Leading brokers from Marsh, Willis and Lockton visit White House for talks which could have global impact
Brokers from Marsh, Willis and Lockton were invited to the White House to discuss a voluntary national cyber security framework for critical infrastructure using broad cyber insurance as an incentive.
The framework, which will aim to increase the level of core capabilities for critical infrastructure in the US by introducing security regulations and protocols, is expected to be released in February 2014 while the draft for the framework is due in October this year.
President Barack Obama’s administration has set the National Institute of Security and Technology (NIST) and the Department of Homeland Security (DHS) the task of with developing the framework and they held the third of four discussions at the White House in August with senior cyber insurance brokers.
The final talks took place in Dallas on 11 September and involved IT and cyber security experts.
This week, StrategicRISK spoke to three representatives from Marsh, Willis and Lockton who attended the White House discussions about the implications of the framework.
Willis senior vice-president Chris Keegan believes the potential for the framework to be deployed around the globe and also extended to other industries added real significance to the discussions. “Eventually it will roll out to other industries because the one good thing about the framework when it gets put together is that it has to be flexible,” he said.
“It has to be designed for different entities all the way from the largest US banks down to small utilities and energy companies. The resources they have are so vastly different and the risks they face are so different that you need a matrix as part of the framework.”
Keegan added: “If NIST gets that right and it’s a good framework, I think you will have people in the UK, Europe and other countries jumping on the bandwagon.”
Lockton partner of global technology and privacy practice, Ben Beeson said the industry was set to get “a huge shot in the arm” as the attention from Obama’s administration would put cyber risks and insurance policies under the microscope.
Beeson said the discussions at the White House would push the cyber insurance industry to the next stage in development saying operational risks would now take focus after the initial policies covering hacking and business interruption losses were first developed at the turn of the century.
Marsh senior vice-president of network security and privacy practice Matt McCabe believes the framework discussions will create more awareness of cyber risks. He said: “The administration’s attention is going to boost the market in two regards: first, it is going to increasingly shine light on the problems around cyber security and second, it’s going to have companies thinking more about what they should be doing about the risk associated with cyber, so the natural outcome of that attention will give a boost to the market.”
During the discussions, several suggestions were made by brokers who were asked to help the US administration understand the current cyber risk and insurance landscape and how they could persuade US critical-infrastructure companies to adopt the framework.
Beeson suggested the need for an additional third stakeholder from the IT industry to accompany the government and insurance stakeholders. He said: “There need to be high-level, IT security stakeholders – people who have a real understanding of threat information, what attacks are going on, so they can help monitor them.”
Keegan highlighted the need for liaison between government, insurers and organisations regarding cyber threats: “We asked for help with putting together some standards so that you know that a breach has occurred. In some instances, we have no way of knowing if a breach has occurred so we are asking for some type of co-operation in information sharing.”
The incentive for broader cyber insurance is something that all three think will be pivotal in the framework’s success as cyber attacks are increasing, with notable high-profile attacks against Sony and the New York Times, as McCabe explained: “Cyber attacks are growing in frequency and severity and are overtaking weather conditions as the major threat to US companies. You have to respond to such a growing risk.”
He added: “The administration realises that companies who are doing the right thing and improving their cyber security practices should be able to realise benefits in how they are transferring the residual risk. They recognise this is part of an industry solution and they are trying to facilitate a marketplace that is going to incentivise better security practices.”
Beeson echoed this, adding: “There was a consensus from my peers that this is a good idea and we feel if they would allow us to have a say as to what goes into the framework, we can develop insurance in the way they are looking to incentivise industry to sign up to these risks. This is a huge opportunity for the industry.”