[Senate Hearing 114-171]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 114-171

                     EXAMINING THE EVOLVING CYBER 
                         INSURANCE MARKETPLACE

=======================================================================

                                HEARING

                               BEFORE THE 

                  SUBCOMMITTEE ON CONSUMER PROTECTION,
                       PRODUCT SAFETY, INSURANCE,
                           AND DATA SECURITY

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 19, 2015

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation



[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

       
                       U.S. GOVERNMENT PUBLISHING OFFICE
98-475 PDF                   WASHINGTON : 2016                       
       
             
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
       
       
       
       
       
       
       
       
       
       
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
MARCO RUBIO, Florida                 CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire          AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin               TOM UDALL, New Mexico
DEAN HELLER, Nevada                  JOE MANCHIN III, West Virginia
CORY GARDNER, Colorado               GARY PETERS, Michigan
STEVE DAINES, Montana
                    David Schwietert, Staff Director
                   Nick Rossi, Deputy Staff Director
                    Rebecca Seidel, General Counsel
                 Jason Van Beek, Deputy General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
       Clint Odom, Democratic General Counsel and Policy Director
                                 ------                                

  SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND 
                             DATA SECURITY

JERRY MORAN, Kansas, Chairman        RICHARD BLUMENTHAL, Connecticut, 
ROY BLUNT, Missouri                      Ranking
TED CRUZ, Texas                      CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska                AMY KLOBUCHAR, Minnesota
DEAN HELLER, Nevada                  EDWARD MARKEY, Massachusetts
CORY GARDNER, Colorado               CORY BOOKER, New Jersey
STEVE DAINES, Montana                TOM UDALL, New Mexico
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 19, 2015...................................     1
Statement of Senator Moran.......................................     1
Statement of Senator Blumenthal..................................     3
Statement of Senator Blunt.......................................    28
Statement of Senator Klobuchar...................................    29

                               Witnesses

Ben Beeson, Vice President, Cyber Security and Privacy, Lockton 
  Companies.....................................................     4
    Prepared statement...........................................     6
Catherine Mulligan, Senior Vice President, Management Solutions 
  Group, Zurich (North America)..................................     8
    Prepared statement...........................................     9
Ola Sage, Founder and CEO, e-Management..........................    13
    Prepared statement...........................................    14
Michael Menapace, Counsel, Wiggin and Dana LLP, and Adjunct 
  Professor of Insurance Law, Quinnipiac University School of Law    18
    Prepared statement...........................................    20

                                Appendix

Response to written questions submitted by Hon. Jerry Moran to:
    Ben Beeson...................................................    39
    Catherine Mulligan...........................................    39
    Ola Sage.....................................................    40

 
           EXAMINING THE EVOLVING CYBER INSURANCE MARKETPLACE

                              ----------                              


                        THURSDAY, MARCH 19, 2015

                               U.S. Senate,
      Subcommittee on Consumer Protection, Product 
              Safety, Insurance, and Data Security,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Jerry Moran, 
Chairman of the Subcommittee, presiding.
    Present: Senators Moran [presiding], Blunt, Blumenthal, and 
Klobuchar.

            OPENING STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. Good morning, everybody. We are delighted 
that we are here. I call this subcommittee hearing to order.
    Let me first of all thank our witnesses for taking the time 
to provide us with--I have read the testimony--very valuable 
information on a topic that I think has not received much 
attention. We are delighted to have you here and appreciate 
your willingness to share with us.
    I also want to thank our committee staff who worked hard at 
arranging those witnesses and putting this hearing together.
    The purpose of this hearing is to examine the state of the 
cyber insurance market, identify challenges and opportunities, 
and learn how cyber insurance may drive improvements to the 
risk management culture at businesses that purchase those 
insurance policies.
    This is our second hearing on a broad topic of data 
security, and to my knowledge, it is the first time, as I said, 
that a hearing has ever been held on the cyber insurance 
market.
    American consumers and businesses face ongoing and serious 
cyber threats. Just last week we learned of yet another. Every 
time we have had a hearing there has been an announcement of a 
data breach. May be a reason not to have another hearing.
    A Washington state-based health insurance company notified 
11 million customers that credit card numbers, Social Security 
numbers, medical records, and other sensitive information may 
have been compromised.
    A data breach, as we know, is all too frequent, and has 
become common in our digital lives.
    One strategy for business to mitigate cyber or privacy-
related losses is to purchase cybersecurity insurance. While 
some cyber related losses may be covered under a business' 
general insurance policy, the increase of publicly reported 
cyber incidents and data breaches have led insurers to begin 
offering stand-alone policies to cover cyber related risks and 
losses.
    Cyber insurance policies vary greatly but increasingly new 
policies are being developed to cover costs ranging from crisis 
management and response to a data breach, personal or health 
information, to business interruption or damage to critical 
infrastructure systems from a cyber attack.
    While an insurer's primary function is to mitigate 
financial losses, not defend against cyber threats, cyber 
insurance may be a market led approach to help businesses 
improve their cybersecurity posture by tying policy eligibility 
or lower premiums to better cybersecurity practices.
    An example of this relationship is an automobile insurer 
offering good driver discount to a customer who avoids 
accidents or driving violations, providing an additional 
incentive to a driver to be more cautious and attentive. The 
insurance company also wins. Even though the premium they 
receive may be lower, in the end, they have fewer claims to pay 
out.
    The cyber insurance market is one of the fastest growing 
commercial lines of insurance, approximately 50 carriers now 
offer stand-alone cyber policies, and the total written 
premiums were between 1.5 and $2 billion in 2014. Some 
estimates show that the market could grow as high as $5 billion 
by the decade's end.
    During last year, 2014, the number of clients at brokerage, 
Marsh & McLennan, who purchased stand-alone cyber coverage 
increased by 32 percent over 2013. Among their clients, the 
highest take up rates for cyber insurance in 2014 were in 
health care, education, hospitality, and gaming.
    The challenges in the cyber insurance market exists due to 
the difficulty of quantifying the exposure to cyber risk, 
liabilities, and losses, the aggregation of losses due to the 
interconnected nature of IT and the changing cyber threat 
environment.
    Several IT security firms are developing products and 
assisting insurers in either identifying potential threats and/
or offering cyber products or services to better protect their 
networks.
    For instance, a startup named BitSite partners with Liberty 
International Underwriters to externally analyze a company's 
cybersecurity. In one case, BitSite helped discover a dormant 
threat in a company's IT system, and the insurer was able to 
work with the company to avoid the possible breach.
    Another example in my home state of Kansas, Overland Park-
based risk analysts partner with AIG to provide security 
products to some AIG insurance products.
    This Congress considers cyber threat information sharing 
legislation as well as a national data breach notification 
standard.
    There are lots of important questions about developing the 
state of a private insurance market that come to mind. Today, 
we will focus our attention on some of those key questions, and 
I am confident today's expert panel can share their valuable 
insights on these topics.
    I would like now to turn to the Ranking Member, my friend 
and colleague, the Senator from Connecticut, Senator 
Blumenthal.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thank you so much, Senator Moran. I 
really appreciate your convening this hearing on a topic of 
huge importance to the entire country, indeed, the world, and 
certainly to my home state of Connecticut. I want to join you 
in thanking our staff, but most especially the experts who have 
come to be with us today.
    This topic, I can tell you, is of tremendous interest to my 
colleagues. I have spoken to them about this issue over the 
last couple of days. We have a busy day today, so the 
attendance here may not reflect that interest, but I can tell 
you there is no topic more important than cybersecurity to the 
U.S. Senate and maybe to our country.
    At this moment, the Armed Services Committee, and I am a 
member of that committee as well, is having a hearing on the 
budget for our military cyber warfare activities in part. The 
two are inextricably linked, the private security and our 
national defense security.
    As you well know, we are struggling now to deal with the 
problems raised in both spheres, which are very closely linked.
    Hartford, Connecticut is home to the Nation's oldest 
continuously published newspaper, the Hartford Courant, but it 
is also home to many of the world's biggest and greatest 
insurance companies. It is known colloquially as the insurance 
capital of the world. Some may dispute whether any place in the 
world is an insurance capital these days because of their 
multinational activities. Hartford, I think, has the longest 
standing claim to that title.
    We are a small state but we actually still rank number one 
in total insurance jobs as a percentage of total employment.
    I am particularly pleased to see one our nation's experts, 
Michael Menapace, of Quinnipiac University joining us here 
today. Thank you, Michael, for being here.
    I am also happy to be here today to learn, and I really do 
mean learn more about this issue. We all think we know a lot 
about breaches because they are so common, as Chairman Moran 
said, but each in many important respects is different from the 
other, in its consequences and causes, and what can be done to 
prevent these kinds of breaches.
    That is the issue that brings us here today: how to prevent 
them, how to insure against them, and how to use insurance as 
an incentive, as a tool, to provide for stronger prevention.
    The simple and stark fact is that the Internet was not 
built for security. The Internet was not built to be secure. It 
was not intended to be the commercial and financial backbone of 
the post-industrial world. It was designed as an open system, 
and it was based and still is based on anonymity, meant to be 
used among a select group of Government officials and 
university computer scientists.
    Very sadly, it seems like this dynamic has in some ways 
reinforced the picture we see every time we open the newspaper 
to read of millions of consumer records stolen from major 
retailers: Target, Neiman Marcus, Home Depot, Anthem.
    Data breaches are hardly a new phenomenon. When I was 
Attorney General of the State of Connecticut, we tried to deal 
with them in terms of providing protections to consumers, and 
consumers have been facing and paying for data breaches for 
years.
    Consumers are hit the hardest, but the growing threats of 
cyber attacks and data breaches impair more than just our 
consumers, and it is our critical infrastructure now that has a 
huge risk, and has so much at stake. They are increasingly 
hitting the bottom line of our major companies.
    The question is whether insurance can play a role in 
preventing these kinds of breaches, what kinds of insurance are 
best designed to cover damages from security breach or cyber 
attack, and why companies do not more commonly choose to have 
cybersecurity insurance.
    A lot of these companies cite its high cost, lack of 
awareness about what it covers, uncertainty that they will 
suffer a cyber attack as reasons for their decisions or non-
decisions to have insurance.
    I am looking forward to the panel's testimony today to know 
about what has been changing, the dynamics of this industry, 
and what can be done to encourage the growth of this very 
dynamic market, and ultimately increase its positive impact on 
the security of consumers' sensitive information.
    Thank you very much for being here today.
    Senator Moran. Senator Blumenthal, thank you very much. Our 
witnesses are Mr. Ben Beeson, Vice President for Cyber Security 
and Privacy at Lockton Companies. Ms. Catherine Mulligan, 
Senior Vice President of Management Solutions Group for Zurich, 
North America. Ms. Ola Sage, CEO, e-Management, an IT firm from 
Silver Spring, Maryland, and Mr. Michael Menapace, Counsel at 
Wiggin and Dana, who also serves as Adjunct Professor of 
Insurance Law at Quinnipiac University School of Law.
    It is a good thing to have a polling organization so I know 
how to pronounce the University's name.
    Thank you all very much for being here. Mr. Beeson, we will 
begin with your testimony.

  STATEMENT OF BEN BEESON, VICE PRESIDENT, CYBER SECURITY AND 
                  PRIVACY, LOCKTON COMPANIES

    Mr. Beeson. Chairman Moran, Ranking Member Blumenthal, 
distinguished members of the Committee, thank you very much on 
behalf of Lockton Companies for the opportunity to testify 
today.
    My name is Ben Beeson. I am Vice President for Cyber 
Security and Privacy at Lockton. Lockton is the largest 
privately held independent insurance broker in the world. I am 
based in the Washington, D.C. office where I advise clients on 
a cyber risk management strategy that addresses crucially 
people, processes, and technology.
    Our clients face a substantial set of cyber threats today 
that include criminal gangs, disgruntled employees, politically 
motivated actors, and now even nation states.
    Well-publicized attacks have sought to target and monetize 
personally identifiable data and protected health information. 
However, it is also commonly understood that the theft of 
corporate intellectual property is a significant problem with 
non-trivial impacts on innovation for companies and countries, 
and companies also face incidents that can disrupt or destroy 
information technology and other vital assets, even now 
physical assets.
    The key message I would like to convey today is this, we 
believe that cyber insurance is an important market force that 
can drive improved cybersecurity within companies but also 
importantly thereby improve consumer protection and the nation 
as a whole.
    There is an important link there. It should not just be 
seen as a financial instrument to transfer risk from one 
balance sheet to another. As the cyber insurance market 
develops, it will provide incentives for companies to 
understand and better mitigate their risks.
    For example, forward thinking companies invest in workplace 
safety to reduce their Workers' Compensation costs, and in the 
same way, sophisticated companies are investing in strong 
cybersecurity. Those companies ultimately will experience fewer 
losses and insurers will see fewer claims and the premiums will 
be lower.
    In addition, and importantly, simply just engaging in the 
process of seeking cyber insurance coverage can also assist 
businesses to develop the correct approach to mitigate risks. 
It is no longer just the domain of the IT Department.
    Cyber insurance can also act as a catalyst for driving an 
enterprise-wide risk management approach. It can bring all the 
relevant stakeholders together, in IT, Legal, Risk Management, 
R&D, Finance, Human Resources, Communications, and perhaps now 
most importantly, the Board itself.
    So, do not view cyber insurance as just a commodity that 
you may or may not see at the end of this process.
    However, we are not there yet today. The cyber insurance 
market is still young and developing. Companies today spend 
about $2 billion annually on cyber insurance, a fraction of the 
$1 trillion U.S. insurance market.
    Lockton also sees the NIST Framework aligning hand in glove 
with this enterprise risk management strategy. Working closely 
with the Department of Homeland Security to support its 
implementation, Lockton sees the Framework providing the tool 
that is needed to help boards of directors understand in 
layman's terms their current security, areas for improvement, 
and desired future status.
    As insurance brokers, we also advise directors and officers 
on management liability, and we see that cyber risk has now 
entered the governance dialogue. The NIST Framework has proved 
immensely helpful in driving better board discussions.
    Building on a public/private partnership, discussions are 
ongoing with the Department of Homeland Security about the 
possible formation of a data repository to house anonymized 
enterprise loss information. The ability to access anonymized 
loss data, shared between industry and government with 
appropriate privacy protections, would accelerate the growth of 
the marketplace, and crucially accelerate the ability of cyber 
insurance to act as a market incentive for industry to invest 
in cybersecurity.
    In addition, Lockton, and we believe the industry as a 
whole, would welcome the introduction of legislation that would 
reduce barriers and incentivize organizations to share threat 
indicators with government and each other while also protecting 
individual privacy.
    Thank you again for the opportunity to testify, and I will 
be happy to answer any questions you may have.
    [The prepared statement of Mr. Beeson follows:]

