A presidential executive order outlining some guidelines on cyber-security-coordination efforts may help get the ball rolling on more meaningful legislation, but by itself, the order does not seem to make any mandatory demands on private entities, at least at this time, an insurance-industry expert says.
Jim Whetstone, senior vice president and U.S. technology and privacy manager at Hiscox, says there has been a lot of talk over several years about accomplishing legislation around cyber security. As for Pres. Barack Obama's executive order, issued Feb. 12, Whetstone says, "It looks like a watered-down version of some things that have been talked about in the past."
The order addresses cyber risks to industries seen as critical to U.S. infrastructure. "The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront," says the order. "The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats."
It calls for an inter-agency process to facilitate coordination and guidance of policies designed to "increase the volume, timeliness, and quality of cyber-threat information shared with U.S. private-sector entities so that these entities may better protect and defend themselves against cyber threats."
Specifically, the order says that, within 120 days, the attorney general, the secretary of Homeland Security, and the director of National Intelligence must each issue instructions to produce "unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity."
It also calls for a voluntary information-sharing program between the government and eligible "critical-infrastructure companies or commercial-service providers that offer security services to critical infrastructure."
Whetstone says, "It doesn't appear that anything in it, at least from my reading, is mandatory. It talks about creating some frameworks and creating some methods to share information, which I think is all healthy, and I think that's good."
As for compliance for private companies and how insurers will likely treat the executive order, Whetstone says the short-term approach is likely "wait and see." He notes, "I don't even know if companies have to do anything at this point." The immediate onus, he says, is on the government and and various public entities to create frameworks. Once that happens, says Whetstone, then companies will respond, and insurers like Hiscox will look at the frameworks, determine what type of companies have to comply and what they have to do to meet any requirements.
One reservation among insurers and companies is the potential for liability that comes with the sharing of sensitive information envisioned in the order. Whetstone says he sees the value in sharing information — particularly if one company is familiar with a certain type of cyber attack and makes other companies and public entities aware of it.
But he says previous cyber legislation has failed to pass through Congress in part because of concerns about the legal implications of sharing sensitive information.
Whetstone says these concerns could be addressed if some type of exemption is built in so companies cannot be held liable simply for following the executive order or the frameworks that result from it.
And Whetstone says companies do recognize cyber risks today more than in the past. When he first got involved in providing cyber-liability coverage in 2001, Whetstone says conversations did not even center around insurance, but rather the exposures and the need for risk mitigation — including better technology and best practices.
Today, he says more companies have invested in IT and procedures, and are looking at insurance to cover the residual exposures that remain after those investments.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
