It is important to note that while the incentives study was required within 120 days of the date of EO 13636, the preliminary version of the Framework is required within 240 days of the date of EO 13636. In addition, DHS will be establishing a voluntary program to support Framework adoption within 365 days of the signing of EO 13636. This report is limited by the current understanding of what the Framework will entail and would benefit from more specifics to inform the analysis and recommendation of the incentives designed for promoting its adoption. For example, knowledge of the Framework would allow the cost of Framework adoption to be quantified. Since the Framework is still under development, this was not possible, and so the incentives considered were evaluated at a more general level with the understanding that the analysis would be updated as needed as the Framework is developed. Since the Framework is still in development at the time of this writing, the incentives that are intended to promote its adoption were assessed prospectively, in terms of the likelihood that they will motivate organizations to adopt the Framework in the future. It is expected that the most effective incentives will not only promote adoption of the Framework.
Cyber-insurance and liability caps proposed as incentives by Department of Commerce
Cyber-insurance carriers prepare for the convergence of information security, privacy and litigation.
Part eight of a series
August 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
ABSTRACT
As the White House drives an industry risk-based approach for cybersecurity that may reduce privacy, insurance carriers are watching the development of liability caps to incentivize those entities that embrace this approach.
Background
The Cybersecurity Framework (CSF) is an evolving structure and process for “voluntary” certification of private sector critical infrastructure and key resource (CI/KR) operators, who are encouraged to use a consensus-developed risk-based approach proposed by the White House[1].

The White House has brought increased visibility to the risk management function of CI/KR operators and has endorsed concepts to incentivize private industry to adopt the CSF as a consensus-based risk management framework (RMF) for the purposes of limiting cyber incident liability.

The CSF is a type of blueprint for a safe harbor, providing protection from thorny tort and product liability litigation for those entities that implement it.

[1] Executive Order -- Improving Critical Infrastructure Cybersecurity, 2/12/2013. See: Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
Cyber-insurance
Liability caps – a form of tort reform – could be based upon the CSF. When applied to cyber incident damages, caps would limit liability as to the downstream consequences of a severe incident initiated by a cyber event (a calamity created by the consequences resulting from a cyber breach).

Cyber-insurance is an insurance product used to protect policyholders from cybersecurity risks, but it may not fully protect against the downstream cascading consequences associated with CI/KR (e.g. power black-outs). Presently, insurers require a policyholder to have some level of cybersecurity as a condition of such coverage. However, covered damages are generally within the sphere of losses to the enterprise, such as data breach litigation, physical damage to the enterprise, damaging acts as a result of criminal activity, etc.
Widespread adoption of the CSF (to be released in draft form in October 2013) would provide a level of certainty to the cyber-insurance industry as to what measures are considered to be a consensus-based industry best practice. Premiums can then be adjusted to favor policyholders implementing the CSF.

Liability caps can also be legislatively applied to those private CI/KR operators that have deployed the CSF. Threshold ceiling amounts as to potential damages can be established for those entities relying on the CSF, which will establish the tangible and material standards of the “safe harbor” via de facto standards.
Will technical safeguards limit cyber incident liability?
While the U.S. National Institute of Standards and Technology (NIST) is engaging stakeholders to address the technical components of the CSF, the U.S. Department of Commerce (DoC, parent organization to NIST) has been busy engaging stakeholders as to incentive strategies. Two recently published DoC recommendations include:

Partnering with the Insurance Industry to Promote Effective Cybersecurity Measures and Best Practices
“… the cyber insurance market should respond with premium increases for policyholders that fail to adopt effective cybersecurity protections, and corresponding reductions for those that agree to join the Program (CSF) and adopt effective Framework practices …”
Limiting Liability for Cybersecurity Breaches and Actions Under the Program
“… The Administration is currently studying the idea of limited liability protections in other areas that could be directly related to the Program (CSF), depending on its development. For example, as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which the President issued in order to address critical cybersecurity weaknesses caused by inadequate online identification and authentication solutions, the President stated that “the Federal government may need to establish or amend both policies and laws to address” concerns such as “the uncertainty and fear of unbounded liability that have limited the market’s growth,” but concerns about where liability should fall still exist …”
In sum, these two recommendations appear to suggest that the cyber-insurance industry should explore how macro-level technical safeguards (such as the NSTIC program) could (1) provide an affirmative defense to tort and product liability lawsuits and (2) cap the liability of litigation directed at private CI/KR operators that have experienced a severe cyber incident.

However, the DoC report points out that it can be difficult to measure the effectiveness of a technical countermeasure in the abstract.
NSTIC as a national identity floor to reduce cyber liability
In the foregoing DoC recommendations, NSTIC appears to be akin to the ship’s maritime weather radio (a technical safeguard to reduce liability) in the context of U.S. v. Carroll Towing. NSTIC is an identity and authentication management initiative of NIST (the same agency guiding the industry collaboration to define and publish the CSF).
Some believe that “identity is the new perimeter”, meaning that, just as it is taken for granted that every Internet-connected I.T. enterprise has a firewall, border gateway and other perimeter-protecting devices, so too, the theory goes, these enterprises should rely on a standards-based identity infrastructure, resembling the practical reliance on social security numbers or state-issued drivers’ licenses to verify identity.

However, privacy advocates are critical of the NSTIC program, as it reduces the anonymity of Internet users and creates an identity infrastructure requiring verification of an individual’s identity for the purposes of cyberspace. Pro-NSTIC advocates claim that the program establishes a business-grade class of service on the Internet, enabling a more secure, commercial quality of Internet activity.
If NSTIC is absorbed into the NIST CSF, it may create a new de facto national standard for identity management. Private CI/KR operators would most certainly embrace any technology recognized by the cyber-insurance industry to reduce liability. Legislative bodies would recognize the favorable effect of such a technology in improving the operations of their private CI/KR constituents when proposing caps on cyber liability. These would be very strong and convincing arguments which privacy advocates would need to overcome to slow the adoption of NSTIC as the new identity perimeter for the Internet under the CSF.
About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Project Management Professional and holds Master’s degrees in Information Security and Project Management. A former consultant to the U.S. National Security Agency, he is a practitioner of cybersecurity. He is also the moderator of the NSTIC discussion group on LinkedIn.