 Prepared Statement of Ben Beeson, Vice President, Cyber Security and 
                      Privacy, Lockton Companies
    Chairman Moran, Ranking Member Blumenthal, distinguished members of 
the Committee, thank you for the opportunity to testify today on behalf 
of Lockton Companies.
    My name is Ben Beeson and I am Vice President for Cyber Security 
and Privacy at Lockton Companies. Lockton is the world's largest 
privately held, independent insurance broker. I am based in the 
Washington, DC, office, where I advise clients on a cyber risk 
management strategy that addresses people, processes, and technology.
    Our clients face a substantial set of cyber threats today that 
include criminal gangs, disgruntled employees, politically motivated 
actors, and now nation states. Well-publicized attacks have sought to 
target and monetize personally identifiable data and protected health 
information. However, it is also now well understood that the theft of 
corporate intellectual property is a significant problem, with 
nontrivial impacts on innovation for companies and countries, and 
companies also face incidents that can disrupt or destroy information 
technology and other vital assets.
    We believe that cyber insurance is an important market force that 
can drive improved cyber security for companies--and thus improve 
protection to consumers and the Nation as a whole. It should not just 
be seen as another insurance transaction. As the cyber insurance market 
develops, it will provide incentives for companies to understand and 
mitigate their risks.
    For example, forward-thinking companies invest in workplace safety 
to reduce their workers' compensation costs. In the same way, 
sophisticated companies are investing in stronger cyber security, and 
those companies ultimately will experience fewer losses, insurers will 
see fewer claims, and their premiums will be lower.
    However, we're not there today. The cyber insurance market is still 
nascent and developing.
Cyber Insurance Market Today
    It is estimated that more than 50 insurers domiciled mainly in the 
U.S. and the Lloyd's of London marketplace provide dedicated cyber 
products and solutions today. Buyers are overwhelmingly concentrated in 
the U.S. with little take-up to date internationally. Annual premium 
spend at the end of 2014 was estimated to be in excess of $2 billion 
\1\ with the potential to grow to $5 billion.\2\ Total capacity (the 
maximum amount of insurance available to any single buyer) is currently 
at about $300,000,000. Cyber insurance first emerged at the end of the 
1990s, primarily seeking to address loss of revenue and data-
restoration costs from attacks to corporate networks. However, the 
underwriting process was seen as too intrusive and the cost 
prohibitively expensive, and it was not until 2003, and the passage of 
the world's first data breach notification law in California,\3\ that 
demand started to grow.
---------------------------------------------------------------------------
    \1\ The Betterley Report--www.betterley.com
    \2\ The Cyber Liability Insurance Market 2015--Jim Blinn, Advisen. 
www.cyberrisknetwork.com
    \3\ California S.B.1386
---------------------------------------------------------------------------
What Does Cyber Insurance Cover?
    It is important to understand that insurers do not address all 
enterprise assets at risk. The vast majority of premium spent by buyers 
has sought to address increasing liability from handling personally 
identifiable information (PII) or protected health information (PHI), 
and the costs from either unauthorized disclosure (a data breach), or a 
violation of the data subject's privacy. Insurable costs range from 
data breach response expenses such as notification, forensics, and 
credit monitoring to defense costs, civil fines, and damages from a 
privacy regulatory action or civil litigation.
    Insurers also continue to address certain first-party risks 
including the impact on revenue from attacks on corporate networks, 
extortion demands, and the costs to restore compromised data.
What Does Cyber Insurance Not Cover?
    Theft of corporate intellectual property (IP) still remains 
uninsurable today as insurers struggle to understand its intrinsic loss 
value once compromised. The increasing difficulty in simply detecting 
an attack and, unlike a breach of PII or PHI, the frequent lack of a 
legal obligation to disclose, suggests that a solution is not in the 
immediate future.
    Much attention in the industry is now being paid to risks to 
physical assets from a cyber attack. Much of the credit here must go to 
the Federal Government for directly engaging the industry initially in 
2013 as part of the creation of the NIST Framework and raising 
awareness about the risks to critical infrastructure industries. In the 
absence of actuarial risk modeling data, certain innovative insurers 
and brokers have started to produce solutions that specially address 
property damage, resultant business interruption loss, and bodily 
injury from a cyber attack. However, it is early days, and major 
challenges lie ahead in establishing significant market capacity as 
well as addressing the current ambiguity embedded in legacy property 
and casualty insurance policies.
How Do Insurers Underwrite Cyber Risks?
    Historically, underwriters have sought to understand the controls 
that enterprises leverage around their people, processes, and 
technology. However, the majority of assessments are ``static,'' 
meaning a snapshot at a certain point in time through the completion of 
a written questionnaire, a phone call interview, or a presentation. In 
the wake of significant insurable losses in 2014 and early 2015 to the 
retail and healthcare sectors in particular, a consensus is growing 
that this approach is increasingly redundant. It is Lockton's opinion 
that insurers will increasingly seek to partner with the security 
industry to adopt a more threat-intelligence-led capability as part of 
the underwriting process in the face of threats that continue to 
evolve. The industry (as discussed later) will also increasingly seek 
to partner with government to access industry loss data and analytics 
capabilities.
What Is the Role of Cyber Insurance?
    In the context of building enterprise resilience to counter 
evolving cyber threats, insurance should not just be seen as a 
financial instrument for transferring risk from one balance sheet to 
another. Importantly, the actual process of seeking cyber insurance 
coverage should also be viewed as the catalyst for driving an 
enterprise-wide risk management approach, and ultimately an improved 
security posture.
    It can bring all relevant stakeholders together in IT, Legal, Risk 
Management, R&D, Finance, Human Resources, Communications, and the 
Board of Directors for example. Do not view cyber insurance as just a 
commodity that you may or may not seek at the end of this process.
NIST Framework
    In the same vein, Lockton also sees the NIST Framework aligning 
hand in glove with this strategy. Working closely with the Department 
of Homeland Security to support its implementation, Lockton sees the 
framework providing the tool that is needed to help boards of directors 
understand in layman's terms their current security posture, areas for 
improvement, and desired future status. As insurance brokers who also 
advise directors and officers on management liability, we can 
acknowledge that cyber risk has now entered a governance dialogue, and 
the NIST Framework has proved immensely helpful in facilitating the 
discussion.
Conclusion--A Public/Private Partnership
    Lockton, and we believe the industry as a whole, would welcome the 
introduction of legislation that would reduce barriers and incentivize 
organizations to share threat indicators with government, and each 
other, while also protecting individual privacy. Actuarial data is 
extremely thin on the ground and is holding back the growth in market 
capacity, particularly to address the previously highlighted risks to 
critical infrastructure industries.
    As part of the insurance industry's engagement with the Department 
of Homeland Security, discussions are ongoing about the possible 
formation of a data repository to house anonymized enterprise loss 
information. The ability to access anonymized loss data, shared between 
industry and government with appropriate privacy protections would also 
accelerate the growth of the marketplace, but crucially the ability of 
cyber insurance to act as a market incentive for industry to invest in 
cybersecurity.
    Thank you again for the opportunity to testify, and I will be happy 
to answer any questions that you may have.

    Senator Moran. Thank you very much, Mr. Beeson. Ms. 
Mulligan?

          STATEMENT OF CATHERINE MULLIGAN, SENIOR VICE

             PRESIDENT, MANAGEMENT SOLUTIONS GROUP,

                     ZURICH (NORTH AMERICA)

    Ms. Mulligan. Good morning, Chairman Moran, Ranking Member 
Blumenthal, and members of the Subcommittee. My name is 
Catherine Mulligan. I am a Senior Vice President with Zurich 
(North America) with our Management Solutions Group.
    I lead a market facing team of underwriters who are 
responsible for working with our brokers and customers on the 
placement of cyber insurance.
    I appreciate the opportunity to speak with the Subcommittee 
today, and I apologize for my laryngitis as well.
    As a brief introduction, Zurich Insurance Group is a global 
multi-line insurance provider with a global network of 
subsidiaries and offices, 55,000 employees, and customers in 
more than 200 countries and territories.
    We are the fourth largest commercial property and casualty 
insurer in the United States by gross written premium. Mr. 
Chairman, as I am sure you are aware, we employ over 400 people 
in the state of Kansas.
    Zurich has had a cyber insurance product for over 10 years, 
and we have invested heavily in the last few years in thought 
leadership to address the risk management concerns of our 
customers.
    In October 2014, Dowling and Partners called ``security & 
privacy,'' also known as ``cyber insurance,'' one of the few 
growth markets in the U.S. property and casualty industry, and 
while sources suggest that the current market is $2 billion in 
gross written premium, this number is actually hard to verify 
due to the fact that the coverage can be offered blended with 
other coverages in addition to stand-alone.
    The product was first introduced about 15 years ago and has 
its roots in technology errors and omissions, a third party 
financial damage coverage, and as privacy regulations evolved, 
companies found that they were incurring costs, first party 
costs, to respond to privacy events and comply with these 
regulations, so cyber policies were developed to respond to 
this blend of first and third party costs arising from breaches 
and privacy events.
    In January of this year, the Insurance Information 
Institute reported that market capacity for cyber is on the 
rise, and while this optimism is understandable, given the 
visibility of these issues, the reality is that the shape of 
the marketplace continues to shift.
    Number one, capacity is in flux, so in the Dowling & 
Partners' report in October, they said that over 60 carriers 
wrote the coverage, but that number has since decreased as some 
excess markets are pulling out of the product or reevaluating 
their appetite, and reinsurers are doing the same.
    Pricing is in flux. The insurance industry lacks robust 
actuarial data around the loss experience for a product that is 
still in its nascency. Unlike general liability policies, which 
all commercial enterprises carry, the buyers of this coverage 
are largely in a few key industry sectors, such as health care, 
and in the large company space, over $1 billion in revenue.
    Loss experience is developing. Highly publicized breaches 
have led to direct damages in the hundreds of millions of 
dollars of costs which continue to rise, and liability costs 
have yet to be determined, so what these recent breaches show 
us is that there is a severity potential as well as this 
unknown element as liability issues are resolved in court.
    Coverage and aggregation challenges remain. It is important 
to understand the history of the product as financial loss 
insurance, as the total scope of exposures presented by a 
cybersecurity event currently are beyond the scope of the 
current coverage.
    For example, a cyber attack may cause physical damage, and 
while some limited coverage is available in the marketplace, 
current security and privacy forms generally exclude bodily 
injury and property damage.
    The scope of the exposures is too broad to be solved by the 
private sector alone, not all exposures are transferrable to an 
insurance policy.
    That leads us to the emerging issues of aggregation 
tracking and emerging exposures. Multiple lines of insurance 
may be impacted by a security event. For example, if a public 
company has a significant breach and then has a stock drop as a 
result, they may face a shareholder derivative suit, which can 
then come in as a claim under their directors' and officers' 
liability policy.
    That leads us to the public/private sector cooperation. In 
2015, the World Economic Forum report stated ``The global risks 
transcend borders and spheres of influence and require 
stakeholders to work together.''
    This echoes Chairman Thune's comments from the February 4 
hearing on the NIST Framework, ``Real progress can be made by 
continuing to enhance public/private cooperation and improving 
cyber threat information sharing.''
    Work in this arena, as Mr. Beeson said, includes working 
groups at the Departments of Homeland Security and Treasury on 
the issue of data repositories, which may need to take a couple 
of different forms--sharing of cyber event data, such as attack 
vectors, and cyber insurance data, including claims and 
underwriting information by sector.
    While it is too early to assert any definitive conclusions, 
the potential upside of these repositories would be more 
comprehensive information could help the insurance industry 
develop broader coverage and broader risk management solutions 
for our customers.
    Thank you.
    [The prepared statement of Ms. Mulligan follows:]

   Prepared Statement of Catherine Mulligan, Senior Vice President, 
           Management Solutions Group, Zurich (North America)
    Good morning Chairman Moran, Ranking Member Blumenthal and members 
of the Subcommittee. My name is Catherine Mulligan and I am Senior Vice 
President of the Management Solutions Group for Zurich (North America). 
I lead the market facing team of underwriters responsible for working 
with brokers and customers on the placement of ``cyber'' insurance. I 
appreciate the opportunity to speak to the Subcommittee on the state of 
the cyber insurance marketplace and to share thoughts on some of the 
challenges we are seeing.
    As a brief introduction, Zurich Insurance Group (Zurich) is a 
leading multi-line insurance provider with a global network of 
subsidiaries and offices. Founded in 1872, Zurich is headquartered in 
Zurich, Switzerland with approximately 55,000 employees serving 
customers in more than 200 countries and territories.
    While Zurich is named after the Swiss city where it was founded, we 
are quite proud of our U.S. roots and our global platform for 
diversifying risk. In 1912, Zurich entered the U.S. as the first non-
domestic insurance company and quickly became a leading commercial 
property and casualty insurance carrier.
    Over the last 103 years, Zurich has grown and its U.S. companies 
now employ more than 8,500 people in offices throughout the country 
with major centers of employment in the metropolitan areas of Chicago, 
New York City, Kansas City, Atlanta, Dallas, and Baltimore. Mr. 
Chairman, as I am sure you are aware, we employ nearly 400 people 
throughout the state of Kansas and write coverage in every single 
state. Zurich's U.S. insurance group accounts for roughly 40 percent of 
its total global business.
    As a result, Zurich is the fourth largest commercial property and 
casualty insurer in the United States by gross written premium. It is 
the fourth largest writer of commercial general liability insurance, 
which includes coverages that, among a wide array of other risks, 
protect U.S. manufacturers, importers and retailers against product 
liability losses. In addition to this capacity, Zurich also protects 
many U.S. construction projects throughout the country as the third 
largest fidelity and surety insurer. Zurich protects hundreds of 
thousands of U.S. employees and their employers as the fifth largest 
workers compensation insurer.
    With this context as to who Zurich serves, it was two years ago 
when Zurich's senior leadership decided to act to address the risk 
management questions and concerns raised by many of our cyber 
customers. This began a global thought leadership initiative with the 
Atlantic Council and resulted in a white paper report titled: Beyond 
Data Breaches: Global Interconnectedness of Cyber Risk. This report was 
released in April 2014, and Zurich has shared its findings and 
recommendations with its stakeholder community to generate dialog and 
steps forward to address the cyber threats.
    As cyber attacks occur in ever changing forms on business and 
industry that compromise increasing amounts of sensitive information, 
this hearing is extremely timely to level set what cyber insurance is, 
what it is not, and most importantly some of the challenges marketplace 
actors are seeing.
    I will dive into specifics later in my testimony, but overall here 
is how I see the market. Unsurprisingly given recent high profile 
breaches, so-called cyber insurance is quickly becoming a need for 
commercial customers. However, as a new market it faces a number of 
challenges. Some are somewhat more straightfoward, such as capacity and 
pricing, which are in flux as the industry grows and learns of new 
challenges.
    Yet, others reflect the complexity of the challenge. The term cyber 
insurance is a misnomer. A network security and privacy event--the more 
accurate term of cyber insurance--can also be caused by something 
simple such as improper disposal of paper records. At the same time, 
one cyber event can trigger multiple types of claims, for multiple 
insureds within one company, and even cause physical damage to a 
manufacturer or utility.
    The lesson can be boiled down to the simple fact that the scope of 
the challenge is too broad to be solved by the private sector alone. 
Not all losses from a cyber attack will be or even could be covered by 
an insurance policy. This market is new and evolving daily which will 
require time to fully mature.
Market overview
    In October 2014, Dowling and Partners called security & privacy 
(also known as ``cyber'') insurance ``one of the few growth markets in 
the U.S. Property and Casualty Industry'' with growth potential up to 
$10B Gross Written Premium.\1\ Sources, including Dowling and Guy 
Carpenter,\2\ suggest the current market is $2 billion with five or six 
carriers offering primary coverage. Guy Carpenter also states that the 
six largest carriers have 70 percent of the market share, a statistic 
that remained relevant throughout 2014. These premium numbers are 
difficult to verify. The coverage can be offered on a stand-alone basis 
or blended with other coverages, such as Errors & Omissions.
---------------------------------------------------------------------------
    \1\ ``Cyber Security: with CEO Jobs Now on the Line, It's No Longer 
Just an `IT' Issue.'' Dowling & Partners IBNR Weekly #39, October 20, 
2014
    \2\ Guy Carpenter's State of the Tech/Cyber market report (2012) 
and Management Liability--Market Overview report (Oct. 2013)
---------------------------------------------------------------------------
Coverage overview and history
    The product was first introduced about 15 years ago and has its 
roots in technology errors & omissions coverage. This is a third party 
liability coverage designed to respond to financial damages resulting 
from negligent acts, errors, and omissions in the deliverance of a 
product or service. As our world and economy became more networked, 
privacy issues came to the fore, which led to the development of 
privacy regulations. Companies found they incurred first-party costs to 
respond to privacy events and to comply with these regulations. Network 
Security & Privacy Liability policies were developed to respond to this 
blend of first and third-party costs.
    The product in its current iteration has been in the marketplace 
since around 2009. There is no industry standard policy language, but 
the core elements of the coverage are as follows:

   The third-party liability costs arising from network 
        breaches and privacy events as well as some media liability 
        events;

   The first-party or direct costs a company incurs in 
        responding to a breach. These include forensics analysis, legal 
        guidance in compliant breach response, credit and identity 
        monitoring costs, and the costs associated with a call center 
        and public relations.

