Lawmakers have been unable to pass legislation to deal with the stream of hacks at major stores and websites, but the government may be able to do some good by helping out the insurance market.
Analysts and brokers say the federal government should do more to help bolster the market for cybersecurity insurance, which would lead to stronger networks and make people’s data harder to steal.
Cybersecurity worries are growing following the theft of celebrities’ nude photos, a hack at Home Depot that may have exposed tens of millions of people’s credit card information and a breach of HealthCare.gov. Industry supporters hope the time is right for the country to take a new look at their offerings.
“These are unfortunate events but they of course increase awareness and one of the natural questions that come out of that increased awareness is what can I do to insure against this type of event if it happens to my company?” said Matt McCabe, a senior vice president for network security and privacy at Marsh, a major insurance broker.
Cyber insurance legally protects companies after a data breach, covers their expenses as well as profits that are lost in responding to the hack and provides for credit monitoring — as many companies do for people whose data has been breached.
More importantly, supporters say, the insurance also requires companies to take stock of their security systems and get them up to snuff — or else pay more.
Advocates say that can be a safeguard in itself.
“The number one thing to think about when you think about cybersecurity insurance is the point is not just to insure people against the risks. The point is to internalize the cost of bad cybersecurity practices,” said Eli Dourado, head of the technology policy program at George Mason University’s Mercatus Center.
“If I am a company and I buy cybersecurity insurance, if I have bad security practices then my premiums are going to go up," he added.
Officially, the Obama administration is supportive of cyber insurance.
The Department of Homeland Security has held multiple workshops and roundtable discussions to try and expand the market, which is still growing.
Last year, the White House suggested that it could work with the insurance industry to spur companies to hop on board with a voluntary cybersecurity framework designed to protect critical infrastructure sectors like utilities and banks.
But when that framework was released this February, the idea of insurance was nowhere to be found.
One way the government could spur growth in the market is by buying cyber insurance itself, suggested Dourado. That idea may be appealing after recent news that a hacker broke into a test server for HealthCare.gov and planted malicious software designed to attack other networks.
“If federal agencies were required to buy insurance against breaches... they [would] have an incentive to really evaluate their security practices in terms of the bottom line,” Dourado said.
Short of that, federal agencies could at least make the insurance mandatory for its legions of contractors, said Wylie Donald, a lawyer at the McCarter & English law firm.
“Why doesn’t the government put in a cyber insurance provision in those contracts?” Donald said. “Or why doesn’t the government tell its contractors, ‘Hey, we will pay for cyber insurance if you buy it, as part of our contract.’”
At the very least, he said, the government could at least talk about it more positively.
In some instances, government officials have “belittled” the idea of insurance and have been “just shunting it aside,” he said.
“’It’s the ugly stepchild that we know it’s here but we don’t want to talk about it,’” he added, characterizing the government’s attitude.