As Federal and State Agencies Warn of Increased Cyber Threats, Insurance Incentives for Compliance with NIST Cybersecurity Framework May Be on the Horizon

This post was written by J. Andrew Moss and Emily Garrison.

Since the President’s February 2013 Executive Order directing the National Institute of Standards and Technology (NIST) to lead the development of a voluntary framework to address and reduce cyber risks, the agencies and stakeholders involved have been exploring whether to tie the February 2014 Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework) to incentives such as cyberliability insurance. For example, in a Report to the President on Cybersecurity Incentives, the Treasury Department suggested that “[c]yber insurance can promote adoption of stronger security measures” because, among other reasons, “insurers could require policyholders to comply with minimum security standards as a condition of insurance coverage, including adoption of the Framework.”

The Treasury Department held a public meeting on November 6 that included a discussion of developments in the market for cyberliability insurance and the NIST Framework.

A webcast of the meeting and meeting materials will be made available on the Treasury Department’s website within the next few weeks. The Commodity Futures Trading Commission (CFTC) also recently commented on the increasing importance of cyber security. In a November 5 speech at the Futures Industry Association's Expo 2014 in Chicago, CFTC Chairman Timothy Massad commented that the “need to strengthen the security and resilience of our financial markets against cyber attacks is clear,” and outlined steps the CFTC has been taking regarding cyber and information security. And at the state level, California’s Attorney General, Kamala D. Harris, issued a report in October showing that data security threats are on the rise in the Golden State, and recommended specific steps California retailers should take to improve data security and reduce breaches.

At least one major insurer may now be developing the initiatives suggested by the Treasury Department and other agencies. In recent statements to Bloomberg BNA, American International Group (AIG) indicated that its companies are considering incorporating elements of the NIST Framework into the underwriting process. AIG stated that adoption of the NIST Framework may make companies eligible to purchase cyberliability insurance at cheaper rates, but also stated that companies will not be required to adopt the Framework as a condition of receiving special insurance rates or a condition of obtaining cyberliability coverage.

Andy Moss is a partner in Reed Smith’sInsurance Recovery Group and a co-leader of the Group’s Cyberliability practice area. Emily Garrison is an associate in the Insurance Recovery Group. Companies considering, placing or renewing cyberliability coverage, or interested in examining the scope of coverage or determining whether certain types of claims may be insured under a particular cyberliability policy form should contact Andy or Emily.

Leave a Reply