    First-party coverages have further expanded to include Business 
Interruption and Extra Expense. This is a familiar coverage on most 
commercial property policies, but here, instead of responding in the 
event of physical loss or damage, this optional coverage can apply to 
direct damages arising from downtime caused by a network security 
breach.
Marketplace shifts
    In January of this year, the Insurance Information Institute 
reported that market capacity for cyber insurance is on the rise.\3\ 
While this optimism is understandable given the visibility of the 
issues and the attention significant breaches have garnered from Boards 
of Directors and C-Suite executives \4\, the reality is that the shape 
of the insurance marketplace continues to shift:
---------------------------------------------------------------------------
    \3\ ``Insurance Industry Leaders Believe Market Capacity For Cyber 
Insurance On The Rise, U.S. Economic Growth On the Upswing, I.I.I. 
Survey Finds.'' Insurance Information Institute, January 14, 2015
    \4\ ``Cyber Security: with CEO Jobs Now on the Line, It's No Longer 
Just an `IT' Issue.'' Dowling & Partners IBNR Weekly #39, October 20, 
2014

---------------------------------------------------------------------------
   Capacity is in flux.

    Dowling & Partners stated more than 60 carriers wrote the coverage 
        as of October 2014. Subsequently, our broker partners tell us a 
        number of excess markets pulled out of the product line or 
        limited their appetite. Business Insurance has reported on 
        major insurers restricting their appetites for challenging 
        industry segments. The London market was tapped out for 
        retailers by December; although capacity refreshed in 2015, the 
        pressure was on to find strong support for growing programs. 
        Reinsurers are also paying careful attention to their 
        aggregations, and some have amended their appetites for 
        supporting the coverage.

   Pricing is in flux.

    The insurance industry lacks robust actuarial data around the loss 
        experience for a product that is still in its nascency. Unlike 
        general liability policies, which all commercial enterprises 
        carry, the buyers of this coverage are largely in a few key 
        industry sectors (such as health care, financial institutions, 
        technology, and retail) and in the larger company space (ie. 
        companies with annual revenues over $1 billion). As loss 
        experience emerges, and underwriters identify new attack 
        vectors, pricing becomes more refined. Some segments, notably 
        retail \5\, are experiencing significant increases in premiums 
        as high profile breaches in the past 12 months have generated 
        substantial first party loss dollars, which continue to rise.
---------------------------------------------------------------------------
    \5\ ``Data breaches prompt insurers to boost cost of retailers' 
cyber coverage,'' Business Insurance, Sept. 28, 2014

---------------------------------------------------------------------------
   Loss experience is developing

    One major retailer, who suffered a highly publicized breach in late 
        2013, is reported to have incurred over $250 million in first-
        party costs in responding to the attack. Those costs reportedly 
        continue to rise, and the liability costs associated with the 
        breach--including liability to consumers and financial 
        institutions--has yet to be determined. This example 
        demonstrates the severity potential as well as the element of 
        the unknown as the liability issues play out in court. 
        Moreover, we see attack vectors shifting, for example, 
        approximately 30 percent of breaches originate with a business 
        partner or vendor, presenting challenges to underwriting the 
        exposures and controls and to responding to breaches.

   Coverage and aggregation challenges remain

    It is important to understand the history of this product. The 
        total scope of exposures presented by a cyber security event is 
        beyond the current scope of coverage. Richard Clarke's acronym 
        \6\ for causes of cyber security events remains applicable. He 
        described them as C.H.E.W.: Crime, Hactivism, Espionage, and 
        War.
---------------------------------------------------------------------------
    \6\ Richard Clarke, ``Cyber War: The Next Threat to National 
Security & What to Do About it'', published 2012

    While most security & privacy policies do not focus on attribution, 
        the trigger of coverage must still be a network security breach 
        or privacy event. We eschew the term ``cyber'' for three 
---------------------------------------------------------------------------
        reasons:

    1.  It is not a defined term in most policies;

    2.  Privacy events may be triggered by an analog event such as 
            improper disposal of paper records containing personally 
            identifiable information;

    3.  A broad term such as ``cyber'' erroneously may suggest that the 
            coverage could respond to every type of damage caused by an 
            attack on a network.

    We understand that customers have a range of exposures that exist 
        beyond the financial loss coverage that is provided under a 
        Security & Privacy policy.

   Top areas of concern include Bodily Injury and Property 
        Damage:

    A cyber attack may cause physical damage to a manufacturer or 
        utility. For example, a December 2014 malware attack to a 
        German iron plant caused fire damage when a furnace's controls 
        were compromised.\7\ In 2014, Insurance Service Offices (ISO) 
        issued exclusions on their general liability forms to clarify 
        that cyber events are not meant to be covered on the general 
        liability policy. While some limited coverage is available in 
        the marketplace, current security and privacy forms generally 
        exclude bodily injury/property damage.
---------------------------------------------------------------------------
    \7\ ``Cyberattack on German Iron Plan Causes `Widespread Damage': 
Report,'' The Wall Street Journal, December 18, 2014

    The scope of the exposures is too broad to be solved by the private 
sector. Not all causes of loss can be transferred to an insurance 
policy.
Emerging issues
 Aggregation tracking and emerging exposures
    Multiple lines of business may be impacted as the result of a cyber 
security event. For example, a significant breach to a public company 
might result in a stock drop, which leads to a derivative suit that 
comes in as a claim under a Directors & Officers Liability Coverage.
    Also, one event might impact multiple insureds. For example, a 
recent breach at a large health insurer has resulted in claims under 
policies for a variety of companies who have business relationships 
with that insurer.
    The current coverage structure and pricing will continue to evolve 
as carriers gain a more comprehensive understanding of the full scope 
of the potential. The insurance industry is working with the public 
sector to shape policies around these issues.
 Public sector
    The 2015 World Economic Forum report states that ``global risks 
transcend borders and spheres of influence and require stakeholders to 
work together.'' \8\ The focus of the report on ``risk interconnections 
and the potentially cascading effects they create'' echoes the theme of 
the Atlantic Council's 2014 study on cyber risk.\9\ The WEF report 
echoes Chairman Thune's comments from the February 4th hearing on the 
NIST framework: ``Real progress can be made by continuing to enhance 
public-private cooperation and improving cyber-threat information 
sharing.''
---------------------------------------------------------------------------
    \8\ ``Global Risks 2015--10th Edition'', World Economic Forum, 
January 2015
    \9\ ``Risk Nexus. Beyond data breaches: global interconnections of 
cyber risk'', Atlantic Council, April 2014
---------------------------------------------------------------------------
    Work in this arena includes working groups at the Department of 
Homeland Security and the Department of Treasury on the issue of data 
repositories. Data sharing may need to take a few different forms: 
sharing of cyber event data, such as attack vectors and scope, and 
cyber insurance data, such as claim and underwriting information by 
sector. While it is too early to assert any definitive conclusions, the 
potential upside of these discussions is that more comprehensive 
information will assist insurers in developing both coverage and risk 
management solutions and best practices for our customers.

    Senator Moran. Thank you very much. Ms. Sage?

            STATEMENT OF OLA SAGE, FOUNDER AND CEO, 
                          e-MANAGEMENT

    Ms. Sage. Good morning, Chairman Moran, Ranking Member 
Blumenthal, and to the other members of the Subcommittee. It is 
an honor for me to be here today, and thank you for the 
opportunity to testify on behalf of my company, e-Management, 
as a small business consumer of cybersecurity insurance 
products.
    My company's journey into the cybersecurity insurance 
market began in 2013. Small businesses had become the fastest 
growing segment for cyber attacks, and I was advising other 
small businesses to obtain appropriate business and legal 
protections, such as cybersecurity insurance.
    However, my company, a 15-year-old IT services and 
cybersecurity firm, was not covered. I decided that needed to 
change. Working through our insurance broker, we began 
researching cybersecurity insurance products but could not find 
products designed specifically for small businesses.
    We submitted applications to several large insurance 
companies, and these applications varied in length and 
substance with very little consistency in the questions asked.
    Comparing the policies against one another was virtually 
impossible, as the language used in one policy was quite 
different from the next, and it was unclear whether or not they 
covered the same conditions.
    Regrettably, I cannot tell you that our selection of a 
cybersecurity insurance product was based on a simple and easy 
analysis of options, and I also cannot say with confidence that 
we picked the best policy for us.
    Our process took 4 months and our policy cost over $10,000. 
This was a significant investment for a company our size.
    We recently passed our one year anniversary, and this time 
around, the process started with a letter from the insurance 
company informing us that our coverage would not automatically 
renew. The abbreviated three page application included one 
cyber-related question that asked about changes regarding the 
security and protection of our facility and network.
    Three weeks later, our policy was renewed. That was the 
good news. The surprising news was that our premium increased 
by 12 percent. Stunned, confused, and frustrated are just a few 
words that described our reaction.
    Our broker explained that there were a variety of factors 
that went into the underwriting process, and in our case, 
ironically, because our revenues grew in 2014 over 2013, that 
appeared to be the primary contributor to our increase.
    After a year of using the voluntary NIST Cybersecurity 
Framework and investing in processes and tools to improve our 
overall cybersecurity readiness, it was discouraging to be in 
essence rewarded with an increase in our premium.
    My experience though is not unique. As I speak to small 
business CEOs across the country, many elements of our story 
resonates.
    In addition, there is a general lack of awareness in four 
areas. One, the need for cybersecurity insurance for small 
businesses. Two, the availability of insurance products on the 
market. Three, what the various policies cover, and last, what 
these insurance products cost.
    I would like to offer three recommendations that I believe 
would encourage more small businesses to take greater advantage 
of cybersecurity insurance products.
    First, increase the awareness of cybersecurity insurance as 
a risk transfer option for small businesses. According to a 
recent industry survey, only a third of small and mid-sized 
businesses are even aware that cybersecurity insurance exists, 
and of that number, only 2 percent actually hold cybersecurity 
insurance.
    With the average annual cost of cyber attacks to small 
businesses reported to be close to $200,000 and the median cost 
of down time reported at $12,500, the majority of small 
businesses just cannot sustain these costs, leading many to 
close their doors.
    Cybersecurity insurance can be an important tool to help 
small businesses manage significant financial exposure.
    Second, make cybersecurity insurance affordable for small 
businesses. Cybersecurity insurance needs to provide meaningful 
coverage that small businesses can actually afford. We believe 
offering competitive cybersecurity products designed for the 
small business market will ultimately lead to better deals for 
small businesses.
    We recommend that insurance companies consider a company's 
use or application of the voluntary NIST Cybersecurity 
Framework as a best practice factor in their underwriting 
processes.
    Third, reward small businesses who are actively managing 
their cybersecurity risks and implementing reasonable security 
measures. Based on our own experience, we strongly believe that 
any small business that uses the NIST Cybersecurity Framework 
can significantly reduce their cybersecurity risk exposure and 
should be preferred candidates for lower premiums.
    In closing, I welcome and appreciate the emphasis that 
Congress, Federal, state, local agencies, and private sector 
organizations have placed on small business cybersecurity 
protection. As the threat and challenge to small businesses 
continues to persist, we at e-Management are committed to 
continuing to work with all parties to identify and develop 
simple and affordable solutions.
    Thank you again for the opportunity to testify, and I am 
ready to answer any questions you may have.
    [The prepared statement of Ms. Sage follows:]

     Prepared Statement of Ola Sage, Founder and CEO, e-Management
Opening Remarks
    Good morning Chairman Moran, Ranking Member Blumenthal, and 
distinguished members of the Committee. It is an honor for me to be 
here today.
    My name is Ola Sage and I am the Founder and CEO of e-Management, a 
small business provider of high-end IT services and cybersecurity 
solutions to clients in the private and public sectors, including the 
largest U.S. Federal agencies. Founded in 1999 and headquartered in 
Silver Spring, Maryland, we employ close to 60 IT professionals who 
deliver services in our core areas of IT Planning, Engineering, 
Application Development, and Cybersecurity. In 2013 we were honored to 
receive the Department of Energy's Cybersecurity Innovative Technical 
Achievement award, highlighting the expertise of our cybersecurity 
experts in designing and implementing advanced cybersecurity detection 
and risk management capabilities. Our newest cybersecurity risk 
intelligence software solution, CyberRx, automates the National 
Institutes of Standards and Technology (NIST) Cybersecurity Framework 
(CSF) and is designed to help small businesses easily measure their 
cybersecurity capabilities, manage their cybersecurity risks, and 
communicate their cybersecurity readiness to internal and external 
stakeholders.
    I am a champion and advocate for Small and Medium-Sized business 
(SMB) cybersecurity readiness. I currently serve as an elected member 
on the Executive Committee of the National IT Sector Coordinating 
Council (IT SCC). The IT SCC, comprised of the Nation's top IT 
companies, professional services firms, and trade associations, works 
in partnership with the Department of Homeland Security (DHS) to 
address strategies for mitigating cybersecurity threats and risks to 
our Nation's critical infrastructure, especially for organizations and 
businesses that are particularly vulnerable such as SMBs. I am also an 
8-year member of Vistage, an international organization of 19,000 CEOs 
that control businesses with annual sales ranging from $1 million to 
over $1 billion. I regularly meet with and speak to small business CEOs 
in Vistage, and other small business forums about why cybersecurity 
should matter to them and how it can affect their ability to keep 
business, stay in business, or get new business. In the last 3 months 
alone, I have spoken to more than 100 SMB CEOs that represent a diverse 
mix of industries.
    Thank you for the opportunity to testify today on behalf of e-
Management as a small business consumer of cybersecurity insurance 
products. In my testimony today, I will discuss:

   My company's involvement with cybersecurity insurance 
        including our application and renewal process

   Perspectives that I have as a CEO and from other CEO's 
        relative to cybersecurity insurance

