Beeson also noted that, just as companies invest in workplace safety to reduce workers compensation costs, sophisticated companies also will invest in stronger cyber security. In turn, those companies will experience fewer losses, insurers will see fewer claims, and companies' premiums will be lower.

"Simply engaging in the process of seeking cyber insurance coverage can assist businesses to develop the correct approach to mitigate risk," Beeson said. Insurance can bring all relevant stakeholders in an organization together, encouraging an enterprise-wide risk management approach.

The cyber insurance market

In her testimony, Mulligan explained that cyber insurance is quickly becoming a need for commercial customers; however, it faces challenges as a new market. Some are simple, such as capacity and pricing, which are in flux as the industry grows and learns of new challenges. Others are more complex.

Mulligan also said that "a privacy and security event," which she describes as the more accurate term of cyber insurance, also can be caused by something like improper disposal of records, which can trigger multiple types of claims for multiple insureds within one company, and even cause physical damage to a manufacturer or utility. Multiple lines of business also can be impacted as the result of a cybersecurity event. She cited the example of a significant breach to a public company that might result in a stock drop, which in turn could lead to a derivative suit filed as a claim under Directors & Officers Liability Coverage.

Currently, the buyers of cyber insurance are in a few key industry sectors: healthcare, financial institutions, technology and retail. Generally, the companies that buy cyber insurance are large organizations with annual revenues of more than $1 billion.

Cost drivers for cyber insurance

Although third-party lawsuits are still a factor insurers consider in the way they draft policy wordings and price the coverage they offer, Menapace said, data breach response costs have increased in importance. Most costs involve responses to the data breaches, including credit monitoring at no cost to consumers. Initial crisis service costs, however, account for about half of all data breach costs. Breach response services include technical forensic investigations, attorney oversight, breach notification to and credit monitoring for affected consumers, call centers and public relations services. The other half of the costs go toward legal defense and settlement, regulatory response and defense, regulatory fines, and fines imposed by credit and debit card issuers.

Menapace also said that, as of March 19, there are 47 states, plus Puerto Rico, Washington, D.C., and the U.S. Virgin Islands, that have requirements for notifying customers and the state attorney general after the unauthorized access of personally identifiable information or protected health information. But the state requirements aren't uniform in terms of when they're triggered and what information must be contained in the consumer notices. As a result, lawyers and other advisers have to analyze 47 sets of requirements to deal with a data breach—a costly endeavor that a nationwide standard could help.

No standard coverage terms

Both Mulligan and Menapace pointed out that there is no standard insurance policy language for cyber insurance. The Insurance Services Office, Inc. (ISO) recently published cyber coverage terms, but Menapace is not aware of any insurer that has adopted the ISO policy terms or has plans to do so in the near future. Mulligan noted that privacy events may be triggered by an analog event such as improper disposal or paper records containing personally identifiable information, for example, not just a computer virus or similar "attack."

Among the approximately 40 insurers that offer cyber insurance, there are some with significant experience and policy language developed over more than a decade of writing coverage. Other, newer entrants into the cyber insurance market and some who are looking to differentiate themselves from their competitors have their own policy language that Menapace explained has not been tested to the same extent as the policy terms used by the insurers with more mature books of business. What can be challenging for some insurers is making sure they have enough data to make prudent underwriting decisions when they sell policies.

Public/private partnership

Beeson, Mulligan and Menapace all were positive on the idea of a public/private partnership between NIST and the insurance industry to create a framework—but not mandate standards—that companies had to meet. Beeson observed that such a partnership, with the possible formation of a data repository to house anonymized enterprise loss information, would "accelerate the growth of the marketplace, and crucially accelerate the ability of cyber insurance to act as a market incentive for industry to invest in cybersecurity."

Encouraging a private/public partnership, Mulligan said that the scope of the challenge is too broad to be solved by the private sector alone, and welcomed involvement by NIST. Not all losses from a cyber attack will be or even could be covered by an insurance policy. The market is new and evolving daily, she said, which will require time to fully mature. "The scope of the exposures is too broad to be solved by the private sector. Not all causes of loss can be transferred to an insurance policy."

Suggestions on data sharing framework

In Mulligan's view, data sharing might need to take a few different forms, for example, sharing cyber event data, such as attack vectors and scope, and cyber insurance data, such as claim and underwriting information by sector. The potential upside of these discussions, she said, is that more comprehensive information will assist insurers in developing both coverage and risk management solutions and best practices for customers.

Menapace agreed that a nationwide database or clearinghouse for data breach information, specifically recording how each breach occurred and who was responsible for the breach, could be helpful to the insurance market generally and to businesses that are implementing their own data protection practices, processes and protocols. He also noted that the "prioritized, flexible, repeatable and cost-effective approach" of the NIST Cybersecurity Framework helps owners and operators of critical infrastructure manage cybersecurity-related risk.

But, Menapace said, any data protection guidance or framework must be industry specific and the industry standards must remain flexible to accommodate the size of the company, the data at issue and technology as it emerges. A partnership between the government and private industry could accelerate the development and adoption of flexible guidelines that will, ultimately, benefit consumers without restricting innovation.

The Senate subcommittee is expected to continue hearings. We'll bring you more information on the topic of cyber insurance as it develops.

Editor's note: As of press time, Ms. Sage could not be reached for comment.