Cybersecurity Framework Unveiled
By: Judy Greenwald (Business Insurance) March 2014
The federal government’s recommendations to address cybersecurity risks target critical infrastructure industries such as utilities, but the voluntary standards can help any company potentially mitigate legal liability from data breaches or other cyber threats.
The U.S. Department of Commerce’s National Institute of Standards and Technology’s final framework for improving cybersecurity provides a flexible guide that is not unduly specific, experts say.
The guidelines released last month responded to President Barack Obama’s executive order a year ago, citing “repeated cyber intrusions” that are “one of the most serious national security challenges we must confront.”
In another move regarding cyber threats, U.S. Attorney General Eric Holder last week called on Congress to establish a national standard to alert consumers whose information gets exposed by cyber breaches. Experts say it would be a major challenge to implement such a standard since there are 46 differing state laws on the issue.
Meanwhile, “the NIST standards are definitely a step forward because they’re so broadly applicable and they’re a standard set up by the government,” said Tom Reagan, New York-based large-risk underwriter of breach response insurance at Beazley P.L.C. The framework looks beyond prevention to how to respond to data breaches, he said.
“It’s helpful that they’re taking a risk-based approach, rather than imposing any kind of an inflexible and uniform set of standards that applies to all in the same manner,” said Oliver Brew, New York-based vice president of professional liability at Liberty International Underwriters, a unit of Liberty Mutual Holding Co. Inc.
With this federal cybersecurity framework, “an organization can ask itself a set of questions and start to see where they are,” where they aspire to be and “what they need to do to get there” to protect against cyber risks, said Toby Merrill, Philadelphia-based vice president of Ace Professional Risk, a unit of Ace Ltd.
It provides guidelines for companies to look at their cybersecurity structure critically, said Joe DePaul, managing director of cyber risk services at Arthur J. Gallagher Risk Management Services Inc. in Parsippany, N.J.
Ben Beeson, a London-based partner at Lockton Cos. L.L.P., said the NIST standards will help insurance buyers “get their arms around what is a very tricky new area of risk.”
The U.S. Department of Homeland Security in particular “has done a really nice job in engaging” in a dialogue with the insurance industry regarding the cybersecurity standards, said Catherine A. Mulligan, senior vice president and head of specialty errors and omissions at Zurich North America.
Experts say noncritical infrastructure firms also should adopt the NIST framework.
For companies that have made “a significant effort” to meet the government’s recommendations and then have a data breach, courts are unlikely to find them negligent, said Richard J. Bortnick, a shareholder at law firm Christie, Pabarue & Young P.C. in Philadelphia.
George Allport, Warren, N.J.-based vice president and worldwide product manager for financial institution bond products at Chubb Corp., said while many organizations may not consider themselves part of the critical infrastructure, they may in fact be a smaller contractor dependent on such a firm. In the cyber world, “you have no way of knowing if you’re below the radar,” he said.
Some experts think insurers will use the federal recommendations to evaluate risks in their cyber policy underwriting.
“I could see insurers using this as a yardstick,” said Michael R. Overly, a partner at Foley & Lardner L.L.P. in Los Angeles.
The NIST framework “will increase the need for insurance because it’ll clarify a cybersecurity standard of care that more companies will have to fulfill,” said Matt McCabe, New York-based senior vice president at Marsh L.L.C.’s network security and privacy practice.
“I see this also as a period of almost a unique opportunity to have the insurance industry take a leadership role in driving the voluntary compliance,” said Alan E. Brill, senior managing director of secure information services at New York-based Kroll Associates Inc.
While the NIST framework may help insurers understand a company’s cyber risk profile, this will not necessarily be transmitted directly into the underwriting process, Mr. Allport said.
Kevin Kalinich, Chicago-based global practice leader for cyber risk insurance at Aon Risk Solutions, said insurers generally price cyber coverage based on companies’ business and size. Audit standards for cyber exposures also already are available, but insurers do not use them in underwriting, he said.