A lack of actuarial data on cybersecurity risks poses a significant hurdle that may be keeping some small businesses from acquiring cyber insurance, according to industry leaders testifying before a Homeland Security subcommittee hearing.
The House Infrastructure Protection, and Security Technologies subcommittee held a hearing March 23 to examine potential opportunities to promote the adoption of cyber best practices and more effective management of infosec risks through cyber insurance.
Subcommittee Chairman Rep. John Ratcliffe (R-TX) said the majority of the companies acquiring cyber insurance are usually larger companies with more to lose.
“We need to explore ways for this marketplace to expand to create a wide array of diverse, affordable products that will also benefit small and medium-sized entities,” Ratcliffe said in his opening testimony.
A common topic in many of the testimonies was the financial burden that cyber insurance can place on small and mid-sized businesses, with the lack of actuarial data cited as a contributing factor.
“Unlike fire insurance, insurers do not have 100 years' worth of cyber loss data that they can use to build out new policies,” Ark Network Security Solutions Chief Strategy Officer Thomas Michael Finan said in his testimony.
As a result, cyber insurance companies often create policies on a case-by-case basis, which can often result in higher premiums.
Marsh, LLC Senior Vice President Matthew P. McCabe said in his testimony that cyber insurance companies can use market incentives to help better mitigate their risks and ultimately make cyber insurance more accessible.
McCabe noted that cybersecurity insurance is potentially an “effective, market-driven way” of increasing cybersecurity in the private sector.
“The underwriting process will scrutinize a company's technical defenses, incident response plan, procedures for patching software, policies for limiting access to data and systems, monitoring of the vendor network and more,” McCabe said.
He said the very act of applying for insurance forces an insurer to assess an applicant's cyber practices and could ultimately incentivize better cybersecurity practices.
Health Information Trust Alliance Chief Executive Officer Daniel Nutkis and North Dakota Insurance Commissioner Adam W. Hamm also testified at the hearing.