The team developing the cybersecurity framework that President Obama ordered is considering incorporating cyber-insurance as a component of the plan, says NIST Director Patrick Gallagher.
But Gallagher and others addressing the cybersecurity framework say the cyber-insurance marketplace hasn't matured to the point where large, critical infrastructure operators can transfer a significant portion of their cyber-risks to insurers [see NIST Unveils Draft of Cybersecurity Framework].
"You need to monetize the risk; this comes down to measuring and understanding and developing an actuarial basis for this risk to be embedded into the market," Gallagher said at a July 25 hearing on the cybersecurity framework held by the Senate Commerce, Science and Transportation Committee. "This discussion has come up quite frequently in the framework process, and I think as part of the metrics discussion this is something being looked at and something that would be quite helpful."
Limits of Cyber-Insurance
But witnesses testifying at the hearing, none of them from the insurance industry, expressed doubt that insurers can take on the risk of insuring against the most catastrophic attacks envisioned, at least not by the time the cybersecurity framework is issued in February. A draft of the framework is due in October.
President Obama, in an executive order, ordered the National Institute of Standards and Technology to lead a government-industry initiative to create a cybersecurity framework of best practices that the owners of the nation's critical infrastructure could voluntarily adopt [see Obama Issues Cybersecurity Executive Order]. The leaders of the Senate panel have introduced legislation to codify Obama's executive order [see Bill Endorses Obama Cybersecurity Plan]. A committee vote on that bill could occur as early as the coming week.
At the hearing, Sen. Richard Blumenthal, D-Conn., questioned why the insurance marketplace isn't ready to handle massive claims from devastating cyber-attacks when it insures against calamitous storms, which in the past few years have created economic disruptions in parts of the country.
"The [cyber] threat has been here for well long enough to monetize and do the actuarial accounting," said Blumenthal, whose state is headquarters for a number of insurers. "The insurance companies are very mindful about the potential threats of hurricanes in the Northeast, which are about as difficult to monetize as I guess that of the cyberthreat, in fact more so, because we know the cyberthreat is there; we know some of the damage that can be caused."
Protecting the IT Environment
But Art Coviello, chief executive of the security firm RSA, disputed Blumenthal's assessment, saying it's more difficult to create actuarial tables and algorithms around cyber-incidents than around natural disasters, for two reasons: ever-changing computing platforms and the escalating amount of data being created. "The complexity of protecting the fast-changing IT environment is overwhelming," Coviello said. "That's why the framework is so important."
It's not just the increasing sophistication of attackers but the attack surface - the platforms businesses operate on - that presents a challenge. "The iPhone didn't even exist till 2007; six years later we have full mobile ubiquity," Coviello said. "We used very few web apps to run our businesses as recently as 2005, 2007; now, the common refrain is, 'There's an app for that.' In another six or seven years, we'll be using big data applications to monitor everything about us and the world around us."
Another challenge Coviello sees in monetizing potential losses from cyber vulnerabilities is the stratospheric amount of digital content being generated, in quantities unimaginable just a few years ago. "There was a quarter of a zettabyte being created in 2007," said Coviello, who calculates that one zettabyte is the equivalent of 4.9 quadrillion books. "This year there will be 2 zettabytes. By 2020, there will be 40 to 60. That amount of content needs to be sorted through to determine what exactly needs to be protected."
That makes valuing losses from cyber-attacks and vulnerabilities difficult to calculate. Insurance is a risk-transfer tool where someone else - the insurer - absorbs some of the risk. For that to occur, both parties need to understand the risk and determine its value.
Few Comprehend Consequences of Risk
"Many of the people who face the risk don't have a good estimation of what it really means to them, what the consequence will be and the likelihood and frequency of those events occurring," said Mark Clancy, chief information security officer and managing director of technology risk management at Depository Trust and Clearing Corp., a clearing and settlement services company. "We use cyber-risk insurance for the risks that are smaller. The catastrophic risks that we can face, if these issues escalate to a point where they become manifest, are really beyond the ability of the insurance industry to absorb right now. We have to look at making sure those things don't occur."
That's why risk management - and ultimately cyber-insurance - is seen as an important component of the cybersecurity framework. Indeed, Gallagher said the cybersecurity framework to be published in February won't be the final word on best practices. Coviello picked up on that theme: "We need a security model that has legs; we need a security model that's future-proof. That model, starting with a federal understanding of risk, is an ongoing process."
For information about efforts to create a healthcare-specific version of the framework, see: Tailoring NIST Framework for Healthcare.