   Opportunities for the cybersecurity risk insurance industry

   Concluding thoughts
Our Driver
    My company's foray into the cybersecurity insurance market began in 
November 2013 as I prepared for a webinar on cybersecurity titled 
``We've Tipped: 5 Ways to Increase Your Cybersecurity Resiliency.'' The 
webinar discussed the wave of cyber-attacks that were occurring across 
all industries, highlighting the significant increase in attacks on 
small businesses and the impacts--including financial, legal, and 
reputational--that they were having on all sizes of business, including 
the disproportionate and negative impact to small business. According 
to the Cyber Security Alliance, 60 percent of small businesses go out 
of business within 6 months of a significant cybersecurity event.
    Among the five key recommendations I made in the webinar was for 
businesses to make sure they had appropriate business and legal 
protections (e.g., business policies, insurance, etc.). I thought about 
my own company and whether we had taken appropriate steps to include 
business and legal protections in the area of cybersecurity. As a 
company, we had participated for more than a year with NIST as they 
worked with thousands of security professionals in government and 
private industry to develop the CSF. Upon release of the Preliminary 
Draft of the CSF, NIST encouraged companies and organizations to try it 
and provide feedback that could inform the final version (v 1.0 which 
was ultimately published in February 2014). We took the challenge.
Methodology
    In our ``test drive'' of the CSF, we used the Framework as a way of 
assessing our cybersecurity readiness in the five core cybersecurity 
functions (Identify, Protect, Detect, Respond, and Recover) and mapped 
the results to the four Implementation Tiers to help us to understand 
how our current cybersecurity risk-management capabilities measured up 
against the characteristics described by the Framework and to assess 
the degree of risk management rigor we were applying to each of the 
five core functions. Overall, the CSF provided a common language that I 
could use with my management and IT teams in organizing our thinking 
around cybersecurity. We were able to distill where we needed to 
prioritize our efforts and focus our dollars. We found it to be a very 
effective and useful tool.
Our Cybersecurity Insurance Experience
    In addition to technical and operational changes we made after our 
initial CSF readiness assessment, we decided to move forward with 
researching what cybersecurity insurance products were available on the 
market, specifically available offerings for SMBs. As I'm sure it will 
come as no surprise to anyone here, we could not find cybersecurity 
insurance products designed specifically for SMBs. The cybersecurity 
insurance industry was and is still in a nascent stage.
    Working through our insurance broker, we submitted applications to 
several large insurance companies. The applications varied in length 
and substance, with very little consistency in the questions asked. 
When the quotes arrived, they ranged from a couple thousand dollars 
from one insurer to twelve thousand plus for another. Comparing the 
policies against one other was virtually impossible as the language 
used in one policy was quite different from the next and it was unclear 
whether or not they covered the same conditions. As expected, all of 
the policies contained exclusion clauses, however it was not clear from 
policy to policy whether the exclusions were similar or not.
    Regrettably I cannot tell you that our selection of a cybersecurity 
insurance product was based on a simple and easy analysis of options. 
We ended up with a policy that combines cybersecurity liability and 
errors and omissions, but honestly, as I sit here today, I cannot say 
with confidence we have the right policy for us. All told, the process 
from start to finish took four months and cost over ten thousand 
dollars. This was a significant investment for a company our size.
    We continue to regularly monitor and manage our cybersecurity 
risks, and implement preventative measures based on the results of our 
Framework assessment. We call it ``operationalizing'' the CSF. We 
understand it is not possible to achieve 100 percent cybersecurity, but 
as a provider of IT and cybersecurity services, we believe it is 
important to convey to our employees, customers, and vendors that we 
take cybersecurity seriously and understand the potential damage it 
could cause to them. In addition to doing it for the right reason, we 
also see it as a competitive advantage.
    We have taken it a step further. Understanding the value the CSF 
gave us, we wanted to share our experience with other small businesses. 
Drawing on our entrepreneurial instincts, we created and brought to 
market a software solution that automates the CSF in a way that is 
simple and affordable for other small businesses to use. In two hours 
or less, a small business can conduct a ``fitness'' review of their 
cybersecurity readiness in the CSF's five core areas. In addition, the 
small business CEO receives information unique to their company that 
provides them insight into their level of technical, operational, and 
financial exposure. It is actionable risk intelligence. We call it 
CyberRx. CyberRx makes it easy for a small business to understand how 
prepared their business is to identify, protect, detect, respond, and 
recover from cybersecurity attacks and alerts them to areas that need 
attention. They quickly know what areas to focus on and what their next 
steps should be. We use CyberRx in our company today to continuously 
manage our own cybersecurity risks.
Renewing our Cybersecurity Insurance
    This brings me back to our cybersecurity insurance experience. We 
have just passed our one year anniversary and this time around the 
process started with a letter from the insurance company informing us 
that our coverage wouldn't automatically renew. We received an 
abbreviated application (3 pages vs 15) which we completed and sent 
back. There was only one question around cybersecurity asking whether 
there had been any changes regarding the security and protection of our 
facility and network. The instructions indicated that if the response 
was ``Yes'', we needed to indicate if we had experienced a security 
breach? As we thankfully did not experience a breach (that we know of) 
we were able to answer no. We received our renewed policy in 
approximately three weeks, which was the good news. The surprising news 
was that our premium increased by 12 percent.
    Stunned, surprised, frustrated, confused, discouraged, etc. are all 
words that would accurately describe our reaction. After a year of 
investing in processes and tools to strengthen our cybersecurity 
posture, the result was an increase in premiums. Doing the right thing 
didn't seem to pay, literally. We went back to our broker to better 
understand how this could have happened and were informed that there 
were a variety of factors that went into the underwriting process. In 
our case, ironically, because our revenues grew in 2014 vs 2013, that 
appeared to be the primary contributor to the increase. When we asked 
whether or not using the CSF could be a factor, our broker wrote that 
``although they do not specifically inquire as to whether or not an 
insured is following the voluntary cyber security framework provided by 
NIST, they obviously take into consideration any preventative measures 
an insured implements when underwriting a risk.''
SMB CEO Perspectives
    My experience is not unique. As I speak to small business CEOs 
across the country, there is a general lack of awareness about (1) the 
need for cybersecurity insurance; (2) what cybersecurity insurance 
products exist on the market; (3) what the various polices cover; and 
(4) what the costs are.

  1.  The need for cybersecurity insurance

    Many SMB CEOs just don't believe they have anything cyber hackers 
        would want. ``We're too small,'' some will say, believing that 
        hackers are only interested in the large companies where they 
        can get more ``bang for their buck.'' Interestingly, another 
        subset of SMB CEOs believe that cybersecurity insurance is 
        already included in their professional liability coverage, and 
        therefore do not see the need for additional or separate 
        coverage.

  2.  Availability of cybersecurity insurance products

    Of the 100 or so SMB CEOs I have spoken to over the past three 
        months, easily 70 percent were not aware of what cybersecurity 
        insurance products are available on the market. Once informed 
        they were curious to learn more. This aligns with a recent 2015 
        survey by Gartner company, Software Advice, who reported that 
        after defining cyber insurance to the SMB decision-makers in 
        their survey, they found that a combined 52 percent were either 
        ``very'' or ``moderately'' intrigued, with another 32 percent 
        ``minimally'' intrigued, giving an overall 84 percent who 
        expressed some level of curiosity.\1\
---------------------------------------------------------------------------
    \1\ http://www.softwareadvice.com/security/industryview/cyber-
insurance-report-2015/

---------------------------------------------------------------------------
  3.  Policy Coverage

    Understanding what the different cybersecurity insurance policies 
        cover can be a challenge, not just for SMBs, but also for many 
        brokers. There does not appear to be any common terminology or 
        contract organization amongst carriers, thus making it 
        difficult and costly to truly understand what an individual 
        policy covers and to compare competing insurance products.

  4.  Cost of Coverage

    The cost of cybersecurity insurance varies widely. Our own 
        experience with a range of quotes from $2,000-$13,000 is not 
        uncommon. This large variance can discourage SMB CEOs from 
        making needed investments in cybersecurity insurance. In 
        addition, for many SMBs, such rates are cost prohibitive for 
        what they might consider ``elective'' insurance. Given the 
        challenges with understanding and comparing the scope and 
        coverage of various insurance products on the market, SMBs may 
        incur additional costs in connection with the placement or 
        renewal of insurance in addition to the cost of the insurance 
        itself.
Opportunities for the Cybersecurity Risk Insurance Industry to Assist 
        SMBs
    There is no 100 percent level of cybersecurity. At e-Management, we 
strongly believe cybersecurity readiness is about risk management. We 
offer the following straightforward recommendations that we believe 
would encourage SMBs to take greater advantage of cybersecurity 
insurance products.

  1.  Increase awareness of cybersecurity insurance as a risk transfer 
        option for small businesses.

    Cybersecurity insurance can be an effective tool to help small 
        businesses manage their financial risk and should be a key part 
        of a company's cyber and information security practice. Several 
        years ago, Symantec reported that the average annual cost of 
        cyberattacks to small businesses was $188,242 with median cost 
        of downtime for an SMB reported at $12,500 per day. These costs 
        can be devastating, in many cases leading small businesses to 
        shut their doors. However, a majority of small businesses are 
        not aware of cybersecurity insurance. According to the 2015 
        survey by Software Advice, only a third of small and midsize 
        businesses are even aware that cybersecurity insurance exists 
        and of that number only 2 percent actually hold cybersecurity 
        insurance. I understand that in the last year there have been 
        extensive discussions among government, private companies, 
        insurance groups, and other relevant stakeholders about 
        expanding the role of cybersecurity insurance in public and 
        private industry business agreements. While I think this is a 
        necessary and important conversation to have, I encourage these 
        discussions to continue to be as thorough and transparent as 
        possible including a full review of potential impacts or 
        consequences that particular policy decisions could have, 
        particularly to SMBs.

  2.  Make cybersecurity insurance affordable for SMBs

    Cybersecurity insurance needs to provide meaningful coverage that 
        SMBs can actually afford. Various industry reports indicate 
        that SMBs continue to be the fastest growing segment of 
        cyberattack victims, creating a huge vulnerability, not just 
        for the SMBs, but for their customers, vendors, and suppliers. 
        We believe offering competitive cybersecurity insurance 
        products designed for the SMB market can lead to better deals 
        for SMBS. We recommend that insurance companies consider a 
        rating system based on the CSF that underwriters could consider 
        as a factor in the underwriting process. SMBs that demonstrate 
        use of the CSF could receive a higher rating as they have 
        mitigations in place which line up with industry standards and 
        best practices.

  3.  Reward SMBs who are actively managing their cybersecurity risks 
        and implementing reasonable security measures.

    In 2014, the Online Trust Alliance indicated in a report that 90 
        percent of the year's breaches could have been prevented if 
        organizations implemented basic cybersecurity best 
        practices.\2\ The CSF is a model cybersecurity best practice 
        and offers a defensible way to assess and manage cybersecurity 
        risks. Based on our own experience, we strongly believe that 
        any small business that uses the CSF can significantly reduce 
        their cybersecurity risk exposure. Small businesses that are 
        actively managing their cybersecurity risks should be preferred 
        candidates for lower premiums and tax incentives.
---------------------------------------------------------------------------
    \2\ https://www.otalliance.org/news-events/press-releases/ota-
determines-over-90-data-breaches-2014-could-have-been-prevented
---------------------------------------------------------------------------
Conclusion
    At e-Management, we continue to find the CSF to be a useful tool in 
helping us and other SMBs organize the way we think about cybersecurity 
risks and the best practices we need to implement to reduce our overall 
cybersecurity risk exposure. We appreciate the emphasis that Congress, 
NIST and the DHS have placed on educating SMBs about the increasing 
cybersecurity threat and raising awareness of the CSF. We welcome 
continued efforts in this area and encourage the addition of 
cybersecurity insurance in the discussion as another tool that SMBs can 
consider along with other risk management solutions.
    While simply obtaining cybersecurity insurance cannot be viewed as 
a silver bullet, I believe cybersecurity insurance can be an important 
tool in helping SMBs manage significant financial exposure associated 
with a successful cyber attack. As the cybersecurity threat and 
challenge to small business continues to persist, we at e-Management 
are committed to working with government and industry to identify and 
develop simple and affordable solutions that enable small businesses to 
strengthen their cybersecurity readiness and posture.
    Thank you again for the opportunity to testify, and I am ready to 
answer any questions you may have.

    Senator Moran. Thank you very much. Mr. Menapace?

 STATEMENT OF MICHAEL MENAPACE, COUNSEL, WIGGIN AND DANA LLP, 
 AND ADJUNCT PROFESSOR OF INSURANCE LAW, QUINNIPIAC UNIVERSITY 
                         SCHOOL OF LAW

    Mr. Menapace. Good morning, Senator Moran, Senator 
Blumenthal. Thank you for inviting me to today's hearing.
    I have submitted written testimony, but I appreciate the 
opportunity to highlight a few of the issues that I discussed 
in that testimony, including the evolution of cyber insurance 
and its cost drivers, breach notification requirements, data 
breach information sharing, and data protection standards.
    As you have heard, in the early 2000s, a small group of 
insurers did start offering cyber insurance. Those early 
insurers have now acquired somewhat significant experience and 
are sophisticated participants in this specialized market, but 
the market also has smaller insurers who are less experienced 
and do not necessarily have the same level of expertise as the 
market leaders, and have less mature books of business.
    When cyber insurance was first conceived, we originally 
thought the cost driver would be third-party litigation against 
insureds as well as first-party property losses. While 
litigation is still an important consideration, there was not 
an appreciation at that time of what would become the cost 
drivers.
    According to several industry sources, data breach response 
costs, sometimes referred to as ``crisis response costs,'' now 
account for up to 50 percent of the cost of data breaches. 
These response costs include technology forensics services, 
legal guidance, consumer notification, credit monitoring, call 
centers, public relations.
    With regard to the legal guidance and consumer 
notification, there is an available strategy to lower the 
costs. Currently, there are 47 states with separate breach 
notification laws, some of which are inconsistent with each 
other.
    As a result, when a breach occurs, businesses and insurance 
companies engage lawyers like me to perform 47 legal analyses 
based on the facts at hand. As you can imagine, 47 separate 
legal analyses can get expensive. Moreover, the diversity of 
the 47 states means that a consumer in one state may be 
notified while a consumer impacted by the same breach who lives 
in another state may not be notified.
    A single Federal standard that preempts the current 
patchwork could save time and expense and provide for the 
uniform treatment of consumers.
    With regard to data sharing, I mentioned that some insurers 
have mature books of business, and they rely on their own 
proprietary analytics to analyze the data they hold. Other 
market participants, however, could benefit by accessing a 
nationwide pool of data to help them decide which risks to 
underwrite and the appropriate premiums to charge.
    A nationwide database of cyber breach information, 
particularly with regard to the origins and causes of the 
breaches, could also assist non-insurance businesses as they 
assess their own processes and protocols and look to spot 
trends with the goal of avoiding loss.
    I appreciate the competing positions and interest on this 
issue, but whether the database is created and maintained by a 
public agency, the private market, or a public/private 
partnership, I do believe the market as a whole could benefit 
from sharing information about data breaches.
    Finally, I would like to say a few words about data 
protection standards. HIPAA provides one model, it provides the 
model of Government mandated data protection standards. Another 
model is the development of flexible industry led and voluntary 
guidance for specific industries, like we have with the NIST 
Framework.
    Now, the existing NIST Framework cannot simply be applied 
to other industries, but it is an example of what a public/
private partnership can look like. That type of framework can 
inform businesses on their own practices, and even though they 
are largely subjective in nature and therefore of limited value 
to insurance actuaries, the goal and guidance in the Framework 
could be incorporated by insurers as part of their underwriting 
considerations.
    Appropriate data protection practices will likely evolve 
over time without government involvement, but government 
involvement or encouragement could be an efficient way to help 
the standard evolve more quickly across a variety of markets.
    I am happy to answer and respond to any questions.
    [The prepared statement of Mr. Menapace follows:]

