Key Takeaways in Newly Released Homeland Security Insurance Industry Report

Posted by Mark Greisiger

Guest Author: Vince Vitkowsky, Partner, Seiger Gfeller Laurie LLP

The Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) has convened a series of sessions focusing on developing the first-party cyber insurance market. The most recent session was held on April 7, 2014, and it included representatives from 10 insurance brokers, 10 insurance underwriters, and 10 reinsurers. On July 22, DHS released its Readout Report of that Session. The entire 44-page Report, together with the Reports of three earlier sessions, can be found here on the Homeland Security website. The April 7 Session focused on three subjects, and the distilled essence is described below.

The purpose would be to develop cyber risk actuarial tables and inform cyber incident trend analysis.

Cyber incident information sharing/data repository. There was industry support for the creation of a mechanism, referred to as a “cyber incident data repository,” through which private companies, public sector entities, and the US Government (USG) could submit information about cyber incidents they have experienced or have become aware of. For private sector companies, the submissions would be anonymous. The purpose would be to develop cyber risk actuarial tables and inform cyber incident trend analysis.

Cyber incident consequence analysis/analytics approaches. Participants expressed a need for information and assistance from the USG in building models, simulations, and exercises “to confidently expand first-party coverage for cyber-related critical infrastructure loss”. They pointed to the core insurance industry need of estimating probable maximum loss. They also suggested that the USG design, develop, and execute a cyber incident table top exercise that would include insurance industry representatives and vendors.

ERM Evangelization. Participants expressed support for Enterprise Risk Management which included analysis of cyber risks. They believed that greater public awareness and education about cyber risk would be beneficial, and advocated for a general push for “ERM Evangelization.”

Vince Vitkowsky is a partner in the law firm of Seiger Gfeller Laurie LLP, resident in New York. He can be reached at vvitkowsky@sgllawgroup.com.