A cyber mandate isn’t the way to address cyber-insurance takeup
The federal government can play a role in bolstering demand for cyber insurance, but prescriptive measures, like a cyber-insurance backstop or a cyber-insurance mandate, would undermine those efforts. A recently released paper from R Street Technology Policy Fellow Anne Hobson instead recommended that so-called “internet-of-things” vendors and contractors that do business with the federal government be held financially responsible should a cybersecurity failure on their part result in costs to U.S. taxpayers.
Some have proposed the best way to accomplish this goal would be to require that federal vendors and contractors buy cyber insurance. It’s a proposal that has some attractive features. Insurance often has the benefit of forcing private actors to take account of their practices and reduce risks that otherwise would cause their premiums to rise or render them unable to obtain coverage at all.
But it’s important to remember that insurance exists to transfer risk. Whether it’s appropriate to buy cyber coverage to address directors and officers liability, or to deal with the potential for business interruption, is a decision each firm’s management team must make for itself. The government has no special knowledge of what’s right for every company with which it does business. What it can and should require is that taxpayers be protected from having risks directly or implicitly transferred to them as a result of those private risk-management decisions.
While firms could pursue other mechanisms to address their financial responsibility—from letters of credit to surety bonds to cash—most would find cyber insurance the most efficient means to transfer the risk of cyber-related liabilities. When it comes to risk management, private firms have a number of questions they must ask, including what risks they face, what strategies can be employed to mitigate those risks, and whether it is more cost-effective to retain those risks, which will be borne by shareholders and creditors, or to transfer them to third parties like insurers. The key is to make clear to firms that they will be held liable for any risks they create for others—in this case, the government and the individuals whose private data are entrusted to the government. There will be no bailout if things go wrong.
If the government simply wants its contractors to undertake cybersecurity measures, it can do that and, to an extent, it already has. It’s not only appropriate, but it’s absolutely essential that federal agencies vet the vendors and contractors with which they do business, and not offer contracts to those who practice poor cybersecurity hygiene. This should include examining vendors’ overall risk-management practices and taking as a positive sign that a given contractor has prepared for contingencies by obtaining insurance.
But as a technical matter, while it’s possible to require and define the scope of financial responsibilities that a government contractor holds to the agency with which it contracts, there is no magic formula to determine what kind and how much insurance every potential government contractor should get. Different firms of different sizes engaged in different kinds of activities that face different kinds of risks and operate under different contract terms all will have vastly different sorts of insurance needs.
The larger point here is that before you can enjoy the benefits of cyber insurance, which are many, you first must have a definable need for insurance. There is much to praise about how the underwriting process can act as a kind of cybersecurity audit. But the social benefits of cyber insurance do not, themselves, create the need for a cyber-insurance policy. First, you must have a risk that it actually would be prudent to transfer.