U.S. Sen. Jerry Moran (R-Kan.), chair of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, held a hearing March 19 titled "Examining the Evolving Cyber Insurance Marketplace." The hearing explored the growing cybersecurity risk insurance market and heard from experts about coverage, challenges, and opportunities in the industry and the impact on cybersecurity.

The March 19 event followed two previous hearings that were held last month on the same topic. The first one, "Building a More Secure Cyber Future: Examining Private Sector Experience with the NIST Framework," examined the federal National Institute of Standards and Technology (NIST)'s partnership with the private sector to improve critical infrastructure cybersecurity. (NIST's continuing role in cybersecurity was defined in the Cybersecurity Enhancement Act of 2014.) The second hearing, "Getting It Right on Data Breach and Notification Legislation in the 114th Congress," provided the Committee with more information to assist its efforts in drafting a federal data breach bill.

Joining a distinguished roster of previous industry experts, the witnesses were

  • Ben Beeson, vice president, Cyber Security and Privacy, Lockton Companies,
  • Catherine Mulligan, senior vice president, Management Solutions Group, Zurich North America,
  • Ola Sage, chief executive officer, e-Management, and
  • Michael Menapace, counsel, Wiggin and Dana LLP; Adjunct Professor of Insurance Law, Quinnipiac University School of Law.

Not just a financial instrument

In his testimony, Beeson pointed out that cyber insurance is an important market force that can drive improved cyber security for companies, which will lead to improved protection for consumers and the nation as a whole. In his view, cyber insurance should not be seen as "just a financial instrument to transfer risk from one balance sheet to another." He believes it will provide incentives for companies to understand and mitigate their risks.

Beeson also noted that, just as companies invest in workplace safety to reduce workers compensation costs, sophisticated companies also will invest in stronger cyber security. In turn, those companies will experience fewer losses, insurers will see fewer claims, and companies' premiums will be lower.

"Simply engaging in the process of seeking cyber insurance coverage can assist businesses to develop the correct approach to mitigate risk," Beeson said. Insurance can bring all relevant stakeholders in an organization together, encouraging an enterprise-wide risk management approach.


The cyber insurance market

In her testimony, Mulligan explained that cyber insurance is quickly becoming a need for commercial customers; however, it faces challenges as a new market. Some are simple, such as capacity and pricing, which are in flux as the industry grows and learns of new challenges. Others are more complex.

Mulligan also said that "a privacy and security event," which she describes as the more accurate term of cyber insurance, also can be caused by something like improper disposal of records, which can trigger multiple types of claims for multiple insureds within one company, and even cause physical damage to a manufacturer or utility. Multiple lines of business also can be impacted as the result of a cybersecurity event. She cited the example of a significant breach to a public company that might result in a stock drop, which in turn could lead to a derivative suit filed as a claim under Directors & Officers Liability Coverage.

Currently, the buyers of cyber insurance are in a few key industry sectors: healthcare, financial institutions, technology and retail. Generally, the companies that buy cyber insurance are large organizations with annual revenues of more than $1 billion.


Cost drivers for cyber insurance

Although third-party lawsuits are still a factor insurers consider in the way they draft policy wordings and price the coverage they offer, Menapace said, data breach response costs have increased in importance. Most costs involve responses to the data breaches, including credit monitoring at no cost to consumers. Initial crisis service costs, however, account for about half of all data breach costs. Breach response services include technical forensic investigations, attorney oversight, breach notification to and credit monitoring for affected consumers, call centers and public relations services. The other half of the costs go toward legal defense and settlement, regulatory response and defense, regulatory fines, and fines imposed by credit and debit card issuers.

Menapace also said that, as of March 19, there are 47 states, plus Puerto Rico, Washington, D.C., and the U.S. Virgin Islands, that have requirements for notifying customers and the state attorney general after the unauthorized access of personally identifiable information or protected health information. But the state requirements aren't uniform in terms of when they're triggered and what information must be contained in the consumer notices. As a result, lawyers and other advisers have to analyze 47 sets of requirements to deal with a data breach—a costly endeavor that a nationwide standard could help.


No standard coverage terms

Both Mulligan and Menapace pointed out that there is no standard insurance policy language for cyber insurance. The Insurance Services Office, Inc. (ISO) recently published cyber coverage terms, but Menapace is not aware of any insurer that has adopted the ISO policy terms or has plans to do so in the near future. Mulligan noted that privacy events may be triggered by an analog event such as improper disposal of paper records containing personally identifiable information, for example, not just a computer virus or similar "attack."

Among the approximately 40 insurers that offer cyber insurance, there are some with significant experience and policy language developed over more than a decade of writing coverage. Other, newer entrants into the cyber insurance market and some who are looking to differentiate themselves from their competitors have their own policy language that Menapace explained has not been tested to the same extent as the policy terms used by the insurers with more mature books of business. What can be challenging for some insurers is making sure they have enough data to make prudent underwriting decisions when they sell policies.


Public/private partnership

Beeson, Mulligan and Menapace all were positive on the idea of a public/private partnership between NIST and the insurance industry to create a framework—but not mandate standards—that companies had to meet. Beeson observed that such a partnership, with the possible formation of a data repository to house anonymized enterprise loss information, would "accelerate the growth of the marketplace, and crucially accelerate the ability of cyber insurance to act as a market incentive for industry to invest in cybersecurity."

Encouraging a private/public partnership, Mulligan said that the scope of the challenge is too broad to be solved by the private sector alone, and welcomed involvement by NIST. Not all losses from a cyber attack will be or even could be covered by an insurance policy. The market is new and evolving daily, she said, which will require time to fully mature. "The scope of the exposures is too broad to be solved by the private sector. Not all causes of loss can be transferred to an insurance policy."


Suggestions on data sharing framework

In Mulligan's view, data sharing might need to take a few different forms, for example, sharing cyber event data, such as attack vectors and scope, and cyber insurance data, such as claim and underwriting information by sector. The potential upside of these discussions, she said, is that more comprehensive information will assist insurers in developing both coverage and risk management solutions and best practices for customers.

Menapace agreed that a nationwide database or clearinghouse for data breach information, specifically recording how each breach occurred and who was responsible for the breach, could be helpful to the insurance market generally and to businesses that are implementing their own data protection practices, processes and protocols. He also noted that the "prioritized, flexible, repeatable and cost-effective approach" of the NIST Cybersecurity Framework helps owners and operators of critical infrastructure manage cybersecurity-related risk.

But, Menapace said, any data protection guidance or framework must be industry specific and the industry standards must remain flexible to accommodate the size of the company, the data at issue and technology as it emerges. A partnership between the government and private industry could accelerate the development and adoption of flexible guidelines that will, ultimately, benefit consumers without restricting innovation.

The Senate subcommittee is expected to continue hearings. We'll bring you more information on the topic of cyber insurance as it develops.

Editor's note: As of press time, Ms. Sage could not be reached for comment.


Rosalie Donlon

Rosalie Donlon is the editor in chief of ALM's insurance and tax publications, including NU Property & Casualty magazine and NU PropertyCasualty360.com.