Interest in cyber insurance is expanding rapidly, a top official of Marsh & McLennan testified before a Senate committee today, with the number of Marsh clients purchasing stand-alone cyber insurance increasing by more than 20 percent in just the past year.
The Marsh official also testified that, in the area of cyber security, “offense is a lot easier than defense”; that is, companies should be aggressive in taking steps to head off cyber breaches.
“There is no silver bullet or panacea that will eliminate this risk,” said Peter Beshar, Marsh executive vice president and general counsel.
Rather, he said, it will take a “collaborative effort between government and business and among professionals in different disciplines — IT, HR, Legal and Compliance — to assess vulnerabilities and link arms to confront this risk head-on.”
Beshar’s testimony came at a hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches,” held by the Senate Committee on Commerce, Science & Transportation.
The hearing was held the day after Sen. John D. Rockefeller, D-W.Va., chairman of the panel, released a report stating Target “possibly failed” to take advantage of several opportunities to prevent the massive data breach in 2013 when cyber criminals stole the financial and personal information of as many as 110 million consumers.
John Mulligan, Target executive vice president and CFO, responded, “With the benefit of hindsight and new information, we are now asking hard questions regarding the judgments that were made at that time and assessing whether different judgments may have led to different outcomes.”
The report used the “intrusion kill chain” framework developed by Lockheed Martin security researchers in 2011. The report said that this tool “suggests” that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.
Rockefeller used the occasion to highlight legislation he recently introduced, the Data Security and Breach Notification Act. He said enactment of this legislation would, “for the first time, establish strong, federal consumer data security and breach notification standards.”
Edith Ramirez, chairwoman of the Federal Trade Commission, used the hearing to reiterate the FTC’s longstanding, bipartisan call for enactment of a strong federal data security and breach notification law. “Never has the need for legislation been greater,” she said. “With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress must act.”
Beshar’s testimony highlighted the increasing importance of cyber-security insurance as an industry product.
He said that throughout 2013, cyber-insurance rates remained stable — even as the perception and potential severity of the risk increased. “This is partly because a number of new underwriters are interested in providing cyber coverage,” he said, noting that the average price per million dollars of coverage for a cyber policy actually dropped in 2013 in a number of sectors, including financial institutions, utilities, and sports and entertainment, while increasing for other sectors, including communications and transportation.
He said the highest take-up rates for cyber insurance are in health care, education and financial services. “These industries handle a large volume of sensitive personal information, including health-care data, Social Security numbers and credit-card information.”
Beshar also said, “Importantly, a number of cyber coverages also provide access to experts who are available to monitor the client’s information security and assist the client to restore operations in the event of a network attack.” He said these services include technical advice from on-call consultants and vulnerability detection to examine network devices.