“The insurance industry has a great record of solving problems where government regulation didn’t because the government either didn’t know how to regulate, or the government wouldn’t regulate,” Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-Terrorism for the United States, told attendees at a recent cybersecurity insurance forum in Santa Clara, Calif.
Clarke, now CEO of Good Harbor LLC, a security risk management firm that advises companies and governments on cybersecurity and best practices, was the keynote speaker at the recent National Association of Insurance Commissioners (NAIC) and Stanford Cyber Initiative: Cyber Insurance and Its Evolving Role in Helping to Mitigate Cyber Risks.
The first joint forum between the NAIC and Palo Alto, Calif.-based Stanford University, held last month, sought to explore how insurers and cybersecurity experts can better work together to solve the cybersecurity challenges facing the nation’s technology infrastructure.
Clarke’s experience in the cybersecurity world has spanned decades, including a 30-year career with the U.S. Government. He served under three presidents as a Senior White House Advisor, Special Advisor to the President for Cyber Security, and on the United States National Security Council.
“I think the cyber insurance industry has enormous potential to positively shape the cybersecurity ecosystem in this country, as it has so many other things in this country – as it has with fire prevention, as it has with automobile safety,” Clarke said at the NAIC/Stanford forum.
Clarke offered several ideas on where he thinks the insurance industry can use its power to improve cybersecurity for companies and organizations alike, as well as grow and improve the overall cybersecurity insurance market.
1) Know Your Insureds’ IT Budgets
Clarke said what differentiates the security of a company’s technology infrastructure is what they spend on their IT budget.
“If you look at the percentage of their IT budget that they spend on security … that will tell you a lot,” he told the audience of insurance professionals and regulators.
The reason for that, Clarke said, is that every company has “definitional issues” about how it looks at security and how it allocates its budget across those different areas. Clarke said that for companies to be truly effective at combating cybersecurity intrusions, they need to employ resources at many different levels, and that costs money.
“At the gross level, if the company is spending 3 percent, 4 percent, or even 5 percent, of its IT budget on security, it’s not spending enough,” he said. “Getting this right is hard. Getting this right is expensive.”
Clarke said good companies that are highly secure are spending at least 8 to 12 percent of their IT budget on security.
“If people are unwilling to spend money on IT security, they will get hacked,” he said.
2) Cybersecurity Defense is About People
Clarke said even if a company is employing all the right hardware and software that it can to fend off technology intrusions, the real difference maker to keeping a company or institution safe is still its people.
“If you don’t have training [for] IT security people, all that hardware and software is not going to do you any good. You’re not going to know how to integrate it and you’re not going to know what to do at large,” he said.
He said there are currently 200,000 vacant IT security jobs across the U.S., and that number doesn’t include the people in IT security jobs who aren’t trained or qualified for them.
“You would never let a doctor operate on you who wasn’t board-certified in that capacity; you’d never let someone do your income taxes who hadn’t recently gone through a tax certification program … yet we have [people] in companies throughout the United States who do not have the qualifications to do their job,” he said.
Clarke said part of the reason for that is there isn’t a good certification program for people to train in cybersecurity, something he said he is working on. And he thinks insurers should do more to provide adequate training as well.
3) Know How Secure Your Insureds Are
Clarke said insurers shouldn’t just be examining a policyholder’s security system when they are filling out the insurance application, but “every moment of the day.”
In other words, he said, insurers should continuously monitor the cybersecurity procedures of their insureds, much the way auto insurers do with driving telematics devices. And, he said, the technology exists for insurance companies to gather this information and keep a “security score” on their policyholders.
“If I was an insurance company and I was underwriting a company, I would not underwrite them unless I knew every day how secure they were,” he said.
4) Don’t Give Up
Clarke said in the wake of many high-profile cybersecurity breaches such as Target, Sony, Yahoo, and most recently Equifax, it would be easy to reach the conclusion that all company technology networks cannot be secured.
“You can get really depressed by that and give up,” he said.
But he urged people not to feel that way, saying there are many companies that are successful at keeping hackers out and keeping people’s personal information safe; they just don’t publicize it.
“The companies that are successful don’t like to attract attention. There are companies that have not been hacked; or when they have had the network penetrated, it has not resulted in the loss of data, it has not resulted in the shutting down of operations,” he said. “Don’t look at all the horror stories … They’re not all going to be hacked. Some of them are going to get it right. We need to learn from the ones that aren’t being hacked.”
5) Create a Cybersecurity Insurance Institute
Clarke said the insurance industry should develop a place where the phenomenon of cyber incidents and the potential interaction with insurance could be studied. That place could create the data needed for better underwriting, and think of ways of reducing the risks.
He said the institute could also certify people working in cybersecurity.
“A cybersecurity insurance institute joining with other organizations could create a multilevel set of certifications and could help run that program, run the curriculum, run the testing, and run the continuing education,” he said.
He added such an institute would put the insurance industry on the cutting-edge of the cybersecurity world, and help ensure that insurers are not putting themselves at too great a liability.
“You don’t have to wait for new technology. You don’t have to wait for new breakthroughs, and you don’t have to wait for someone to pass the ball because they never will,” he said.