There has been a flurry of activity by the federal government as it grapples with the cyber security threat. Guidance documents roll out, an executive order has been issued, and a Cybersecurity Framework has been set down. In all of this, insurance, the tool that is used in nearly all other circumstances where there is an exposure that threatens an organization’s existence, gets short shrift or no shrift at all. This article examines the government’s steps into cybersecurity and how insurance is addressed. It then offers some thoughts on what to do about it.
According to the National Institute of Standards and Technology (NIST), “[s]enior leaders/executives in modern organizations are faced with an almost intractable dilemma—that is, the information technologies needed for mission/business success may be the same technologies through which adversaries cause mission/business failure.” In today’s vernacular, this describes the battlefield for cyber war.
With great fanfare, the Obama administration has mustered the nation’s defenses against cyber attack. Frustrated by a lack of achievement in the Congress, in 2013 President Obama, through Executive Order 13636, called for the establishment of a voluntary set of security standards for critical infrastructure industries. This led to the release of the Cybersecurity Framework one year later, which built on NIST work that had been released earlier.
One hesitates to criticize a project that has painstakingly sought to engage stakeholders across the nation. Yet a uniform feature of the nation’s commercial landscape is insurance coverage, and the government’s cyber initiatives give it little attention or none at all. This should be fixed; fortunately, the NIST guidance provides a place to do so, and the place to start is NIST’s 2011 publication, Managing Information Security Risk (Special Publication 800-39), NIST’s “flagship document in the series of information security standards and guidelines.”
This article outlines the risk management practices recommended by the guidance and comments on those practices. It concludes that the government could do much better. Insurance is a fundamental part of an organization’s risk response, and, notwithstanding the government’s apparent lack of interest, prepared organizations must pursue their full set of risk management options—including insurance.