On Tuesday, the White House announced the President’s Improving Critical Infrastructure Cybersecurity Executive Order. Much is being written and discussed about the order, and experts are already offering different reactions to it. This article won’t discuss whether the Order stopped short of meaningful requirements or if it went too far in creating additional burdens. Today’s topic is the cyber insurance policy you have in place, or may be considering.
Q: Will the Order Affect the Cyber Insurance Underwriting Process?
A: Not immediately. But the Order does require the government to work with key industries to develop a risk-based “Cybersecurity Framework” within the next year that may affect the underwriting process. The Order states:
The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
One possible result of the Order may be the development of a cross-industry “best practice” that may start to simplify or combine the multitude of regulatory and industry cyber compliance measures in existence today. Conceivably, an insured might at some point be able to demonstrate to their cyber insurer that they are “Framework Compliant,” and significantly simplify the underwriting applications, documents, conference calls, and meetings.
Q: Will the Order Affect my Cyber Insurance Rates?
A: Again, not likely in the short term. Over time, if the Order and any subsequent legislation created more or fewer purchasers of cyber insurance, supply and demand impacts could come into play. Also, as nothing in the Order is “mandatory” for companies, it is unlikely that underwriters would alter coverage terms or adjust pricing because of the Order.
Q: Will the Order’s Purpose of Greater “Threat Information Sharing” Give us Better Claims/Loss Examples and Scenarios?
A: It likely will. One can foresee increased information on significant threats being shared more openly. That data could be helpful for insureds as well as insurers to craft meaningful policy structures. That said, classified information will still be classified or redacted. National security level threat information will likely only be shared with persons with security clearance within critical infrastructure organizations.
Q: Will the Order Affect Available Cyber Insurance Coverage Terms and Conditions Going Forward?
A: Not directly. Cyber insurance has been a “living and breathing” organism since its inception in the late 1990s. Coverage terms and conditions are constantly changing and evolving (most often in the insured’s favor). The days of “widespread virus” exclusions are almost gone, and many insurers are reacting reasonably to the “cloud computing” craze. Both of these risk areas are impacted by non-targeted, widespread cyber-attacks. Cyber insurers may continue to tweak available coverages, but not due to the additional “threat sharing” nature of the Order.
Q: What Other Impact Might the Order Have on Cyber Insurance?
A: Vendor insurance requirements. Most companies today rely on various third-party vendors (IT, security, HR benefits, payroll, marketing, etc.) to operate their businesses. Many organizations are already addressing cyber insurance requirements, as well as indemnification and limitation of liability provisions in agreements with these vendors. The Order, in bringing more light to cyber security, will likely increase an organization’s own cyber risk awareness and cause businesses to strengthen contractual obligations with third parties.
Overall, in reaction to the Order, it should be business-as-usual in the cyber insurance marketplace – at least for now. But in this continually evolving marketplace, the only constant has been change.