Cyber-Risk Mitigation: We Get it

There’s been a lot of talk lately about the role of government in the private business sector, so it’s fitting that, since October is Cyber Security Month, the White House reports President Obama is said to be considering an Executive Order that will ultimately impact both the public and private sectors, including the insurance industry.

As a formal response to stalled cyber security legislation, the order is predicted to include information-sharing measures for infrastructure providers, and will direct federal agencies to develop “voluntary cyber security guidelines” for critical infrastructure owners, such as power and water companies, chemical plants and even financial networks. Currently, say analysts, more than 80 percent of critical infrastructure is owned by the private sector.

While the National Security Agency estimates that the annual rate of cyber attacks on American infrastructure jumped seventeen-fold between 2009 and 2011, the insurance vertical market has not been directly affected. But it would be if our nation’s power grid suffered an outage due to cyber-terrorism, say critics. The idea behind the Executive Order is to prompt the public and private sectors to offer cyber-attack intelligence that will be combined to create a tested path to follow.

Of course, insurance IT personnel have enough to worry about with their own infrastructures—keeping growing data stores safe and secure whether housed in brick and mortar bunkers or in the cloud; and whether transmitted over secure pipes or via encrypted mobile devices. The goal, cyber-resiliency (defined by Jeff Snyder, VP, Cyber Programs, Raytheon Company as “the ability to maintain operations through a cyber attack, recover, and then develop new defense techniques based on previous breaches”), is one shared by all sectors, public and private.

I know I’ve blogged about this in the past, but for our industry in particular, the issue of cyber security is about much more than cyber-resiliency; it’s about risk mitigation for the sake of our very livelihood. We get it.

Yet apparently other industries need to hear the gospel. Recent criticism by Senate Republicans of the U.S. Homeland Security Department’s ability to take a lead role in protecting the nation’s computer systems has created an additional sense of urgency.

A little-known Sept. 24 Reuters report quoted former government cyber security sources saying the pending order would give government agencies 90 days to propose new regulations and create a new cyber security council at the Department of Homeland Security with representatives from the Defense Department, Justice Department, Director of National Intelligence and the Department of Commerce.

If it all sounds ominous and overwhelming, it should … but for different reasons. Like many early releases of government-sponsored and promulgated rules, this potential Executive Order has a certain ring of “control” to it that finds itself on a very slippery slope.

With the best of intentions (save the United States of America from possible cyber-Armageddon), the federal government begins its course with the development of “voluntary” guidelines. As stakeholders, the insurance industry shares the ultimate goal and understands that it bears a great portion of the risk, making contributions to voluntary guidelines a slam dunk.

But haven’t we seen similar voluntary guidelines that ultimately become mandatory requirements, i.e., more regulatory compliance?

Pat Speer is an editorial consultant for Insurance Networking News.

Readers are encouraged to respond to Pat by using the “Add Your Comments” box below. She also can be reached at patricia.speer@sourcemedia.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
