More Incident Data Needed for Cybersecurity Insurance


By Jimmy H. Koo

March 22 — The cybersecurity insurance market is still in its infancy, but greater availability of incident data to strengthen underwriting may encourage further carrier participation, Marsh LLC Senior Vice President Matthew McCabe told a House Homeland Security subcommittee March 22.

Just as purchasing home insurance can incentivize homeowners to invest in protecting their homes, the same could be true for companies looking for cybersecurity insurance, House Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee Chairman John Ratcliffe (R-Texas) said in his prepared opening statement.

The hearing on “The Role of Cyber Insurance in Risk Management” was called to examine the potential opportunities to promote more effective management of cybersecurity risks and adoption of cybersecurity best practices.

Benefits of Cybersecurity Insurance

During the past decade, the U.S. has witnessed “an astonishing evolution” of cybersecurity risk “that continues to grow in size and sophistication,” McCabe said. Citing a recent cyberattack against a Ukrainian power grid, McCabe said that the threat to critical infrastructure from the “exposure of cyber physical systems has quickly morphed from speculative, to rumored, and now actual events.”

Further, McCabe said, the “incessant stream of data breaches” targeting U.S. companies has increased cybersecurity insurance purchasing in industries that aggregate customer data, including financial institutions, retailers and health-care providers. There's a “double-digit take up rate,” McCabe said. Cybersecurity risks “will become a common coverage area,” he added.

According to McCabe, the benefits of purchasing cybersecurity insurance extend beyond reimbursement for financial loss. “Cyber insurance has evolved into a product that serves as a key touchpoint for an organization to assess its cyber practices and coordinate its incident response plan to cyber incidents,” he said.

Testifying at the same hearing, Health Information Trust Alliance Chief Executive Officer Daniel Nutkis echoed similar sentiments. Cybersecurity insurance is becoming expensive and companies now know that better management of cybersecurity risks means less premium, he said. “There's a drive to focus on minimizing residual risk,” Nutkis said.

Lack of Actuarial Data

One of the major obstacles that continues to prevent insurers from providing more cybersecurity coverage is the “ongoing lack of actuarial data,” Ark Network Security Solutions Chief Strategy Officer Thomas M. Finan told the subcommittee. There's a lack of a “consistent source of raw cyber incident data” that the insurers could use to get their underwriting bearings, Finan said in his prepared statements.

North Dakota Insurance Commissioner Adam W. Hamm agreed.

“Cybersecurity risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data,” he said. In the absence of such data, insurers use qualitative assessments of an applicant's risk management procedures, he explained. From a regulatory perspective, he said, “we would like to see insurers couple these qualitative assessments with robust actuarial data based on actual incident experience.”

Greater availability of cybersecurity incident data could also push the insurance industry to introduce “solutions to close gaps in current coverages and to determine how best to detect and mitigate future incidents, or to reduce incident response times and facilitate recovery,” according to McCabe.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

Further information on the hearing, including links to witness prepared testimony and an archived webcast of the hearing, is available at
