As part of an initiative to develop a national cybersecurity framework, Lockton experts participated in a discussion on cybersecurity on August 26, 2013. Ari Schwartz, a Director for Cybersecurity Privacy, Civil Liberties, and Policy on the White House National Security Staff, invited select members of the insurance brokerage community to meet at the White House. Michael Born, Laurie Schwarz, and I were honored to represent Lockton.
In February 2013, President Obama issued an executive order outlining steps to protect critical U.S. infrastructure from cybersecurity threats. This effort will result in a voluntary cybersecurity framework outlining standards, procedures, and processes to address cybersecurity risks while balancing policy, business, and technological concerns.
At the meeting, Lockton’s Michael Born led a discussion about how the insurance industry could help develop the framework and how the government agencies could help the insurance industry and our clients with cybersecurity issues.
Some government officials perceive that the cyber insurance market is largely commoditized, like auto insurance. For some, the view is, “adopt the framework and lose 10% from your premium.”
We explained that it’s not that easy. But the cybersecurity framework can be a roadmap to help broaden coverage and capacity. It may also help us address cyber risks that are uninsurable today. That’s what makes the discussion and effort exciting for us and, ultimately, beneficial for our clients.
The White House is not proposing legislation mandating cybersecurity standards. Instead, it is seeking broad support from the private sector in general, and from insurers and brokers in particular.
Additional topics of discussion included:
- Should cybersecurity insurance be required in order to comply with the framework?
- What incentives could be in place to encourage adoption of the framework?
- Does there need to be a Federal backstop or reinsurance program to encourage more insurance companies to offer coverage?
- What types of cybersecurity coverage are missing or are in short supply and how can we increase capacity?
- How can we encourage insurance companies to share loss and threat information to provide more actuarial data and help focus prevention and coverage where the risk is greatest?
- How can the cybersecurity insurance industry help develop standards for the five top-level cybersecurity functions – identify, protect, detect, respond and recover?
- What are other sources of information that can be tapped to increase threat awareness?
What do you think about these ideas? How can and should the private sector and government officials work together on this cybersecurity framework? I’d welcome your thoughts.
Read the draft of the framework.