In the aftermath of recent high-profile cyberattacks on several name-brand U.S. companies, the federal government is taking action. On April 1st, 2015, President Obama signed an Executive Order in an effort to bolster national security by protecting the private sector, including critical infrastructure, against hackers. According to Obama, "This Executive Order authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy, or economic health or financial stability of the United States." The order seeks to identify and punish the individuals behind attacks, who often operate across international borders and are not tied to one geographic location.
Meanwhile, recent legislation has been proposed in the Senate to help organizations prepare for, defend against, and mitigate the cost of cyber attacks. The Cyber Security Information Sharing Act ("CISA") was passed by the Select Committee on Intelligence on March 17, 2015. Participation will be voluntary. In theory, the private sector will share threat information with the government, possibly including incident details that describe those threats. Data will be anonymized by the entity that shares it and housed in a portal that will most likely be administered by the Department of Homeland Security. Some form of liability protection will be offered to organizations that share this information. In return, the government will share threat information with those that participate. The hope is that these organizations will ultimately be better able to prepare for, defend against, and mitigate the cost of cyber attacks.
However, the CISA legislation does not address any potential impacts in the insurance industry. Several questions arise, including:
- Will the information the government shares really be able to be put to practical use to help the private sector better defend against a cyber attack?
- Will cyber insurance underwriters request, or perhaps demand, what was shared prior to writing a cyber insurance policy?
- What if there are different interpretations as to whether or not the information provided by the government really is a threat to a company?
- Will the government recommend some costly changes to a company's IT infrastructure to defend against what they perceive to be a threat?
- What if the private sector disagrees with the means to protect themselves or simply can't afford to make the changes required to defend against a threat?
- Will this have a negative impact on underwriting cyber insurance policies for the private sector?
The bill appears to have bipartisan support. However, it has met some resistance from privacy rights groups, so whether or not this legislation ultimately becomes law remains uncertain.