• United States




Improving cybersecurity: national cyber breach law or better business insurance?

Oct 10, 20175 mins
ComplianceData and Information SecurityRegulation

In the wake of the Equifax breach, many believe a national standard for cybersecurity is needed. But are insurance requirements a better option?

Equifax credit bureau logo and building security breach
Credit: Tami Chappell/Reuters

Recently, a colleague of mine sent me a link to a video of a panel interview with Richard Clarke and retired General Michael Hayden. Richard Clarke is a former White House Cybersecurity Advisor and Michael Hayden is the former Director of both the CIA and NSA.

The first part of this interview, moderated by the Washington Post, was focusing on aspects of using cyber not as an instrument of attack, but as information warfare. Before the topic went too far down the path of “RUSSIA, RUSSIA, RUSSIA,” the Equifax breach became the main talking point.  As many of you know, Equifax sustained a breach this year. Millions of Americans as well as Europeans and Canadians were impacted by this event. So to quickly recap:

  • A vulnerability was discovered and a patch made available
  • Patch not applied and a breach occurred
  • Numerous flaws in how this issue was addressed once identified
  • Questionable actions by C-Suite on selling shares of stock before share prices plunged about 35 percent in the wake of the public disclosure
  • CEO forced out
  • CEO forced to come to Capitol Hill to be skewered by Congressmen and Women
  • New talks on a national breach notification standard instead of the current model where 48 states have their own unique requirements

During this interview, the notion of a national standard was broached by the former CIA and NSA Director and was followed by Richard Clark echoing the need but that the minimum requirements should be  “no less”  than that of California’s current law. There was a reference to a former attempt by the Department of Commerce to intercede, which never materialized. Here is where the discussion becomes more pointed.  Richard Clarke stated, “…companies like Equifax will continue to screw up until there is a penalty for doing so…”

As a business owner myself, I really have no desire to have more regulations in place that govern my ability to provide value to our clients; However, business owners rarely act unless consequences are going to impact their bottom line. Mr. Clarke is spot on in his assertion. He further describes a notion if the offending party is charged by the record lost, that type of sanction would have a profound impact and improve organizational aptitude in addressing cyber risk. 

There was an analogy about cyber risk made to the oil industry and specifically what happened after the Exxon Valdez tragedy. Mr. Hayden described the scenario where oil companies began to look for insurance and the subsequent requirements to even obtain insurance. Because the U.S. Government imposed a clearly defined metric that was actionable and repeatable (how many barrels of oil are lost) for sanctions and penalties, the insurance carriers had better data to quantify the risk of an oil spill. 

This very closely aligns with what the market needs for cyber today but is it ready? We first have to examine what is the issue we are looking to address when it comes to insuring cyber. 

  • Are we talking about incident response costs to a cyber incident that impacts system operations by disruption or destruction?
  • Are we talking about the inadvertent disclosure of sensitive information like Personally Identifiable Information (PII) – including healthcare data or potentially Controlled Unclassified Information (CUI) or;
  • Combination of both?

In a recent webinar by GENEDGE, there was a topic of knowing who you adversaries are and without this knowledge, making informed decisions on cyber risk is not likely to occur. This is a factor that the insurance sector does not evaluate. Specifically, there is not a question to date that asks if the applicant’s risk assessment defined who its adversaries are in the cyber realm.

While asking such a question may have little implication in determining lines of coverage or premium decisions, this does tie back to the need for the insurance sector to vastly improve how it assesses cyber risk of applicants and tying potential penalties into the cost calculation. I have heard from many brokers and carriers, “We already do that.”  When pressed as to how they do that (e.g. determine how many states the applicant does business in, do they hold European PII under GDPR, does the applicant hold CUI, etc.). Other than a very limited scope to Credit Card and Healthcare data, applications are in dire need of aligning with today’s cyber threat landscape and how this landscape translates to business risk (i.e. translating cyber threats into business risk and identifying mechanisms to lower the total cost of ownership in the face of a cyber incident).

So while Mr. Hayden and Mr. Clarke make excellent points, until the insurance sector adopts more stringent requirements to obtain a policy, these topics are merely academic discussions.

If a national standard or requirement is enacted, what would that look like? Mr. Clarke references the State of California as a minimum baseline. If the United States enacted such a law, who would enforce it, The Department of Commerce? What about the Federal Trade Commission (FTC)? If FTC, how would they enforce/police it? How would it differ than their current enforcement actions under Unfair and Deceptive Business Practices when cyber is at hand? How many people would have to be hired to conduct audits and at what costs?

Some stakeholders are discussing a GDPR-like rule here in the United States. If we cannot get Congress to agree on taxes and healthcare, what is the likelihood they can ratify a national requirement on cyber?  

I am attending the National Association of Insurance Commissioners (NAIC) Cyber Working Group Forum in California this week where Mr. Clarke is a featured speaker. I greatly look forward to learning more about the insurance industry addresses concerns about the Equifax breach and perceived implications of GDPR. As I learn more, the Cyber Insurance Forum will highlight all relevant takeaways from this event.


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioner’s Cyber Task Force.

Mr. Schoenberg’s expertise has been featured at many events and his background and knowledge in the Latin American markets, specifically in Panama’, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis enabling system owners to make mission and cost justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.