A new report by George Mason University’s Mercatus Center finds that the Cybersecurity Framework could “ultimately undermine cybersecurity” and diminish the “spontaneous, creative sources of experimentation and feedback that drive Internet innovation.”
The Cybersecurity Framework was authorized by President Obama’s February 2013 cybersecurity executive order. The National Institute of Standards and Technology (NIST), an agency of the Department of Commerce, launched the framework in February 2014.
Eli Dourado and Andrea Castillo, the report’s authors, argue that instead of a government-driven, technocratic solution, “[c]ybersecurity insurance is an attractive solution to the problem of critical infrastructure protection.” Insurance coverage can be flexible and tailored to specific needs and would incentivize firms to consistently improve their internal cybersecurity so as to keep premiums manageable. The problem they recognize is that the insurance market is still underdeveloped.
The report says there is a “catch-22 of sorts.” Insurance companies are unsure how to price risk because they lack data and experience in cybersecurity risk assessment, so premiums are high and thus most companies do not purchase them, which then means insurance companies cannot gather the data they need. To jump-start the insurance market, Douado and Castillo purpose an interesting solution: “cultivating the development of a private cyber insurance market by purchasing coverage for breach-riddled federal agencies.”
This initial start would enable insurers to start the critical risk analysis process and “derive needed information and develop best practices from their first big customer.” To then further develop the market, federal agencies could condition contracts with private industries on the purchase of cybersecurity insurance.
The Mercatus plan is similar to the recommendation by The Heritage Foundation. A liability system is needed to ensure that the cost of cybersecurity breaches is borne by the original actors, not the consumers. It would also help naturally develop the cyber insurance industry by incentivizing firms to purchase insurance to protect from liabilities.
And like Douado and Castillo, Heritage also recognizes that the insurance market is underdeveloped because insurers do not have enough risk analysis data. Heritage suggests that development of insurance “may need some initial incentives from the government, but, ultimately, such a system returns cybersecurity liability to those who are largely responsible for cybersecurity losses.” The Mercatus proposal could be one such initial incentive.
Ultimately the Mercatus and Heritage Foundation report agree: Congress should help promote the development of a cybersecurity insurance community rather than adopting top-down, technocratic standards.
Jared Ferris is currently a member of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please click here.