mr. Langevin. Very good. That is very helpful. Thank you.
Mr. McCabe, and I certainly welcome any of the other
panelists to chime in. Can you describe the claims
investigation, if any, that you conduct following a
cybersecurity incident?
Mr. McCabe. So the broker is usually not responsible for
claims investigation. That will be by the carrier into their
claims or by the company itself by retaining their own counsel.
I mean, typically what happens is there is a cyber breach, and
the first move by the insured would be to reach out to their
attorneys, who will coordinate with the forensics company to
find out exactly what happened and what is the impact. Then
based on that impact, you might have different
responsibilities.
If it has been a breach of personally identifiable
information, then State law requires certain efforts, such as
notifying, credit monitoring, and fraud restoration. Perhaps,
you know, there is an extortion demand in which there is an
entire different set of services that have to go in. Perhaps
there is a business outage in which it is more a forensics
investigation of, well, what has this company actually lost and
what are the expenses that you have suffered as a result of
that business outage?
I think that that is typically how the incident response
comes. But from an investigation into what actually happens
during the claim, that is usually headed up by the carrier.
Mr. Langevin. So in the part of the investigation, as the
carrier is doing this, do they go back and look at, did the
insured do what they said they had done in terms of complying,
say, with NIST standards and such that, you know, obviously
that the policy was written in such a way that the company, the
firm, made certain representations that they raised their level
of cybersecurity protection to X level. Is there a part of that
investigation that does forensics to see if they actually did
what they said they were doing?
Mr. McCabe. Sure. Of course. Ranking Member Richmond
brought this up in his opening statement as well, that during
the application process, you can make representations upon
which the underwriter will rely, and that actually becomes part
of your application. Now, if it turns out what you represented
is not true, that could be grounds for denying the claim. That
is really one of the things that incentivizes the better
practices. You have to let the rubber meet the road on how you
are practicing security. You can't just get the insurance based
on a bad-faith application.
Mr. Langevin. Very good. Okay. Thank you all very much.
Unless there is anything else from the panel on that particular
topic?
Okay. I yield back.
Thank you, Mr. Chairman.
Mr. Ratcliffe. I thank the gentleman. We will let that be
the last word. I thank all the witnesses for your testimony
today and the Members for all of their questions. The Members
of the committee may have some additional questions for any of
you witnesses and, if so, we will ask you to respond to those
in writing. Pursuant to Committee Rule VII(e), the hearing
record will be held open for a period of 10 days.
Without objection, the subcommittee stands adjourned.
[Whereupon, at 11:30 a.m., the subcommittee was adjourned.]
[all]