December 14, 2022
Comments of the Cybersecurity Coalition
To the Federal Insurance Office, Department of Treasury
Potential Federal Insurance Response to Catastrophic Cyber Incidents
The Cybersecurity Coalition (the Coalition) submits the following comments in response to the Federal Insurance Office’s (FIO) Request for Comment on Potential Federal Insurance Response to Catastrophic Cyber Incidents. 1 The Coalition appreciates the opportunity to provide input.
The Coalition is composed of leading companies specializing in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies. 2 We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management. We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.
Overall, the Coalition is supportive of FIO's efforts to engage the cyber insurance industry one exploring the potential benefits of "catastrophic" cyber insurance. As with other insurance applications, cyber insurance provides a powerful stabilizing force that overlays the existing cybersecurity domain. In particular, insurance encourages policyholders to utilize strong cybersecurity standards, controls, and best practices in the face of a third-party risk assessment and provides enhanced access to mitigation and response resources in the event an incident does occur.
The Coalition, representing a breadth of cybersecurity industry stakeholders, would like to especially provide its input on question seven of the RFI, which focuses on the details of a potential implementation of a federal insurance response.
The FIO has an opportunity to drive better safety and security standards in the context of catastrophic cyber insurance. The FIO should ensure underwriting is driven by data on the policyholder’s due diligence, rather than solely market-driven. The risk assessment and due diligence process of the insurer must require the policyholder to meet some minimum level of cybersecurity competency reflective of their risks. Simply raising the price of a policy for inadequately protected entities is insufficient, and results in critical security decisions being relegated to an overly simplified cost-benefit comparison. As the consequences of cyber incidents become more likely to impact disparate parties who may not even be aware of their connection to the policyholder, a wholly market-driven calculation is unlikely to correctly capture potential risk. Requiring a baseline level of risk-based security ensures that the underwriting process encourages strong cybersecurity practices that can help mitigate the severity of a catastrophic cyber incident, should one occur.
With this in mind, the Cybersecurity Coalition recommends that this due diligence and risk assessment process be based on widely recognized standards and controls for cyber risk management. Many of the common standards in this domain already have significant activity, expertise, and tooling around them, and insurers should have the flexibility to choose the standards appropriate for the prospective policyholders. As an example, the National Institute of Standards and Technology (NIST) has published the Framework for Improving Critical Infrastructure Cybersecurity (The Cybersecurity Framework or CSF), which has become an industry standard for managing an enterprise’s cybersecurity risks. 3 The CSF represents a broadly applicable baseline of security, but there are a number of specialized standards that may provide adequate frameworks of controls for specific domains or industries. Another example is the Center for Internet Security’s Critical Security Controls, which are used in the insurance industry as a framework for discussing security controls. 4 Defining the minimum requirements for underwriting around a combination of CSF compliance and industry-specific standards incentivizes and encourages positive cyber security practices and mitigates the potential that market forces will not adequately encourage strong cybersecurity practices. By requiring baseline cyber risk management processes that reflect well-established standards and best practices, FIO can ensure companies perform appropriate due diligence, drive stronger risk management across the market, and help ensure the nation is more resilient against a catastrophic cyber attack.
* * *
Should you have any questions, or if we can assist in any other way, please contact Harley Geiger atHLGeiger@Venable.com.
Respectfully submitted,
The Cybersecurity Coalition