 Prepared Statement of Michael Menapace, Counsel, Wiggin and Dana LLP; 
           Adjunct Professor of Law, Quinnipiac School of Law
    Sen. Jerry Moran, Sen. Blumenthal, and other members of the 
Subcommittee--

    I am pleased to provide testimony today concerning this Committee's 
interest in the growing cybersecurity insurance market, the evolution 
of the insurance coverage, opportunities to strengthen the insurance 
industry, and the insurance market's impact on cybersecurity.
    I would be pleased to respond to specific questions posed by the 
Committee and I would like to cover in my testimony several specific 
issues concerning the evolving cyber insurance marketplace. 
Specifically, I would like to discuss the cost-drivers for cyber 
insurance, the role that the insurance industry and the government can 
play in helping in the development and evolution of standards for 
breach notification, the sharing of data breach information, and 
flexible, industry-specific standards for protecting consumer data.
    The testimony I provide is my own and not necessarily that of any 
of my firm's clients.
Background and Introduction
    I practice law at the law firm of Wiggin and Dana after having 
previously practiced at a large international law firm. In addition, 
for the past 6 years, I have taught Insurance Law at the Quinnipiac 
University School of Law and have published articles and books on a 
variety of property and casualty insurance issues. In my law practice, 
I, along with my colleagues, represent companies in a broad spectrum of 
industries by helping them develop data security and privacy protocols 
and procedures, and I represent insurance companies in several areas, 
including cybersecurity. In both my academic role and in private 
practice, I have the opportunity to work closely with businesses in 
many market segments, insurance companies, and regulators.
    Examining the intersection of insurance and cybersecurity is an 
important and timely topic for this Committee. Insurance often evolves 
slowly, but we are in the midst of a period in which technological 
advancements and the development of a relatively new product are 
occurring simultaneously. No doubt, we are living through a dynamic 
period in the insurance industry and we should not underestimate the 
importance of the insurance industry in terms of risk transfer and the 
information insurers provide to insureds on loss mitigation strategies 
and loss trends.
    The insurance industry is in a unique position to help regulators, 
businesses, and consumers assess and respond to the ever-growing threat 
of data breaches. Insurers can help businesses and consumers respond 
quickly and efficiently when breaches unfortunately, but inevitably, 
occur. Insurers have first-hand experience with large amounts of 
consumer data. Moreover, insurers are in the business of examining and 
responding to risks, tracking emerging trends, and finding ways to 
mitigate their impact. Indeed, insurers often provide information and 
best practices to their insureds to help avoid losses.
    By definition, insurers deal with events that are uncertain from 
the viewpoint of the insured. There is an element of fortuity at the 
heart of insurance that insureds cannot predict. While this element of 
uncertainty is present to insureds, insurers can pool large amount of 
data and experience to see trends as they evolve--this helps them price 
insurance policies appropriately and remain in a financial position to 
pay claims.
    In addition to the traditional goal of providing risk transfer, 
insurers can help insureds avoid loss in the first instance. For 
example, insurers have traditionally helped in the development of 
safety programs to help employers and employees avoid workplace 
injuries. Obviously, such programs help workers, but they also assist 
the purchasers of insurance by bringing down premiums. In all, the goal 
of the insurer is for their insureds to avoid losses and to make those 
losses that inevitably occur smaller and easier to rectify.
    The insurance market can play a similar role in cybersecurity with 
risk transfer products and sharing information and experience with 
their insureds.
Evolution of Cyber Coverage
    There are some insurers, particularly the large insurers, who have 
been writing some form of cyber coverage for well over a decade. They 
have become quite sophisticated and efficient in providing excellent 
risk transfer products to a variety of markets. However, there are 
approximately 40 insurers in the U.S. that are currently providing 
cyber coverage, and among those insurers are some that are relatively 
small by comparison to the market leaders and who are less experienced 
and sophisticated in providing cyber insurance. While the insurance 
market as a whole could benefit from the topics we are discussing 
today, it is the smaller companies and those with a less mature book of 
business that would likely benefit the most--and, by extension, their 
insureds would see benefits in the form of lower premiums and thriving 
insurance marketplace.
    I will discuss breach notification standards, the sharing of data, 
and the development of data protection standards in a few moments, but 
I would first like to discuss how the cyber insurance market has 
evolved to where we find it today.
    During the ``dot com'' boom of the early 2000s, some insurers 
started offering insurance products for technology companies. 
Originally, those insurers provided first party property loss coverage 
along with some third party liability coverage. The first party 
property loss coverage was designed to cover, for example, losses the 
policyholder experienced for damage to its own technology equipment and 
infrastructure. The third party liability coverage was designed for 
exposure to third party lawsuits against the insureds.
    The early coverage was written that way because, in those nascent 
years, the insurance market believed that the liability losses would be 
driven by the cost of defending lawsuits and paying settlements or 
judgments as a result of those lawsuits. But the predictions on the 
cost-drivers were not entirely accurate and today's products have 
developed to reflect this reality.
    While third party lawsuits are still one factor insurers consider 
how they draft policy wordings and price the coverage they offer, we 
have seen that data breach response costs have come to the forefront in 
the minds of insurers and insureds alike.
    Neither insurers nor insureds anticipated that these breach 
response costs, sometimes called crisis service costs, would be the 
significant cost drivers that they have become. These breach response 
expenses have become costs drivers for several reasons, including the 
fact that many data breach lawsuits are dismissed in the early phases 
of litigation. These lawsuits are often dismissed because the 
plaintiffs cannot show or even plead concrete damages--in response to 
breaches, businesses or their insurers often provide credit monitoring 
at no cost to consumers and until actual damage to the consumer can be 
alleged as a result of the data breach, the damages are speculative. 
Obviously for those cases that are dismissed, there are no settlement 
or judgment costs borne by insurers and the defense costs are 
extinguished, whereas every breach will have breach responses expenses.
    According to a recent insurance industry survey, the initial crisis 
service costs account for about half of all data breach costs. Those 
breach response services include technical forensic investigations, 
attorney oversight, breach notification to and credit monitoring for 
affected consumers, call centers, and public relations services. The 
other half of the costs go towards legal defense and settlement, 
regulatory response and defense, regulatory fines, and fines imposed by 
credit and debit card issuers.
A Federal Breach Notification Standard--Reducing the costs of breach 
        responses and treating consumers equally
    As of today, the are 47 states, plus Puerto Rico, Washington D.C., 
and the Virgin Islands, that have requirements for notifying customers 
after the unauthorized access of personally identifiable information or 
protected health information. Many of these state requirements also 
require notification of the state attorney general when a certain 
number of residents have been impacted.
    But, these state requirements are not uniform in terms of when they 
are triggered and what information must be contained in the consumer 
notices. Therefore, when responding to a nationwide incident, lawyers 
like me must assess the impacted data and consumers under 47 different 
sets of requirements. Among the questions we must ask for each state 
are:

        Has the breach notification standard been triggered?

        Must the consumer(s) be notified under the facts of the 
        incident?

        What information must be contained in the notification?

        Must we notify state regulators or attorneys general?

        Must notice be given in a specific timeframe?

        Are we required to provide specific consumer protection 
        services such as identify theft insurance and/or credit 
        monitoring?

    This 47-state exercise can be a costly endeavor and, frankly, can 
result in a situation where some consumers and state officials are 
notified in one state while consumers and officials in other states are 
not notified about the very same incident. As both industry members and 
regulatory authorities have noted, this current patchwork quilt of 
state breach notification requirements creates gaps in consumer 
protection as well as additional burdens for businesses that experience 
cyber-attacks
    A nationwide standard for breach notification that preempts state 
law requirements would eliminate the time, expense, and inconsistencies 
involved in the 47-state analysis for each breach and would provide for 
uniform treatment of consumers. I note, however, that any such Federal 
standard must carefully consider the time-frame within which business 
must notify consumers whose data may have been affected. The time-frame 
must balance the needs of timely notice to consumers with the concern 
of providing consumers with accurate information. Increasingly, large 
breaches involve complex attacks that require equally complex forensic 
investigations to determine the actual scope of data losses.
Nationwide Data Clearinghouse--Assisting underwriting and spotting 
        trends
    There are many lines of insurance that have fairly standardized 
coverage terms and conditions regardless of which insurer is issuing 
the coverage. For example, the vast majority of general liability 
policies purchased by businesses are based on standardized policy 
language. The Insurance Services Offices, Inc. (ISO), publishes 
standard liability policy language for many lines of property and 
casualty insurance. Insurers can choose to adopt the ISO forms and, in 
the case of general liability policies, most insurers do adopt the ISO 
policy or use policy wording that is very similar.
    However, there is no standard insurance policy language for cyber 
insurance. ISO did recently publish cyber coverage terms, but I know of 
no insurer that has adopted the ISO policy terms or has plans to do so 
in the near future.
    Among the approximately 40 insurers that offer cyber insurance, 
there are some with significant experience and who have policy language 
that they have developed over the course of more than a decade of 
experience. Those insurers are comfortable with their policies even 
though they will undoubtedly continue to evolve. Other insurers, some 
who are newer entrants into the cyber insurance market and others who 
are looking to differentiate themselves from their competitors, have 
their own policy language that has not been tested to the same extent 
as the policy terms used by the insurers with more mature books of 
business.
    Understanding these differences in policy language from one insurer 
to another can be a challenge to insurance purchasers and brokers, but 
the diversity in the market also gives purchases more choice to 
purchase insurance tailored to their specific needs.
    In and of itself, this diversity of policy terms and conditions is 
not problematic for individual insurers. What can be challenging for 
some insurers is making sure they have enough data to make prudent 
underwriting decisions when they sell policies.
    For insurers to have good underwriting in terms of deciding what 
risks to insure and how to price the coverage, it is important for them 
to have a good data set of past experience and loss information. There 
are some insurers who have been active in the cyber insurance space for 
a long time, they have developed their own database of loss experience, 
have a mature book of business, and have refined their criteria for 
underwriting decision. But, for the smaller insurers and for new 
entrants into the market, they do not necessary have the same 
foundation from which to make underwriting decisions.
    A nationwide database or clearinghouse for data breach information, 
specifically recording how each breach occurred and who was responsible 
for the breach, could be helpful to the insurance market generally and 
for businesses that are implementing their own data protection 
practices, processes, and protocols. Insurers could use the information 
to supplement their existing underwriting criteria. In addition, 
businesses in many industries could use the data to learn about the 
causes of other breaches and apply that information to improve their 
own efforts to keep consumer information safe. All market participants 
would be able to use the data, for example, to spot trends in cyber-
attacks and hopefully respond before those attacks are repeated.
    I do not intend to imply that insurers are making underwriting 
decisions in a cavalier or uninformed manner. But there is no doubt 
that not all breach incidents receive national attention in the press 
and a nationwide database to which business could report information 
and from which they could learn from others could be a positive force 
in combating the evolving threat of cyber intrusion and data 
misappropriation. The Federal Government could play a role in 
encouraging the creation of and participation in such a clearinghouse.
    I can envision several ways the database or clearinghouse could be 
established and administered, either by private market participants, 
the Federal Government, or a public-private partnership. I do not have 
a view on the best method to accomplish this, and I concede there is 
debate on whether this kind of sharing is prudent, but there is a valid 
argument that more information can be a net positive for the market in 
general.
Flexible and Industry-Specific Data Protection Guidelines--Assisting 
        Businesses and Underwriters
    As this Committee and the other witnesses here today know, there 
are data protection standards that have been imposed on, or adopted by, 
certain business segments. For example, HIPAA provides, among other 
things, a set of national standards to protect personal health 
information and applies to ``covered entities'' and ``business 
associates.'' This is an example of government imposed standards. On 
the other hand, the NIST Cybersecurity Framework that was published 
about a year ago provides a different model from HIPAA. As this 
Committee is aware, the NIST Cybersecurity Framework was a 
collaborative effort between industry and government and consists of 
processes, guidelines, and practices to promote the protection of 
critical infrastructure. The prioritized, flexible, repeatable, and 
cost-effective approach of the Framework helps owners and operators of 
critical infrastructure to manage cybersecurity-related risk. The 
Framework is not a fixed, uniform standard, but instead is a 
generalized framework for managing cyber-risk based on a continuous 
cycle of threat assessment and risk mitigation measures which can be 
customer by industry sector and by each organization. While still 
evolving, the Framework may over time become a baseline or benchmark of 
cybersecurity preparedness in some sectors.
    There are other markets and industries that have neither legally-
mandated nor widely-adopted voluntary security standards and guidance. 
For example, the mobile apps industry, education institutions and 
retailers do not yet have industry-specific guidance on what 
protections they should employ to protect the data they collect, use, 
and store. As a result of recent `mega' data breaches, such as Target 
and Home Depot, we may see more coordinated industry efforts in this 
regard.
    Industry guidance, even if voluntary, can serve several purposes. 
One, it could provide a standard that businesses can use to gauge their 
own policies, protocols, and procedures. Two, the insurance market can 
look to that industry-specific guidance during the underwriting process 
to assess whether to underwrite a specific business and what price is 
appropriate for coverage. The NIST Framework contains subjective 
criteria--it is not a list of quantifiable metrics. Nevertheless, 
businesses can look to such frameworks as they examine their own 
business practices and as they consider what to expect when applying 
for cyber insurance.
    Insurance company actuaries may find the Framework less helpful, 
but guidance like the NIST Framework can provide some common 
expectations that insurers and insureds alike can use. Three, when 
government sponsored guidelines are industry-led, market participants 
can have some confidence in the standard that will be applied by a 
regulatory body in a post-breach inquiry. And, four, the standards 
could be a useful tool as private litigants and courts look to the 
appropriate standard of care that a business should be held to.
    It seems that the intent of any guidance or standards is to provide 
businesses with data protection expectations or best practices. But as 
a secondary benefit, insurers could choose to use the guidance as part 
of the criteria considered during the underwriting process.
    Any data protection guidance or framework, however, consistent with 
the approach of the NIST Framework, must be industry specific. For 
example, the data protections guidelines applicable to retailers are 
different than those applicable to entertainment companies, banks, 
education institutions, or health care providers to name just a few 
industries with uniquely specific needs.
    In addition, the industry standards must remain flexible to 
accommodate the size of the company, the data at issue, and technology 
as it emerges. Software will change, existing technology will continue 
to evolve, and we will see the use of wearable technology, drones, and 
the Internet of Things expand in use. Therefore, any government-
sponsored or encouraged security guidance must be able to adapt in real 
time and should be technology-neutral and risk-based.
    Insurers understand already that business should not be required to 
use specific software or hardware. Instead, when deciding whether to 
cover a particular business or how much the coverage should cost, 
insurers sometimes are more interested generally in the business's 
culture towards data protection. If a company is committed to securing 
the data it holds, that company will likely update its software, its 
procedures, and its processes, making insurers more likely to 
underwrite coverage for that business. In examining the data protection 
culture of a business, cybersecurity frameworks, like the NIST 
Framework, can be useful tools even though, as stated earlier, they 
will not provide the actuaries with objective metrics on a particular 
insured or industry.
    If the government decides not to move forward with security 
guidelines for particular industries, such industry-specific standards 
and expectations will nevertheless likely develop over time in the 
marketplace. But, a partnership between the government and private 
industry could accelerate the development and adoption of flexible 
guidelines that will, ultimately, benefit consumers without restricting 
innovation.
    Getting businesses to examine their own practices in the course of 
purchasing insurance does have a recent precedent. Several years ago, 
when insurers started asking their business customers how they viewed 
their susceptibility to climate change impacts and what they were doing 
to address those risks, some business began looking at those issues for 
the first time and responded accordingly. There was no government 
mandate for insurers to ask these questions, but insurers did so 
because they saw that climate change risks could impact their customers 
and, by extension, themselves. The insurance market could spur the type 
of self-examination by businesses with cybersecurity measures and there 
does seem to be a role that the government can play to encourage this 
outcome. In the end, if insurers are confident that their concerns have 
been incorporated into any cyberssecurity guidance that is developed 
and they adopt that guidance as part of their underwriting processes, 
businesses will be encouraged and incentivized to address those issues 
even if security standards are not mandated by the government.
    I thank you for the opportunity to provide this testimony and am 
available to try to address any specific questions the Committee has 
for me on these or related topics.

