U.S. Sen. Jerry Moran (R-Kan.), chair of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, will convene a hearing on Thursday, March 19, 2015, at 10:00 a.m. entitled “Examining the Evolving Cyber Insurance Marketplace.” The hearing will explore the growing cybersecurity risk insurance market and hear from experts about coverage, challenges, and opportunities in the industry and the impact on cybersecurity.
The Committee’s cybersecurity activity this Congress began with two hearings last month. The first hearing examined the National Institute of Standards and Technology (NIST)’s partnership with the private sector to improve critical infrastructure cybersecurity. NIST’s continuing role was codified in S. 1353, the Cybersecurity Enhancement Act of 2014 (P.L. 113-274), originally introduced by Commerce Committee Chairman John Thune (R-S.D.) and former Chairman Rockefeller (D-W.Va.). The second hearing informed Committee efforts in crafting a federal data breach bill. Sen. Moran’s hearing on Thursday will continue the Committee’s examination of cybersecurity issues.
- Mr. Ben Beeson, Vice President, Cyber Security and Privacy, Lockton Companies
- Ms. Catherine Mulligan, Senior Vice President, Management Solutions Group, Zurich North America
- Ms. Ola Sage, Chief Executive Officer, e-Management
- Mr. Michael Menapace, Counsel, Wiggin and Dana LLP; Adjunct Professor of Insurance Law, Quinnipiac University School of Law
Thursday, March 19, 2015
Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee hearing entitled “Examining the Evolving Cyber Insurance Marketplace”
This hearing will take place in Senate Russell Office Building, Room 253. Witness testimony, opening statements and a live video of the hearing will be available on this page.
For reporters interested in reserving a seat, please contact the press gallery:
• Periodical Press Gallery – 202-224-0265
• Radio/Television Gallery – 202-224-6421
• Press Photographers Gallery – 202-224-6548
• Daily Press Gallery – 202-224-0241
Individuals with disabilities who require an auxiliary aid or service, including closed captioning service for the webcast hearing, should contact Stephanie Gamache at 202-224-5511 at least three business days in advance of the hearing date.
Chairman Jerry Moran
"Good morning. This hearing is now called to order.
"First, I would like to thank the witnesses for taking the time to provide their valuable knowledge of the cybersecurity insurance market. I would like to also thank the Committee Staff for their hard work in making this hearing possible.
"The purpose of this hearing is to examine the state of the cyber insurance market, identify challenges and opportunities, and learn how cyber insurance may drive improvements to the risk management culture at businesses who purchase these insurance policies. This is our second hearing on the broad topic of data security and to my knowledge the first congressional hearing on the cyber insurance market.
"American consumers and businesses face ongoing and serious cyber threats. As was noted in our last subcommittee hearing, the Privacy Rights Clearinghouse has estimated that over 4,400 data breaches involving more than 932 million records have been made public since 2005. The Verizon 2014 Data Breach Investigations Report reviewed more than 63,000 security incidents and found 1,367 confirmed data breaches in 2013. On average, that means just under four data breaches occur every day across the globe.
"One strategy for businesses to mitigate cyber or privacy-related losses is the purchase of cybersecurity insurance. While some cyber-related losses may be covered under a business’s general insurance policy, the increase of publicly-reported cyber incidents and data breaches has led insurers to begin offering stand-alone policies to cover cyber-related risks and losses. Cyber insurance policies vary greatly, but increasingly new policies are being developed to cover costs ranging from crisis management in response to a data breach of personal or health information, to business interruption or damage to critical infrastructure systems from a cyber attack.
"While an insurer’s primary function is to mitigate financial losses – not defend against cyber threats – cyber insurance may be a market-led approach to help businesses improve their cybersecurity posture by tying policy eligibility or lower premiums to better cybersecurity practices. An example of this relationship is an auto insurer offering a “good driver discount” to a customer who avoids accidents or driving violations, providing an additional incentive to a driver to be more cautious and attentive. The insurance company also wins. Even though the premium receipt they receive may be lower, in the end they have fewer claims to pay out.
"The cyber insurance market is one of the fastest growing commercial lines of insurance. Approximately 50 carriers now offer stand-alone cyber policies, and the total written premiums were $1.5-2 billion in 2014. Some estimates show the market could grow as high as $5 billion by the decade’s end. In 2014, the number of clients at brokerage Marsh & McLennan who purchased stand-alone cyber coverage – for example – increased by 32% over 2013. Amongst Marsh clients, the highest take-up rates for cyber insurance in 2014 were in health care, education, hospitality, and gaming.
"Challenges in the cyber insurance market exist due to the difficulty of quantifying exposure to cyber risks, liabilities, and losses; the aggregation of losses due to the interconnected nature of IT; and the changing cyber threat environment. Several IT security firms are developing products and assisting insurers in either identifying potential threats and/or offering cyber products or services to better protect the networks. For instance, a startup named BitSight partners with Liberty International Underwriters to externally analyze a company’s cybersecurity. In one case, BitSight helped discover a dormant threat in a company’s IT system and the insurer was able to work with the company to avoid a possible breach. Another example is Overland Park, Kansas-based Risk Analytics, which partners with AIG to provide a security product to some of the AIG insurance clients.
"As Congress considers cyber threat information sharing legislation as well as a national data breach notification standard, important questions about the developing state of the private insurance market come to mind. Today, we will focus our attention on some of the key questions on this topic, including:
• How can the private sector – the insurers and insured – work together to not only increase their cybersecurity posture and address their risk, but also to mitigate losses in the event of a breach or cyber incident?
• What cyber insurance policies are currently offered and what losses do they cover?
• How does an insurer assess a policy holder’s risk?
• What specific factors do insurers consider when developing a policy and premium rate?
• Has the NIST framework had an impact on how insurers communicate with businesses about their cyber posture?
• What factors inhibit companies from purchasing a cyber insurance policy?
• What factors inhibit insurers from offering this insurance?
• What does the future of this market look like?
"I am confident that today’s expert panel can share valuable insight to these important questions that can help Congress better understand the marketplace.
"I would like to now turn to the Subcommittee’s Ranking Member, Senator Blumenthal."
Witness Panel 1
- Mr. Ben Beeson, Vice President, Cyber Security and Privacy, Lockton Companies
- Ms. Catherine Mulligan, Senior Vice President, Management Solutions Group, Zurich North America
- Ms. Ola Sage, Chief Executive Officer, e-Management
- Mr. Michael Menapace, Counsel, Wiggin and Dana LLP; Adjunct Professor of Insurance Law, Quinnipiac University School of Law