On September 10, the National Association of Insurance Commissioners (NAIC) co-sponsored a cybersecurity forum at the Center for Strategic and International Studies in Washington, DC. Featuring an impressive line-up of senior government officials and knowledgeable experts, the forum aimed to increase understanding of the escalating threat environment, emerging best practices in cyber risk management and the important role that cyber insurance plays in mitigating cyber risks.
Sarah Raskin, deputy secretary of the U.S. Department of the Treasury, opened the program with a powerful keynote address setting out the changing nature of cyber risks as society becomes more interconnected and digitized through social media and the Internet of Things, and as threats become more malicious. She discussed the role government can play in identifying and deterring attacks, as well as the critical role that the private sector and individuals must play in risk mitigation and vendor management. Deputy Secretary Raskin also stressed the importance of the insurance sector in developing cyber insurance and noted how the underwriting process itself can bolster the nation’s cyber defenses.
The first panel of cybersecurity experts related the ominous changes in the cyber threat landscape and the seeming capacity of rogue nation states to aggregate data on every U.S. citizen and organization for nefarious purposes. Characterizing the cyber landscape as an “aggressively predatory environment,” panelists stressed how cybersecurity must be a “deep and immediate concern” for everyone in business, and that businesses must adopt “intelligent courses of action to mitigate the risks.”
One speaker described how his security rating firm has developed FICO-like scores on more than 31,000 organizations that can be used to vet vendors and that are being used by large insurers in underwriting cybersecurity insurance risks.
Concerns were raised about the growing use of social media and the Internet of Things in commerce without the necessary cyber guardrails to protect the integrity of highly sensitive business and personal data. Other panelists discussed the importance of vendor management and the difficulties that the predatory threat environment presents for small- to medium-sized vendors. One state regulator commented on the underinvestment in cybersecurity by state governments and commended the NAIC for its focus not only on the private sector but also on state-level deficiencies. The critical need for companies to share evolving threat information and best practices in cyber risk mitigation was also discussed.
Suzanne Spaulding, under secretary for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, gave the second keynote address, which focused on the diagnostic and mitigation tools being developed at the NPPD to share cyber threat indicators in real time and to encourage more information sharing between and among the government and the private sector. She stressed the need for faster detection, more effective responses and prompt recovery, and identified the importance of developing a robust cyber insurance market.
During the second panel, Insurance Commissioner Adam Hamm (N.D.), chair of the NAIC Cybersecurity (Ex) Task Force, identified the major work streams of the Task Force, including its work on revising the NAIC’s privacy models, Model Law No. 670 (NAIC Insurance Information and Privacy Protection Model Act) and Model Regulation No. 672 (Privacy of Consumer Financial and Health Information Regulation), and updating financial examination protocols to assess cybersecurity preparedness.
John Carlson, Chief of Staff at the Financial Services Information Sharing and Analysis Center (FS-ISAC), discussed the importance of sharing threat information and tabletop exercises that lead to the development of best practices through engagement. Vendor management was again noted as a difficult challenge, while cyber insurance was identified as an important part of the tool kit for effective cyber risk management. Matt McCabe from Marsh discussed the assessment tools and stochastic modeling on data exposures being developed. He described the cyber insurance underwriting process as a deep dive into the company’s cyber preparedness that can introduce fixes to the company’s cyber vulnerabilities and be part of the solution influencing change. Other speakers noted that big data analytics can increase the motivation of hackers to attack, and predicted that the next generation of attacks will revolve around the Internet of Things and social media devices that are “always on.”
NAIC CEO Senator Ben Nelson offered closing remarks, commending the NAIC for its work in developing the tools and resources state insurance departments need to protect consumers.