Insurance Carrot Beats Government Stick in Quest for Stronger Cybersecurity
Blog Article Published: 12/02/2016
By Laurie Kumerow, Consultant, Code42

When it comes to cybersecurity, the U.S. federal government recognizes the carrot is more effective than the stick. Instead of using regulations to increase data security and protect personal information within private organizations, the White House is enlisting the insurance industry to offer incentives for adopting security best practices.

In March 2016, the U.S. House Homeland Security Cybersecurity Subcommittee held a hearing to explore possible market-driven cyber insurance incentives. The idea, said Rep. John Ratcliffe, chairman of the subcommittee, is to enable “all boats to rise, thereby advancing the security of the nation.”

The issue isn’t a lack of cyber insurance. Today, 80% of companies with more than 1,000 employees have a standalone cybersecurity policy, according to a Risk and Insurance Management Society survey. The real issue is getting companies to maintain more than a minimum set of security standards.

Borrowing from the fire insurance playbook

The insurance industry has been a catalyst for change in the past. Attendees of the Homeland Security Cybersecurity Subcommittee hearing pointed to the fire insurance market as a good example of using a carrot to drive positive behavior. Insurers offer lower rates to policyholders who adhere to certain fire safety standards, such as installing sprinklers and having extinguishers nearby.

Identifying best practices

So, what are the cybersecurity equivalents of sprinklers and fire alarms? Hearing attendees highlighted four components of an effective cyber risk culture:
- Executive leadership: what boards of directors should do to build corporate cultures that manage cyber risk well.
- Education and awareness: training and other mechanisms that are necessary to foster a culture of cybersecurity.
- Technology: specific technologies that can improve cybersecurity protections.
- Information sharing: ensuring the right people within the company have the information they need to enhance cybersecurity risk investments.