    Senator Moran. Thank you very much. We appreciate the 
testimony. I look forward to the dialogue that now will occur 
with you.
    Let me start with a typical congressional question, which 
is about legislation. You, Mr. Menapace, talked about the 
standard, the information sharing. Mr. Beeson, you indicated 
the industry would be supportive.
    As you heard me say and maybe know, this subcommittee had a 
hearing a few weeks ago on those topics, what the standard 
should be, how it should be enforced.
    Let me ask, if you were in our shoes, and this is really a 
question to all the witnesses, if you were in the shoes of a 
Member of Congress, what is the legislative solution that would 
drive the increase in an insurance market, and what I think 
would be the consequence of that would be better security 
practices and less opportunity for breach.
    What public policy should we pursue, what legislation 
should be passed by Congress that would enhance the chances for 
that scenario to occur?
    You do not sound like you are from Kansas City, but we 
consider you one of us.
    Mr. Beeson. Thank you, Chairman. I think as you heard in my 
testimony, there is a real linkage between improved 
cybersecurity and potentially the growth of the insurance 
market itself. I was arguing that more statistics can help 
drive that, more data can help drive that, but equally, if 
there was legislation passed that helps industry improve its 
security posture, which I believe the proposed legislation to 
do with threat indicator information sharing between industry 
and Government and between industry.
    As we have seen, that has been very effective already in 
some of these ISACs, information sharing analysis centers, 
within the private sector. Actually, it would help industry 
improve its security and thereby help the insurance market sign 
onto risks, if you like, that it otherwise would not have done. 
That would in and of itself help grow the market.
    Senator Moran. Anyone else? Ms. Mulligan?
    Ms. Mulligan. Thank you, Mr. Chairman. I would support what 
Mr. Menapace said around a national database of information 
because the breaches right now are really outpacing the usual 
time it would take for an insurance product and pricing to 
develop.
    That information would help us, as Ms. Sage points out, 
differentiate the pricing and the coverage for different sizes 
of insurance and industry segments.
    Senator Moran. You agree with Mr. Menapace about the 
national standard as compared to 40 some states?
    Ms. Mulligan. I agree with him actually on both points, the 
national standard for notification, because that would 
streamline the process and the cost for insureds, but also on a 
data repository of sharing information.
    Senator Moran. I am actually surprised that there is enough 
information in today's current world for you to price an 
insurance policy. What is out there that allows you to have 
this market to the degree that it exists today?
    Mr. Beeson. As you heard from Mr. Menapace, the cyber 
insurance market has been around for roughly 15 years, and 
really since the first breach notifications in California in 
2003, the market has built up data.
    Specifically, it is important to delineate this, because 
there are different types of assets at risk here. The cyber 
insurance market is focused primarily on the risks of handling 
personal data, consumer, patient, employee. There is quite a 
bit of data around to model, ``data'' being statistics, around 
frequency severity, to model the risk in that area.
    The problem at the moment is there is a dearth of 
information now as the risk has morphed, for example, into the 
risk of physical assets. On the utility, maybe I am not so 
worried or that is not my primary concern, handling of personal 
data. I am more worried about physical damage to the turbine 
from a cyber attack, for example. That is very challenging 
right now, and frankly, ambiguous as well for the insurance 
industry in terms of how to handle that.
    Senator Moran. While the industry is growing, it is growing 
everywhere, but different from segment to segment, it is 
coverage to coverage, the type of risk that you are insuring?
    Mr. Beeson. As I say, to some extent, this is a symptom of 
the insurance industry, it is fairly siloed and risks are 
looked at in different boxes, if you like, with different 
specialist underwriters.
    Cyber is a challenge, of course, because it sits across 
just about everything, and it is only recently, and thanks 
really to the Federal Government shining the light on the issue 
through the creation of the NIST Framework, that cyber is being 
viewed in a much broader perspective.
    It is not just about data breaches. It is actually now 
also--I think this in many ways should be seen perhaps as a 
greater concern to Government. It is a critical infrastructure 
industry, many of which are more worried about physical damage, 
business interruption loss, bodily injury, as Ms. Mulligan 
hinted on as well.
    That is where there is a real challenge right now in the 
marketplace, and where the focus is shifting. I am not saying 
the handling of personal data is not an issue. It certainly is, 
and we have seen that over the last year. There is no doubt 
about that. It is much broader than that now.
    Senator Moran. Do the suggestions that you have made 
regarding public policy improve the circumstances for all the 
silos you described?
    Mr. Beeson. Certainly, as I mentioned before, I support the 
threat indicator legislation. I think frankly if you talk to 
experts in the security industry in particular, they will tell 
you security has to become more intelligence based to tackle 
this problem, and clearly threat information is key to that.
    There is a whole debate about legacy defenses around 
firewalls' intrusion detection systems, which is still 
important, but they are not enough. How do we provide industry 
with that type of intelligence, and I think public policy or 
legislation proposed around threat information would be hugely 
helpful.
    Senator Moran. Across the board?
    Mr. Beeson. Yes.
    Senator Moran. Senator Blumenthal?
    Senator Blumenthal. Thank you. Just to follow up on that 
question, Mr. Beeson. What would that threat indicator or 
intelligence look like? A requirement by the insurance company 
that there be access to government intelligence or what 
specifically would that be?
    Mr. Beeson. In order to help facilitate an insurance 
company to underwrite the risk? Is that the premise of your 
question, Senator?
    Senator Blumenthal. Yes.
    Mr. Beeson. I will quickly, and then I am going to defer to 
the underwriter here, but in my opinion, in Lockton's opinion, 
I think there needs to be a change in the way insurance 
companies have been underwriting this risk, which has been much 
more, as I think we have heard from Ms. Sage already, a 
snapshot or questionnaire, which is a sort of static look at 
security, which now needs to change to something that is much 
more dynamic, which is a partnership with both government and 
probably the security industry to provide that type of 
intelligence as part of the underwriting process.
    Actually, as we heard from the Chairman in his opening 
remarks, that has already started with this firm BitSite.
    Senator Blumenthal. What do you think about that, Ms. 
Mulligan?
    Ms. Mulligan. I think Ms. Sage's testimony rightly points 
out the challenges underwriters have, asking the questions. We 
are trying to evaluate in an efficient way, people, process, 
and technology.
    Right now, we have an issue where attack vectors are 
changing more quickly than I think we know how to ask the right 
questions. Historically, the assumption at the enterprise level 
was that it was an IT issue, and that is something that has 
changed in the last 18 months, where now boards of directors 
are really on notice that there has to be a high level 
governance of this problem.
    We really encourage a culture of awareness from the board 
room to the mail room. Protection is probably not 100 percent 
possible for any one company. We really look to help companies 
move to resiliency rather than just protection.
    Are we asking the right questions, can we ask the right 
questions tomorrow when the attack vector has changed or the 
attacker has changed, and then are we able to design coverage 
that can respond to all the consequences of an attack?
    The issues are outpacing where we are right now, so the 
availability of information, underwriters think in trends, so 
it is not necessarily that I need to know the specifics from a 
government perspective for just Ms. Sage's industry sector or 
some other sector. It helps me to think in terms of trends, 
where is the frequency, where is the severity, and then that 
helps me design coverage and pricing.
    Senator Blumenthal. Let me ask Mr. Menapace, because you 
emphasized in your testimony the importance of culture, are 
companies asking the right questions? Obviously, as Ms. 
Mulligan says, they have been on notice for a while about these 
threats. Are they doing enough? Are they asking the right 
questions, and are they acting sufficiently?
    Mr. Menapace. I think there are two areas where insurers 
are looking into. One, as we talk about the national database, 
it would be helpful in a sense to look at industries. Is this 
potential insured a retailer, are they a health care provider, 
are they a manufacturer, and a national database will help the 
insurers identify those trends.
    When you get to the specific level of that insured, 
however, insurers are trying to keep up with what are the right 
questions that we want to ask of this potential insured, and 
that is much trickier, there is no doubt about that. I have no 
doubt that the collection and sharing of data will help in that 
regard.
    A number of underwriters now are looking toward what is the 
business' culture toward data protection as opposed to do you 
have this particular piece of software in place. That question 
is almost useless.
    Senator Blumenthal. Software changes and it is so dynamic.
    Mr. Menapace. Yes.
    Senator Blumenthal. Are there not sort of fundamental 
questions? The question I heard asked repeatedly in the wake of 
the Anthem breach was, why was there no encryption? In the wake 
of the Target breach, why are retailers not using chip and PIN 
rather than swipe technology? Evidently, chip and PIN 
technology is widely used, maybe almost universally used in 
Europe.
    Costs and the sharing of costs and the allocation of costs 
has been an obstacle. Lack of agreement on allocation of costs.
    It strikes me there are certain elements to protection that 
are changing. Technology is changing, the type of encryption is 
changing, but the complete absence of certain techniques maybe 
is reflected in the culture. Maybe that is what you mean by 
``culture.''
    Mr. Menapace. That is exactly what I mean. When an 
underwriter can go into a business and speak with the IT, the 
management, everybody, all the stakeholders, they will be able 
to get a sense of that culture in the sense of what they have 
now is fine, but everyone needs to realize that three months 
from now, that may not be fine.
    Both the insurers and the insureds need to understand this 
is a continuous process because the technology is advancing so 
quickly, and the threats are evolving so quickly.
    My guess is the questions that insurers like Zurich and 
others are asking today are going to be different questions 
that they will be asking 6 months or 12 months from now of 
their applicants.
    Senator Blumenthal. I have other questions which I hope to 
ask on a second round, but I am going to defer to my colleagues 
who are here, because they are on schedules as well.
    Senator Moran. Senator Blunt?

