The insurance industry has a key role to play in helping U.S. companies strengthen cybersecurity, a senior Treasury Department official said Thursday.
At a time when Congress is struggling to pass cybersecurity legislation and as the number of computer intrusions surges, “insurers can move the needle,” Deputy Secretary Sarah Bloom Raskin said at a Washington think tank.
Her speech reflected how the Obama administration is trying to enlist a range of sectors and use a variety of tools to combat the cyberthreat. Meanwhile, on Capitol Hill, senior security officials testified to the complex nature of the challenge, as criminals and foreign governments have become increasingly adept at penetrating U.S. government and private sector networks to steal both commercial secrets and foreign intelligence.
To illustrate the threat, Bloom cited a little-known but disturbing cyberattack on a German steel mill last year. Hackers stole computer login credentials from plant workers, remotely worked their way into the networks and ultimately took control of the plant’s manufacturing system. Managers were unable to operate an on-off switch to shut down the blast furnace. The mill, German officials said, was seriously damaged.
Such attacks are rare, but they show the potential for major economic loss — especially if an attack on one system triggers a failure in others, Bloom said at the Center for Strategic and International Studies. But insurers can alter companies’ behavior through the underwriting process, she said.
The mere process of applying for cyber insurance can help businesses identify tools and best practices they may lack, she said. Insurers ask questions to better gauge how embedded cybersecurity is in a company’s risk management strategy and determine how vulnerable a firm is to compromise.
They ask questions such as: Does the company have a cyber-incident response plan? Are subcontractors and suppliers evaluated to ensure their adherence to the company’s cyber requirements? Does the firm practice basic cyber hygiene, such as regularly patching software, scanning for malicious activity, and requiring a multistep identity check to access company networks?
Companies motivated to obtain better rates will seek to lower their risk by improving security. “When this happens, it is a game changer,” Bloom said. “Why? . . . Cybersecurity becomes part of an organization’s DNA.”
Industry experts said it is high time that insurers become a more visible part of the debate. “Legislation can take you so far,” said Peter J. Beshar, general counsel of Marsh & McLennan Companies, an insurance broker and global risk adviser. “But cyber insurance has the potential to create the right incentives that drive economic behavior across millions of people in the marketplace.”
The market for cyber insurance began to take off about five years ago, Beshar said. Today, globally, about $2 billion worth of premiums have been sold. Most of that coverage is in the United States, but the market is growing substantially, he said.
“Companies and boards are ready to spend money when there has been a breach or when they’re facing a civil lawsuit after an incident,” said Judi Germano, a senior fellow at New York University School of Law. “But cyber insurance encourages companies and executives to invest in cybersecurity before a breach happens.”