
Cyber-insurance and liability caps proposed as incentives by Department of Commerce


It is important to note that while the incentives study was required within 120 days of the date of EO 13636, the preliminary version of the Framework is required within 240 days of the date of EO 13636. In addition, DHS will be establishing a voluntary program to support Framework adoption within 365 days of the signing of EO 13636. This report is limited by the current understanding of what the Framework will entail and would benefit from more specifics to inform the analysis and recommendation of the incentives designed for promoting its adoption. For example, knowledge of the Framework would allow the cost of Framework adoption to be quantified. Since the Framework is still under development, this was not possible, and so the incentives considered were evaluated at a more general level with the understanding that the analysis would be updated as needed as the Framework is developed. Since the Framework is still in development at the time of this writing, the incentives that are intended to promote its adoption were assessed prospectively, in terms of the likelihood that they will motivate organizations to adopt the Framework in the future. It is expected that the most effective incentives will not only promote adoption of the Framework.

  • Despite the common denominator of cyber insurance and liability caps there is an inherent gap between them. Liability caps are derived from, and operate as 'compensation' for, obligatory regulations, granting immunity to those who follow them. Cyber insurance, on the other hand, does not grant immunity, but forces the enterprise to take another step in order to defend itself. This is achieved through voluntary legislation. I estimate that cyber insurance's wide appearance will be the most critical implication of the Senate's choice to go with the NIST framework rather than the House's Cyber Intelligence Sharing and Protection Act.


Cyber-insurance carriers prepare for the convergence of information security, privacy and litigation.
Part eight of a series
August 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP

ABSTRACT

As the White House drives an industry risk-based approach for cybersecurity that may reduce privacy, insurance carriers are watching the development of liability caps to incentivize those entities that embrace this approach.

Background

The Cybersecurity Framework (CSF) is an evolving structure and process for "voluntary" certification of private sector critical infrastructure and key resource (CI/KR) operators, who are encouraged to use a consensus-developed, risk-based approach proposed by the White House [1]. The White House has brought increased visibility to the risk management function of CI/KR operators and has endorsed concepts to incentivize private industry to adopt the CSF as a consensus-based risk management framework (RMF) for the purpose of limiting cyber incident liability. The CSF is a type of blueprint for a safe harbor, providing protection from thorny tort and product liability litigation for those entities that implement it.

[1] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013. See Sec. 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

Cyber-insurance

Liability caps, a form of tort reform, could be based upon the CSF. When applied to cyber incident damages, caps would limit liability for the downstream consequences of a severe incident initiated by a cyber event (the calamity created by the consequences flowing from a cyber breach). Cyber-insurance is an insurance product used to protect policyholders from cybersecurity risks, but it may not fully protect against the downstream cascading consequences associated with CI/KR (e.g. power blackouts). Presently, insurers require a policyholder to have some level of cybersecurity as a condition of such coverage. However, covered damages are generally within the sphere of losses to the enterprise, such as data breach litigation, physical damage to the enterprise, damaging acts resulting from criminal activity, etc.

Widespread adoption of the CSF (to be released in draft form in October 2013) would provide a level of certainty to the cyber-insurance industry as to what measures are considered to be consensus-based industry best practice. Premiums can then be adjusted to favor policyholders implementing the CSF. Liability caps can also be legislatively applied to those private CI/KR operators that have deployed the CSF. Threshold ceiling amounts for potential damages can be established for those entities relying on the CSF, which will establish the tangible and material standards of the "safe harbor" via de facto standards.

Will technical safeguards limit cyber incident liability?

While the U.S. National Institute of Standards and Technology (NIST) is engaging stakeholders to address the technical components of the CSF, the U.S. Department of Commerce (DoC, parent organization of NIST) has been busy engaging stakeholders on incentive strategies. Two recently published DoC recommendations include:

• Partnering with the Insurance Industry to Promote Effective Cybersecurity Measures and Best Practices: "... the cyber insurance market should respond with premium increases for policyholders that fail to adopt effective cybersecurity protections, and corresponding reductions for those that agree to join the Program (CSF) and adopt effective Framework practices..."

• Limiting Liability for Cybersecurity Breaches and Actions Under the Program: "... The Administration is currently studying the idea of limited liability protections in other areas that could be directly related to the Program (CSF), depending on its development. For example, as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which the President issued in order to address critical cybersecurity weaknesses caused by inadequate online identification and authentication solutions, the President stated that 'the Federal government may need to establish or amend both policies and laws to address' concerns such as 'the uncertainty and fear of unbounded liability that have limited the market's growth,' but concerns about where liability should fall still exist..."

In sum, these two recommendations appear to suggest that the cyber-insurance industry should explore how macro-level technical safeguards (such as the NSTIC program) could (1) provide an affirmative defense to tort and product liability lawsuits and (2) cap the liability of litigation directed at private CI/KR operators that have experienced a severe cyber incident. However, the DoC report points out that it can be difficult to measure the effectiveness of a technical countermeasure in the abstract.

NSTIC as a national identity floor to reduce cyber liability

In the foregoing DoC recommendations, NSTIC appears to play the part of the ship's weather radio (the technical safeguard whose absence established negligence in The T.J. Hooper), evaluated under the cost-of-precaution calculus of U.S. v. Carroll Towing. NSTIC is an identity and authentication management initiative of NIST (the same agency guiding the industry collaboration to define and publish the CSF). Some believe that "identity is the new perimeter": it is taken for granted that every Internet-connected I.T. enterprise has a firewall, border gateway and other perimeter-protecting devices, so, the theory goes, these enterprises should likewise rely on a standards-based identity infrastructure, resembling the practical reliance on social security numbers or State-issued driver's licenses to verify identity. However, privacy advocates are critical of the NSTIC program because it reduces the anonymity of Internet users and creates an identity infrastructure requiring verification of an individual's identity for the purposes of cyberspace. Pro-NSTIC advocates claim that the program establishes a business-grade class of service on the Internet, enabling more secure, commercial-quality Internet activity.

If NSTIC is absorbed into the NIST CSF it may create a new de facto national standard for identity management. Private CI/KR operators would most certainly embrace any technology recognized by the cyber-insurance industry as reducing liability. Legislative bodies would recognize the favorable effect of such a technology on the operations of their private CI/KR constituents when proposing caps on cyber liability. These would be very strong and convincing arguments which privacy advocates would need to overcome to slow the adoption of NSTIC as the new identity perimeter for the Internet under the CSF.

About the author

Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor and Project Management Professional, and holds Master's degrees in Information Security and Project Management. A former consultant to the U.S. National Security Agency, he is a practitioner of cybersecurity. He is also the moderator of the NSTIC discussion group on LinkedIn.