It has become commonplace for the news to be peppered with accounts of data breaches affecting a wide range of entities, from large retailers, to motion picture studios, to the federal government. Unfortunately, the increasing frequency of the events has not yet led to an insurance industry standard for affordable, robust and effective coverage for cyber incidents.
To address the gap in insurance coverage, as well as the broad spectrum of harms arising from cyber incidents, the Department of Homeland Security (DHS) has established the Cyber Incident Data and Analysis Working Group (CIDAWG). The CIDAWG recently published the first of a series of white papers on the possibility of establishing a national data repository where cyber incidents can be reported and collected in a uniform and central way.
Such a data repository would increase information sharing among the “Federal government, enterprise risk owners, and insurers” with the goal of enhancing risk mitigation strategies and “also improve and expand upon existing cybersecurity insurance offerings.” One of the obstacles to establishing insurance coverage for cyber incidents is a lack of data needed to inform “actuarial calculations and related underwriting considerations by insurers.” The repository would seek to close that information gap. As it stands, certain industry groups have methods to share information about cyber incidents within the industry group, but there is no centralized way to share the wealth of information that companies have about hacking activity, but are understandably reticent to share.
The CIDAWG’s first white paper concludes that there is value to policyholders if the repository is structured the right way. Its next white paper will address what cyber incident “data points” should be included for evaluation.
Interestingly, though perhaps not surprisingly, the white paper notes that “[t]here are currently no plans for DHS or other Federal departments or agencies to build or manage such a repository. A resulting repository could potentially be managed by a private organization.”
If this idea continues to gain traction, it will be a positive development for policyholders as a productive step in allowing insurers to provide informed and effective cyber incident insurance protection.
Emily Breslin Markos is an associate at Weisbrod Matteis & Copley PLLC, where she focuses her practice on commercial litigation and insurance coverage counseling and litigation for policyholders. She received a B.A. from Brywn Mawr College in 2004 and graduated magna cum laude from Rutgers University School of Law – Camden in 2010. She can be reached at email@example.com or 267.262.5589.