What the Cybersecurity Executive Orders Mean for Insurers

Earlier this week, President Obama issued the cybersecurity executive orders he promised at the end of last year, after the U.S. Senate failed to pass the Cybersecurity Act of 2012. The orders' main provisions are improved sharing of cyberthreat information between the government and the private sector, and the development of a cybersecurity framework.

“Information about cyberthreats will be more quickly and more readily disseminated to the private sector so the private sector can take steps to protect itself from attacks,” said Lisa Sotto, chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. “There hasn’t been a sufficient communication vehicle. This will change that.”

The concern is real: a recent survey conducted by AIG found that more than 85 percent of the 258 decision-makers who responded were very or somewhat concerned about cyber risks to their organizations. That put cyber risk ahead of the six other areas of risk in the survey, including income loss (82 percent of executives very or somewhat concerned), property damage (80 percent), and securities and investment risk (76 percent).

Insurers that want this information also need to be ready to use it, Sotto warned: cyberthreats change constantly, and a company that becomes privy to threat intelligence has to be prepared to act on it.

“It is very, very difficult to craft a set of security standards because the tactics of cybercriminals are changing constantly and the level of sophistication is extremely high. So [the standards] have to be dynamic and insurers need to be nimble and flexible in reacting to cybersecurity events.”

There are benefits to staying on top of cybersecurity threats, though: Sotto believes insurers could use the standards when setting policy limits and policy requirements. Also reassuring for companies concerned about meeting the standards: the private sector will participate in setting them.

The National Institute of Standards and Technology (NIST) has been tapped to develop the framework in coordination with private companies. A preliminary version is due within 240 days of the order and the final version within one year, which puts the final deadline at Feb. 12, 2014.

An executive order, however, cannot impose mandates on private companies; the standards will be voluntary. And while President Obama called on Congress in Tuesday's State of the Union address to pass legislation that would enact cybersecurity laws rather than mere standards, until that happens insurers will not be forced to act. Still, Sotto thinks a couple of factors will give the framework real weight even without legislative backing.

“I would suggest that these standards will become the standards by which companies will be judged, so that if there is a cybersecurity event there may be negligence claims that follow if the standards are not complied with. Also there could be shareholder suits, if a company suffers damage as the result of a cybersecurity event where they’re not complying with the cybersecurity framework,” said Sotto.

Lastly, the orders build in an incentive by directing that the cybersecurity framework eventually be taken into consideration in federal procurement, so that a contractor's security posture would factor into contract awards. "If security controls are taken into account for the procurement of services then that will be great incentive for contractors to put in fulsome security regimes within their companies," said Sotto.

MORE FROM DIGITAL INSURANCE