One year after issuing an executive order promising to defend the nation’s computer networks, the Obama administration released cybersecurity guidelines this week for utilities, banks and other industries considered crucial to US infrastructure.
The voluntary guidelines mean a reassessment of security protocol for affected businesses, but for independent agents offering cyber insurance, they represent a great way to boost policy sales.
Christine Marciano, president of Cyber Data-Risk Managers in New York, told Insurance Business in December she felt the guidelines could only help her business, which focuses exclusively on cyber insurance.
“[The guidelines] will be a win-win for all sides if they can get the market moving,” Marciano said. “I think it’s going to enhance and draw up our business because more people will need to be cooperating with the government. It can only drive our business with more sales coming in, especially if companies realize adopting the framework will help them in the long run.”
The new framework lays out steps companies should take to secure their computer networks against attack. Suggestions include identifying organizational systems and assets, actively monitoring their networks, and detecting cybersecurity events.
In the event of an attack, the framework issues guidelines for responding to the event and restoring the business’s capabilities to full power.
The fact that the guidelines so closely match what cyber insurance professionals have been pushing for years is great news, Marciano said.
“For a broker like myself, we focus on underwriting on all these factors,” she said. “We’re coming onto the ‘respond and recover’ factors; if a company has it, it would actually help because we already build our business around that model and we will be on the same page with everyone.”
Opponents of the framework complain that its voluntary nature offers no incentives for companies to adopt the model, but Marciano feels insurance repercussions for those not following the guidelines will soon entice most businesses to participate.
“I think it’s going to be kind of expected that critical infrastructure adopt the guidelines,” she said. “If there’s an attack and they didn’t do anything to prevent it, [insurers] might be more harsh on those enterprises.”
The framework represents a new level of government involvement in cybersecurity. Marciano herself said the industry “hasn’t seen anything like this before as far as government regulation and insurance.”
