Security issues stemming from connectivity are not diminishing — estimates forecast rising costs from data breaches and cyber crime — but security spending in the private sector has not kept pace with the rising costs. At the same time, Congress has worked to pass bills that would increase the cybersecurity of Americans and American businesses but, despite some significant steps, has failed to pass a comprehensive bill with broad authorities or requirements that would strengthen private sector cybersecurity. The 114th Congress has an opportunity to change this record by passing bills to provide liability protection and open the door to more information sharing and defensive measures. While these bills would support greater private sector cybersecurity, more incentives are needed to move the needle.
The question, then, is: what will make a significant difference? Cybersecurity insurance has made a resurgence in the minds of some in Washington, D.C., as the solution for private sector cybersecurity problems. While insurance is unlikely to ever deliver a silver bullet, it does have the potential to catalyze better cybersecurity practices in the private sector through positive incentives. Traditional insurance is not adequate to address cybersecurity, and the cybersecurity insurance market needs to grow significantly. Congress can pursue a cyber-legislative agenda in order to inject more life into this marketplace by increasing the effectiveness of the database of risks and tools, supporting a cyber incident reporting database, expanding programs that certify safety measures, and capping insurance costs in catastrophic circumstances.