                 STATEMENT OF HON. ROY BLUNT, 
                   U.S. SENATOR FROM MISSOURI

    Senator Blunt. Thank you, Chairman. Thank you and the 
Ranking Member for holding this hearing.
    Obviously, cyber and all elements of cyber need to get a 
lot of attention. I am hopeful this Congress can move forward 
in a couple of different areas, data breach, as well as 
information sharing.
    My view on this is if we have a dramatic cyber event and 
have not legislated, we will overreact, so this is an important 
time for us to be having this discussion so we have something 
in place when this happens.
    Mr. Menapace, one of the things in the bill we voted out of 
the Intelligence Committee that I serve on last week, and I am 
not sure how available that bill is, but I do know one of the 
topics in the bill is allowing competitors to share information 
in this area, with no concerns about price fixing or any of the 
things we would normally be concerned about there, but for them 
to be able to share with others in the industry the kinds of 
attacks they are having, fighting off successfully or not.
    Do you want to make a brief comment on that as a concept?
    Mr. Menapace. Certainly, Senator. The idea of sharing would 
be helpful in several areas. Insurers generally are not in the 
game of guessing. They rely on actuarial analyses. Without the 
data to back that up, that is impossible to do.
    Some insurers have robust and mature books of business but 
newer entrants do not. The sharing of the data would allow new 
entrants into the market, and for those existing insurers would 
provide more certainty and more available data to incorporate 
into their own underwriting to make sure that the premiums 
charged are appropriate.
    The other area where the sharing can be helpful is for non-
insurance businesses. They, too, if they had access to the data 
would be able to test what is going on, what are the trends, 
spot the trends, and then compare that to what are we doing 
right now. If we see this trend, are our protections robust 
enough that we would be able to respond, mitigate, or even 
avoid that kind of loss.
    Senator Blunt. Mr. Beeson, one of the things we have 
consistently talked about here is some liability protection if 
you followed the standards that a new Federal law would set 
forth for cyber protection, and that would be one of the 
elements I am sure we want to look at, but another thing I am 
wondering about, is there any evidence yet of insuring against 
the actual loss?
    Is there anything publicly available frankly that any of 
you know about these data breaches that we have already had 
that would give us a sense of how much might be lost in terms 
of the destruction to your internal system, the equipment, the 
information, the cost it takes to replace that, and is this 
something you are seeing people interested in trying to insure 
against as well?
    Mr. Beeson. Yes. The insurance market outside of insuring 
the costs of a data breach or a violation of an individual's 
privacy has also provided coverage for what is called ``non-
physical damage business interruption.''
    Attacks that bring down corporate networks or impact 
corporate networks, impact revenue, and other related costs 
such as the cost to restore data. Those types of attacks we 
know now exist.
    The actual costs, as you asked, is not public knowledge, I 
think, other than between a client and its insurance broker. 
When you see some of these losses disclosed in 10-Ks, what have 
you, as public filings, typically they seem to appear as a 
total amount. It does not seem to break down those costs, 
unfortunately.
    In my experience, I will say at least to date, the biggest 
component of a cost from a breach that involves personally 
identifiable data, protected health information, is dealing 
with that itself, rather than the cost on your infrastructure.
    I think that is starting to change, and we have seen a 
precedent from that last year where the attacks were becoming 
more destructive or could certainly become more destructive, 
rather than just about what they call ``exfiltrating,'' 
stealing data to monetize it. This goes back to how the attacks 
are changing and what will be the consequential losses from 
that.
    Senator Blunt. Exactly. I think that is something that we 
are seeing as a growing problem. Mr. Chairman, I am already out 
of time.
    Senator Moran. Thank you. Senator Klobuchar, welcome.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman, for 
holding this important hearing. I think we all know this is an 
issue whose time has come, and we also need to spur the private 
sector to increase the securities and protections.
    I want to start out with actually a small business 
question. We have a lot of big businesses in my state, some of 
which has been kind of notable for having some cybersecurity 
attacks, as you may know. While those kinds of attacks get 
attention in the headlines and affect millions of customers, 
many small businesses and community banks are also the victims 
of these kinds of cyber attacks.
    Ms. Sage, how would the insurance agency help these 
businesses manage the risk of cyber attacks and provide 
insurance at a reasonable rate? What do you see as the unique 
challenges facing small and medium-sized businesses, and what 
can we do to help them?
    Ms. Sage. Thank you, Senator. I agree with a number of the 
comments that have been made about company culture, and the 
need to really understand what the perspective is of the 
management of these small businesses toward cybersecurity 
risks.
    In my submitted testimony and also in my oral testimony 
this morning, there were a number of themes that I have been 
hearing in my travels and talks with small businesses. For 
example, there is a segment of the small business community 
that just does not believe this applies to them and have the 
sense that they do not have information that anybody would 
want.
    I think it really does speak to culture. I think this is 
where insurance can have a role in making it a priority for 
small businesses to think about.
    Senator Klobuchar. OK. Ms. Mulligan, even larger companies 
with policies from several different insurance providers cannot 
find policies to cover their cybersecurity needs. I know some 
of our companies may often have to purchase multiple policies 
with different retention levels and still have to partially 
self-insure.
    How does the lack of the availability of a comprehensive 
cyber insurance policy affect a company's ability to manage 
risk?
    Ms. Mulligan. Every company will manage their risk 
differently, so the idea of risk transfer is really only one 
element of a risk manager's tool, available in their toolbox.
    There will be decisions to self-insure, but this is where 
we get back to the information sharing. The availability of 
information that would help a company like Zurich determine 
appropriate pricing for capacity would then allow for an 
expansion of capacity, and as Mr. Menapace pointed out, for new 
entrants to come into the marketplace to build out more robust 
programs. We are not there yet.
    Senator Klobuchar. Also, 90 percent, Mr. Beeson, of the 
critical infrastructure in our country is privately held, and 
these companies are on the front line, and every exercise we 
have ever had where we talked with our national security 
people, it is always about some kind of a private 
infrastructure company. I believe it is in their own best 
interest to establish robust policies.
    In general, do you believe critical infrastructure sectors 
in the economy and companies are taking appropriate steps? What 
more do you think they should be doing?
    Mr. Beeson. I think there are a lot of challenges there. I 
have spent quite a bit of time looking at certain industries, 
such as energy, for example, over the last couple of years. The 
more you dive into that, the more you see the challenge.
    I think number one is risk awareness, education on these 
risks throughout the organization. Does the board realize the 
differences between, for example, corporate information 
technology and what is called ``industrial control systems,'' 
operational technology. They are very different. One is built 
to be available and one is built to be secure, but they are 
interlinked, and the challenges that go around that.
    I would say there is a lot of work to be done in this area, 
and it goes back to what I said earlier about cyber risk, cyber 
insurance needs and can be an incentive to help that process, 
but to do that, if we are going to look at other enterprise 
assets that the insurance industry can address, and if you look 
at critical infrastructure, you are now talking about physical 
damage, business interruption loss.
    I agree with my fellow witnesses here we need more data and 
more information to help drive that process.
    Senator Klobuchar. For the first time, some of our smaller 
rural electric companies raised cybersecurity with me, which I 
think is a sign that people are starting to see it and 
understand they need to start preparing for it.
    Thank you very much.
    Senator Moran. Thank you, Senator. Ms. Sage, do you know, 
and in a broader question to the panel, do the insured know 
what is covered? Can you tell from your policy that if 
something happens, it is either included or excluded in 
coverage?
    Ms. Sage. Chairman, the answer is no. It is very difficult, 
and not just the cost of the policy, but legal assistance to 
help us understand the policy, so now you have costs on top of 
the policy itself to understand what your policy covers and 
does not cover.
    Senator Moran. What do you think your policy covers? What 
events, what might happen to your company that you feel pretty 
certain are covered and ones you have doubt about?
    Ms. Sage. I think some of the costs associated with let's 
say there was an attack and there was equipment potentially 
that was compromised, those costs might be covered. I believe 
costs associated with notification and things like that might 
also be covered.
    What is more unclear is what is not covered. We keep 
hearing, well, it is claim-specific. Well, you do not know what 
your claim is going to be until you have that, and hopefully 
you never have that. That is a little bit of a challenge in 
understanding.
    Senator Moran. I do not know your business, but would you 
be subjected to litigation by those damaged by the 
cybersecurity, your customers or clients?
    Ms. Sage. Possibly. We provide services to the Government 
as well as the private sector. I think there is exposure, we 
hold information that is perhaps sensitive, business sensitive, 
et cetera.
    In terms of what we are seeing in our Government contracts, 
it is really a mix. Some agencies are more focused on 
cybersecurity and including language in contracts that address 
that. Others do not have anything that speaks specifically to 
cybersecurity and just speak to security in general, and in 
protecting the Government's information. I think really right 
now it is a mix.
    Senator Moran. You have heard Ms. Sage's testimony plus her 
response to me. My question to the rest of the panel, are the 
policies any more standardized now than when Ms. Sage described 
what she went through with different companies? Mr. Menapace?
    Mr. Menapace. No, there is no standardized policy language. 
You may be aware, there is an organization called ISO, the 
Insurance Services Office, that does provide standardized 
wording for a whole line or many lines of insurance.
    ISO recently did issue cyber policy wording. However, I 
know of no insurer who has adopted the ISO form, and I know of 
no insurer who plans to adopt the ISO form.
    What we have out in the marketplace are 40 or 50 different 
policy wordings for these coverages. I have to say this is an 
area where brokers are important, and this is where they earn 
their money, to help the insureds assess their own risks and 
then match those up to the different protections that are being 
offered.
    Senator Moran. Do agents know--does the agent in my home 
town know when the businessman or woman came to him or her--
would they be knowledgeable about this topic?
    Mr. Menapace. Certainly, the big insurers do. Excuse me, 
the big brokers do, certainly. The smaller brokers, if they 
have taken the time to educate themselves, are valuable, and 
certainly there is a group of smaller brokers who I refer 
clients to for this very reason, because they have taken the 
time to understand the coverages, and they take the time to go 
into the businesses and assess what their risks really are, 
rather than pulling something off the shelf and saying here is 
cyber insurance.
    Senator Moran. You said 40 or 50 companies, the market is 
not yet sophisticated enough to say these are the companies 
that have the best policies. Have we narrowed this down to 
those who know what they are doing and those that do not?
    Mr. Menapace. I am even underestimating the 40 to 50 
companies, because each of those companies offer different 
policy coverages depending on the size of the business, what 
sector of the business they are in, and what their needs are.
    The matching up of the risks and the needs will continue to 
be a problem, and it is certainly something that large 
businesses look at extensively, but with smaller businesses, it 
takes resources to do this kind of analysis, and it takes 
resources on the insurance companies as well to do individual 
underwriting. That is really hard to look at individual small 
businesses one at a time.
    Ms. Mulligan. Mr. Chairman, the data that I have says that 
five or six carriers write the coverage on a primary basis, and 
those five or six carriers write approximately 70 percent of 
the gross written premium, so while there is 40 or 50 markets 
who may offer the coverage, it is really sort of centralized 
with those markets.
    The other thing I would say on your coverage question is 
this is where the history of the product becomes useful and 
understanding what may be covered in the event of a claim.
    It was designed originally to respond to third party 
liability costs arising from a network breach or a privacy 
event, and now there has been the inclusion of first party 
costs to a privacy breach remediation and response, which can 
include some business interruption costs in the event of a 
network security breach. That is really where it stands right 
now.
    Senator Moran. Is the market mature enough that there has 
been litigation related to the coverage issue?
    Ms. Mulligan. Yes. Well, I am not sure to the coverage 
issues, but the litigation around liability has been evolving. 
If we had been having this conversation three years ago, I 
would have told you the cases were not getting through to 
discovery. That is not the case now. The plaintiff's bar is 
asserting new theories of liability; they will continue to do 
that.
    Senator Moran. That would be in instances maybe where it 
was not even necessarily the intention of the insured to have 
that coverage, but you look at the policy and maybe this is 
covered and then you litigate it?
    Ms. Mulligan. Well, no. I am thinking specifically around 
security and privacy liability policies, meaning the liability 
is arising from alleged mishandling of data or breached 
personal data.
    Those are still evolving in courts. We do have some 
publicly available information about the significant breaches 
that have happened in the last 12 to 18 months.
    One major retailer reported recently that their first party 
costs are over $250 million and rising right now, but their 
liability costs to their customers and potentially to financial 
institutions are still playing out in the courts. We do not 
know where that will land at the moment.
    Senator Moran. Do the policies provide limitations on 
coverage, an amount not to exceed something?
    Mr. Beeson. Could I just make an additional comment? I do 
not want the Committee to get the perception that all these 
insurance policies are different, some are covering one thing, 
and some are covering another. That is not actually the case.
    Yes, I absolutely agree the actual policy language is 
different from one insurance company to another, but if you 
really boil it down, the specialist policies are trying to 
cover fundamentally three things.
    Number one, costs of dealing with the breach response, 
notification, forensics, credit monitoring, that type of thing. 
The other two buckets really fall into liability coverage, to 
your point, Chairman, the second one being privacy regulatory 
action, you are sued by a regulator, and it is the cost of 
defending yourself against that and any civil fine you could be 
hit with.
    Finally, the third one being civil action, for example, a 
suit in class. It could be from the banks, the individuals who 
own the data.
    Really most of the policies in the marketplace are trying 
to address those three things. Yes, they are doing it sometimes 
in different ways. Yes, there are exclusions here where there 
might not be in another, and a broker has to navigate that on 
behalf of their client, and that is where one broker is better 
than another.
    I think it is important just to say although it is not 
commoditized and it is not commoditized because frankly it is 
still a new area of risk, there is some sort of streamlining in 
that regard.
    Senator Moran. Thank you. Senator Blumenthal?
    Senator Blumenthal. Thank you. Those three areas, the first 
two areas seem very much alike in terms of both being 
responses, that is to say notification, aid for consumers who 
may be harmed, and then the regulatory response. The third is 
somewhat different. Is that correct?
    Mr. Beeson. The biggest difference between one and two and 
three is that one is a first party loss, so it is under your 
legal obligation typically at state level to notify 
individuals. The first party, costs you have associated with 
that, follow on from that.
    The other two are liability. A third party, whether that is 
a regulator or somebody else, has to come along and take action 
against you. That is the fundamental difference between one and 
two and three, if that makes sense.
    Senator Blumenthal. How would you define the third?
    Mr. Beeson. It is a civil action, so it could be a bank 
suing a merchant for the cost of canceling and reissuing credit 
cards. It could be the victims who own the credit cards who sue 
in a class action to recoup their costs.
    There is another area that is emerging, but it is starting 
to emerge, which is of course the board now gets sued 
potentially as well under a derivative action from the 
shareholders. That is something that is starting to emerge as 
well.
    Senator Blumenthal. Mr. Menapace, I do not know whether you 
had the same kind of analysis in your statement, and I do not 
have it in front of me, that more than half the costs of a 
breach involve the responses like technical forensics 
investigations, attorney oversight, breach notification, credit 
monitoring, call centers, public relations services, and the 
other half being legal defense, settlement, regulatory 
response.
    In effect, you are saying half the costs are in that first 
category of responses?
    Mr. Menapace. The industry surveys that I have seen have it 
ranging anywhere from 45 to 50 percent, and some slightly more 
than 50 percent, but that is what we have seen to be the cost 
drivers.
    I am not sure that amount or those statistics cover what 
Mr. Beeson was talking about, however, which is the cost of 
damaged infrastructure, which there is not public information 
about that, but certainly with the reportable and the 
discoverable data that we have been able to find, that is 
accurate, Senator.
    Senator Blumenthal. I understand that in talking about 
captive insurance, it is basically self-insurance or very much 
like self-insurance, because a company establishes in effect a 
wholly-owned subsidiary or an entity to protect itself from 
risks, and it is insured through that captive entity.
    My concern is that these types of arrangements could result 
in private companies in effect reaping the financial benefits 
of collecting personal data, but the costs could still be 
spread or socialized among consumers and taxpayers if they 
underestimate the risks. In other words, the benefits go to the 
company but the costs hit the consumers.
    If companies use this self-insurance approach, cyber 
insurance, but do not have the funds to adequately cover the 
costs of cyber incidents, the companies would not have funds 
available to compensate consumers whose information has been 
stolen. In other words, in that sort of category of costs where 
consumers, third parties, are impacted.
    Are you aware of captive insurance being used in the cyber 
insurance market?
    Mr. Menapace. That is an interesting issue with the captive 
insurance companies, as you have stated it. Certainly, for 
companies that have difficulty placing their risks or need 
additional capacity or perhaps have a large self-insured risk 
before insurance attaches, and those companies have or will set 
up captive insurers.
    I would be interested to see how that plays out, and I 
think that is an area where state regulators who do regulate 
these captives as they do what we think of as regular insurance 
companies--we will have to take a look at that to see if 
companies are shifting this risk to their captive insurers.
    As insurers have difficulty, both pricing and setting 
reserves for losses, captives who would necessarily have even 
less data to go on, this would have to be taken very seriously 
by the regulators if we do see a trend in people or businesses 
transferring the risk via the captive insurer.
    Senator Blumenthal. Is there active discussion of the use 
of captive insurance for cyber?
    Mr. Menapace. I know that the NAIC is looking at the cyber 
insurance marketplace in general. I do not know if there is 
specific discussion within that group with the captive 
insurers.
    It would be interesting to know if some of the large--I do 
not know but I would be interested to know if the regulators, 
the individual state regulators, who have large captive 
populations domiciled in their states are looking at that.
    We also know many captives are regulated offshore in other 
countries. I do not have statistics on that, but it does raise 
a good point, an important point, which is are these captives 
set up and appropriate for that kind of risk.
    Senator Blumenthal. Right, exactly. Thank you, Mr. 
Chairman.
    Senator Moran. Thank you, Senator Blumenthal. On a national 
database, on that concept, there are some who have general 
concerns about the Federal Government running that database, 
and then if you reach the conclusion they should, then the 
question becomes who is that, is that the Department of 
Homeland Security or Treasury. Is there a public/private 
partnership.
    Is there an outsider that could effectively run a database 
that we could then rely on? I think the National Association of 
Insurers is working on this topic. Is there a conclusion or 
direction they are going?
    Ms. Mulligan. I can comment that the Department of Homeland 
Security has had three different working groups over the last 2 
years, and now has commenced another group. We have had one 
meeting so far. We are just starting off.
    Because your questions are exactly right, these are the 
details that need to be ironed out really. In theory, the idea 
of a data repository is a good one, but the question of 
ownership, who has access, what kind of information would be 
put in there, how would it be anonymized, and then how would it 
be made most useful to the insurance community and the non-
insurance community.
    These are all the questions that we have on the table right 
now as part of the working group.
    Senator Moran. On information sharing analysis centers, 
does the insurance industry have one?
    Ms. Mulligan. We do not have one centralized place for this 
line of business. Mr. Menapace mentioned ISO. ISO is an 
organization that has information about a multitude of 
insurance.
    As I mentioned in my testimony, this line of business is 
something that is largely purchased by specific industry 
segments, so we do not have data for every single company 
irrespective of industry, irrespective of size. We just do not 
have that data that way, so we are unable to really create 
those trends from ISO or anywhere else.
    Individual insurers are relying on the data that we have 
about our cyber customers, and we can use information and 
extrapolate it from general liability and other lines of 
business where we have experience. That is quite fragmented.
    Senator Moran. Should it be a public policy goal of having 
ISACs in a wide array of arenas, industries, businesses?
    Ms. Mulligan. Well, to the extent that it would help us 
differentiate coverage, and as Ms. Sage pointed out, price, by 
industry segment, that might be useful. Again, I think we have 
an issue of a lot of details that would need to be ironed out.
    Senator Moran. Ms. Sage, do you participate in an ISAC?
    Ms. Sage. Not officially. I think one of the challenges for 
a lot of small businesses is we do not fit neatly into specific 
industry segments. I know that was part of the discussion 
around the ISAOs, of which ISACs are considered a type.
    As a small business, we are on the ground. We are really 
just trying to get new customers, keep our customers, et 
cetera. Some of these activities that require a lot of 
resources, participating in working groups, attending meetings, 
these are things that typically we just do not have a lot of 
time and resources for.
    Senator Moran. Senator Gillibrand and I have discussed 
legislation that would create a tax credit for the 
participation in an organization like that. Does that have any 
appeal to you or to the industry?
    Ms. Sage. Absolutely. As I mentioned in my testimony, even 
things like the voluntary NIST Cybersecurity Framework, if 
insurers could even consider that, like the other ISO, the 
international standards organization, that sometimes is used as 
a way of understanding what areas of emphasis an organization 
has, whether it is quality, risk management, et cetera.
    Using something like the Cybersecurity Framework could be a 
factor, so we do not have to worry now about what specific 
questions do we have to ask this company or that company. At 
least it could begin to move us in that direction. Offering 
incentives for small businesses to use the Framework, for 
example, would really be helpful.
    Senator Moran. Thank you. I am going to see if Senator 
Blumenthal has any additional questions in another round, and 
before we conclude, I want to give you a chance to tell us 
things you wish you would have said or you wish we would have 
asked you.
    Senator Blumenthal. I do not have any further questions, 
but I may follow up in writing with some, and I want to simply 
thank everyone on the panel for being here and contributing so 
well today.
    Senator Moran. Anything you would like to make certain that 
we know?
    Mr. Beeson. I would just leave the thought that certainly 
at Lockton we view the opportunity as a market incentive as 
much as anything to where the insurance industry has a role 
right now to help drive better security. That is the key 
component, I think, as far as we are concerned.
    Thank you for the opportunity to testify today.
    Senator Moran. Thank you for your testimony. Anyone else?
    Ms. Mulligan. Thank you. I would just comment the 
importance of the public and private sector cooperation in this 
arena, this problem is just too large to be solved by just an 
insurance solution.
    Having said that, the insurance community really is in a 
great position to contribute to the risk management 
conversations and issues, and I think it is essential to get 
the conversation out of the IT focus only, so we can really 
help companies move to a place of a culture of awareness and 
resiliency rather than protection.
    Senator Moran. Thank you.
    Ms. Sage. I would just thank you again for this 
opportunity. There is a saying, if you are not at the table, 
you might be on the menu. As small businesses, we appreciate 
the attention and consideration of small businesses in any 
legislation that you are considering.
    Senator Moran. Ms. Sage, I felt very guilty when you told 
me that in a sense your every day effort is to survive, get new 
customers, and grow, which I very much support. I feel badly 
that we invited you to Washington, D.C.
    Ms. Sage. I actually live locally.
    Senator Moran. Very good. Mr. Menapace, anything?
    Mr. Menapace. Senator, I appreciate the fact that you 
commented before that you had taken a look at our written 
testimony, which is obviously more extensive than we were able 
to present here today. I stand on that testimony, but I am 
willing to provide answers to any written questions that the 
Committee may have afterwards.
    Senator Moran. Thank you very much. In that regard, the 
record will remain open for 2 weeks for members to submit 
questions, and we would ask you to respond to those as quickly 
as possible.
    With that, the Subcommittee hearing is adjourned.
    [Whereupon, at 11:19 a.m., the hearing was adjourned.]

                            A P P E N D I X

    Response to Written Questions Submitted by Hon. Jerry Moran to 
                               Ben Beeson
    Question 1. What challenges do brokers like Lockton face when 
determining whether to participate in the cyber insurance marketplace? 
What types of information would be helpful to better analyze risk?
    Answer. The primary barrier to entry for a broker seeking to advise 
their client is education. Driven by the fear of lost business and the 
high profile of cyber risks that now exists many brokers are developing 
a greater knowledge base and understanding. However, it is probably 
fair to say that you can still count on one hand those brokers that 
have the resources to handle a Fortune 500 client.
    The biggest challenge to brokers once they begin to advise clients 
is risk quantification. What is the consequential loss value to the 
client following some form of cyber event? There is some ability to 
quantify losses that involve personally identifiable information or 
protected health information. However, no actuarial data exists at all 
for losses involving property damage, business interruption or bodily 
injury.
    The insurance industry also a very little information on the 
frequency and severity related to the types of attack vectors, and the 
mitigation tools used that were or were not successful.
    The net result means that brokers have a difficult time explaining 
to clients how much money they should invest in cyber security, 
particularly the cost of transferring residual risk through insurance.

    Question 2. Are there countries outside of the U.S. who have 
developed a functioning cyber insurance market? What lessons can we 
learn from those countries?
    Answer. No. The U.S. is really the only fully functioning cyber 
insurance market driven by mandatory data breach notification laws. 
Internationally the requirement to disclose is sporadic and businesses 
do not yet perceive enough of a severity risk to warrant buying 
insurance. However, the emergence of physical damage risks from cyber 
attacks suggest that international take up could now accelerate.

    Question 3. How has the NIST framework helped your company to 
participate in the cyber risks insurance marketplace?
    Answer. Yes very much so. The NIST framework has helped Lockton 
articulate a governance and enterprise wide risk management approach to 
boards of directors and senior executives. Cyber insurance forms part 
of that discussion.

    Question 4. One cost in addressing a data breach is legal support 
to comply with the patchwork of state data breach notification laws. 
Would a uniform national data breach notification standard improve the 
cyber insurance marketplace? Why or why not?
    Answer. Yes. It would help our clients--businesses--respond faster 
to those whose data has been compromised. Improved incident response 
should also help our clients mitigate both their regulatory and civil 
liability, leading to fewer losses to insurers and ultimately a more 
competitive premium structure for buyers.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                           Catherine Mulligan
    Question 1. Are there countries outside of the U.S. who have 
developed a functioning cyber insurance market? What lessons can we 
learn from those countries?
    Answer. There are a number of countries in addition to the U.S. 
that have functioning cyber insurance markets. The UK, France, and 
Australia have experienced moderate Gross Written Premium growth over 
the past few years due to an increase in interest and buying behavior 
from companies operating in highly exposed industries such as finance/
banking, retail, healthcare and hospitality. Markets are also beginning 
to take shape, albeit more slowly, in a number of other countries such 
as Canada, Hong Kong, Singapore, Spain, Germany, Switzerland, Italy, 
and Mexico just to name a few. Buyers of cyber insurance outside the 
U.S. tend to place more value on first party coverage grants such as 
privacy breach costs and business income loss as opposed to third party 
liability coverage. This is generally due to lower frequency of 
litigation resulting from data breach incidents. However, this may 
change as more and more countries pass more stringent data privacy 
laws. Ex-US buyers also perceive significant value in pre and post 
breach service capabilities offered by each carrier, or service 
providers with whom carriers partner, relative to risk assessments, 
forensic investigations, fraud remediation, legal advice, and public 
relations.

    Question 2. How has the NIST framework helped your company better 
understand the preparedness of the companies you seek to insure?
    Answer. The NIST framework is a useful tool for risk managers to 
use in identifying their exposures and any gaps in best practices. This 
mapping process may help them take corrective action if necessary and 
make decisions around risk transfer. It creates a common vernacular for 
IT professionals, risk managers, and underwriters to use in the 
discussion of cyber security and privacy event exposures and controls. 
To the extent this tool brings forth information about a company's 
awareness of their risk landscape, it creates a good dialogue with 
underwriters. But good cyber security and privacy practices are not 
just an IT issue; an underwriter must review people, process, and 
technology. We look for an overall culture of awareness, which cannot 
be summarized in any one document or tool. Moreover, the exposure 
landscape is moving too fast for the underwriting community rely on one 
single tool or method. Still, the NIST framework has established an 
effective methodology for building our collective understanding of the 
exposures and controls in this space.

    Question 3. One cost in addressing a data breach is legal support 
to comply with the patchwork of state data breach notification laws. 
Would a uniform national data breach notification standard improve the 
cyber insurance marketplace? Why or why not?
    Answer. A company cannot rely on one single approach to responding 
to data breaches due to the variety of reporting requirements under the 
various state statutes. There is no single definition of Personally 
Identifiable Information, nor is there a standard requirement around 
the way notification must be sent, to whom it must be sent (including 
the States' Attorneys General), and in what time frame. Companies 
express confusion around which laws apply to them in different 
circumstances. There is also confusion about when and how to report an 
event to their insurers under the policy requirements. A uniform 
standard could streamline process for the enterprise, consumers, and 
the insurance community. This would help get information to consumers 
in a timely fashion as well as mitigating tools such as credit and 
identity monitoring. There could be cost benefits to the company and 
their underwriters, which could contribute to the development of 
improved pricing methodology for this line of insurance.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                                Ola Sage
    Question 1. What are the biggest challenges for a small or medium-
sized business like yours in determining whether or not you need cyber 
risk insurance?
    Answer. There are three primary questions that a small business 
like e-Management should answer in considering cybersecurity insurance.

  (1)  Do We Really Need It?

    According to a threat awareness poll of small businesses conducted 
        by Symantec, 50 percent of small to medium-sized businesses 
        don't feel they are at risk because they are a small business 
        and are therefore not a target for cyberattacks. The reality is 
        very different. Over the past few years, small businesses 
        represent the fast growing segment for cyber-attacks according 
        to data from Verizon's annual data breach report. There are 
        many reasons that small businesses are richer targets for cyber 
        criminals. A very common experience is that many small 
        businesses do not have the resources to invest in the same 
        level of protection that some larger organizations do, thereby 
        making them easier targets to compromise. At the core is the 
        question, ``what do small businesses have that cyber criminals 
        want?'' The answer is data. This data can be about the small 
        business itself (e.g., employee information, personal 
        information about the principals of the business, confidential 
        or proprietary business information, etc.) or it can be data 
        about people or companies that the small business is connected 
        to (e.g., professional colleagues, high profile customers or 
        celebrity clients, vendors or suppliers, professional 
        organizations, etc.). Armed with this knowledge, every small 
        business must then ask the question, what would our legal and 
        financial exposure be if the data we hold or have access to is 
        compromised? Industry reports indicate that the average cost to 
        a small business to recover from a significant cybersecurity 
        attack is estimated at $300,000. For many small businesses the 
        cost exceeds their ability to cover such exposure and 
        significantly increases the likelihood that a small business 
        shuts its doors.

    Cybersecurity insurance can be an effective tool in helping to 
        mitigate financial risks associated with a cyber-breach. Small 
        businesses are wise to at least learn what cybersecurity 
        insurance products are available and consider whether or not it 
        make sense for their business. While this type of insurance is 
        relatively new, several leading insurance providers now offer 
        separate cybersecurity insurance policies that small businesses 
        can take advantage of.

  (2)  Does It Cover What We Need?

    During our process of comparing policies, we found it virtually 
        impossible to compare policies against one another as the 
        language used in one policy differed from the next. An 
        experienced and knowledgeable broker is a must have to help 
        interpret what the different insurance products cover. Having a 
        multi-faceted cybersecurity policy is ideal. This type of 
        policy covers costs associated with notification, incident 
        response, legal, regulatory fines, etc. Keep in mind that costs 
        associated with equipment replacement or refurbishment may 
        already be covered by other general liability or business 
        insurance. Importantly, small businesses must understand that 
        cybersecurity insurance is not a silver bullet and cannot cover 
        things like company downtime, reputational damage, loss of 
        business, or intellectual property theft.

  (3)  Can We Afford It?

    The cybersecurity insurance market is in its infancy with only 
        about 50 insurance carriers issuing policies.\1\ As a result, 
        the cost to purchase a policy can range from a couple thousand 
        dollars to tens of thousands for a small business. This is out 
        of range for a large number of small businesses. However, we 
        believe cybersecurity is about risk management. It boils down 
        to how much risk a small business willing or able to take. The 
        question small businesses should ask is ``can we afford NOT to 
        invest in cybersecurity insurance?'' As small businesses answer 
        this question, they should consider, at a minimum, what 
        industry or sector their business is in (e.g., critical 
        infrastructure like energy, financial services, healthcare), 
        what valuable data could be compromised, are there other 
        alternatives to cybersecurity insurance to reduce or transfer 
        some of the financial risk?
---------------------------------------------------------------------------
    \1\ Cyberattack Insurance a Challenge for Business, The New York 
Times, June 8, 2014

    In addition, small businesses should make sure they communicate to 
        their insurance underwriters, directly or through their 
        brokers, what they are doing to implement reasonable 
        cybersecurity measures or what steps they have taken to 
        strengthen their cybersecurity posture. These are factors that 
        insurance underwriters can take into consideration when 
        evaluating an application, and may result in more affordable 
---------------------------------------------------------------------------
        pricing.

    Summary

    At e-Management, we considered these three questions and came to 
        the conclusion that for our business, cybersecurity insurance 
        was a necessary business investment. We recognize that for a 
        variety of reasons, cybersecurity insurance may not be the 
        right solution for all small businesses. However we encourage 
        small businesses from start-up phase to those who are planning 
        an exit, to at least start the conversation about whether or 
        not cybersecurity insurance is right for their business based 
        on their answers to these three straightforward questions.

    Question 2. Has the process of seeking cyber risk insurance helped 
your company improve its cyber posture? If so, how?
    Answer. At e-Management, we are using the NIST Cybersecurity 
Framework to improve our cyber posture. We view improving our posture 
as good cyber hygiene, a competitive differentiator, and an indication 
to our clients and partners that we take protecting their information 
seriously. Cybersecurity insurance is one of several tools in our risk 
mitigation portfolio to help reduce or transfer some of the financial 
risk associated with a potential breach.
    We believe cybersecurity risk insurance can play an important role 
in driving companies to improve their cyber posture by stipulating 
specific requirements. Examples could include policies and procedures 
that address cybersecurity, baseline technical requirements for company 
network infrastructures, and demonstration of a company's ongoing 
cybersecurity risk management approach.

    Question 3. One cost in addressing a data breach is legal support 
to comply with the patchwork of state data breach notification laws. 
Would a uniform national data breach notification standard improve the 
cyber insurance marketplace? Why or why not?
    Answer. It is unclear how much a national data breach notification 
standard would ``improve'' the cyber insurance marketplace. 
Conceivably, having some degree of consistency among the approximately 
48 current state notification breach laws could help companies doing 
business in multiple states lower legal costs associated with 
interpreting and complying with the various notification requirements. 
Over time, this could provide insurance carriers with better data about 
the costs associated with breach notifications which are covered by 
most cybersecurity insurance policies today. Ultimately better data 
should lead to better decision-making, resulting in better pricing of 
cyber insurance products over the long term.

                                  [all]