[House Hearing, 115 Congress] [From the U.S. Government Publishing Office] PROTECTING SMALL BUSINESSES FROM CYBER ATTACKS: THE CYBERSECURITY INSURANCE OPTION ======================================================================= HEARING BEFORE THE COMMITTEE ON SMALL BUSINESS UNITED STATES HOUSE OF REPRESENTATIVES ONE HUNDRED FIFTEENTH CONGRESS FIRST SESSION __________ HEARING HELD JULY 26, 2017 __________ [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] Small Business Committee Document Number 115-032 Available via the GPO Website: www.govinfo.gov HOUSE COMMITTEE ON SMALL BUSINESS STEVE CHABOT, Ohio, Chairman STEVE KING, Iowa BLAINE LUETKEMEYER, Missouri DAVE BRAT, Virginia AUMUA AMATA COLEMAN RADEWAGEN, American Samoa STEVE KNIGHT, California TRENT KELLY, Mississippi ROD BLUM, Iowa JAMES COMER, Kentucky JENNIFFER GONZALEZ-COLON, Puerto Rico DON BACON, Nebraska BRIAN FITZPATRICK, Pennsylvania ROGER MARSHALL, Kansas RALPH NORMAN, South Carolina NYDIA VELAZQUEZ, New York, Ranking Member DWIGHT EVANS, Pennsylvania STEPHANIE MURPHY, Florida AL LAWSON, JR., Florida YVETTE CLARK, New York JUDY CHU, California ALMA ADAMS, North Carolina ADRIANO ESPAILLAT, New York BRAD SCHNEIDER, Illinois VACANT Kevin Fitzpatrick, Majority Staff Director Jan Oliver, Majority Deputy Staff Director and Chief Counsel Adam Minehardt, Staff Director C O N T E N T S OPENING STATEMENTS Page Hon. Steve Chabot................................................ 1 Hon. Nydia Velazquez............................................. 2 WITNESSES Mr. Robert Luft, President, SureFire Innovations, Cincinnati, Ohio, testifying on behalf of the National Small Business Association.................................................... 5 Ms. Erica Davis, Senior Vice President, Head of Specialty Products Errors & Omissions, Zurich Insurance, North America, Washington, DC, testifying on behalf of the American Insurance Association.................................................... 6 Mr. Eric Cernak, Vice President, Cyber Risk Practice Leader, Munich Re U.S., Hartford, CT, testifying on behalf of the Reinsurance Association America (RAA).......................... 8 Mr. Daimon Geopfert, National Leader and Principal, Security and Privacy Consulting, Risk Advisory Services, Southfield, MI..... 9 APPENDIX Prepared Statements: Mr. Robert Luft, President, SureFire Innovations, Cincinnati, Ohio, testifying on behalf of the National Small Business Association................................................ 27 Ms. Erica Davis, Senior Vice President, Head of Specialty Products Errors & Omissions, Zurich Insurance, North America, Washington, DC, testifying on behalf of the American Insurance Association............................. 36 Mr. Eric Cernak, Vice President, Cyber Risk Practice Leader, Munich Re U.S., Hartford, CT, testifying on behalf of the Reinsurance Association America (RAA)...................... 40 Mr. Daimon Geopfert, National Leader and Principal, Security and Privacy Consulting, Risk Advisory Services, Southfield, MI......................................................... 48 Questions for the Record: None. Answers for the Record: None. Additional Material for the Record: AIA Statement (American Insurance Asociation)................ 62 Willis Towers Watson Statement............................... 65 PROTECTING SMALL BUSINESSES FROM CYBER ATTACKS: THE CYBERSECURITY INSURANCE OPTION ---------- WEDNESDAY, JULY 26, 2017 House of Representatives, Committee on Small Business, Washington, DC. The Committee met, pursuant to call, at 11:00 a.m., in Room 2360, Rayburn House Office Building, Hon. Steve Chabot [chairman of the Committee] presiding. Present: Representatives Chabot, Luetkemeyer, Brat, Radewagen, Kelly, Blum, Bacon, Fitzpatrick, Marshall, Norman, Velazquez, Evans, Murphy, Lawson, Clarke, Chu, Espaillat, and Schneider. Chairman CHABOT. The Committee will come to order. Good morning. We appreciate everybody being here. Cybersecurity has been one of this Committee's top priorities. We have held numerous hearings and worked on meaningful legislation to ensure small businesses have every possible resource to protect themselves against a cyber attack. Weeks ago, I, along with my friend from across the aisle, Representative Dwight Evans of Pennsylvania, introduced legislation to ensure that America's Small Business Development Centers have the best possible cybersecurity training so that they can better assist small businesses with their cyber strategies. Unfortunately, we have also heard too many firsthand accounts from small business owners who have been victims of cyber attacks. One case in particular that stands out is the story of a small business owner who testified before this Committee last year. He owned an indoor go-karting facility in Maine, and had a number of employees and families that depended on him. He told the Committee that he was struck by a phishing scam. He logged onto his bank account and to his utter disbelief his balance was zero. And that happened on a payday no less, so all his employees were at risk of not being paid that day, so he was really panic stricken. Fortunately, he caught it just in the nick of time and was able to stop the funds from being transferred, but that is usually, unfortunately, not the case. Cybersecurity experts have told this Committee about the growing number of cyber threats facing America's 28 million small businesses. In 2016 alone, the Justice Department recorded nearly 300,000 cybersecurity complaints. This number increases every year. Sixty percent of small businesses that fall victim to a cyber attack close up shop within 6 months, and the estimated average cost of a cyber attack on a small business is over $30,000. And that may not be a huge amount to a large corporate entity in the United States, but to a mom- and-pop small business person, $30,000, that can mean why 60 percent of small businesses go out of business within 6 months of being hit by a cyber attack. In our Committee's efforts to spotlight these serious and growing threats, it has become clear that we need to think outside the box as we work to thwart cyber attacks. Small businesses must also be diligent as they manage their IT systems and educate their staffs about the importance of cybersecurity. They should also be creative as they consider different ways to spread risk and manage their cyber strategies. One increasingly feasible solution is cybersecurity insurance. Many larger corporations are already exploring this approach to dealing with cyber attacks. It is likely that small businesses will follow. Of course, the widespread adoption of cybersecurity insurance policies is not without its challenges, both for small businesses and for the insurance providers. Small businesses must determine what policies and coverage options make sense for them and also implement basic cybersecurity best practices. Furthermore, the cybersecurity insurance marketplace is remarkably new and many of the providers still lack the historical data to offer appropriate plans to consumers which drives up the cost to policyholders. Yet, as they look to improve their models and cyber risk scenarios, cybersecurity insurance will become more viable and more accessible. Today, we will hear from a panel of witnesses that all have some level of experience with cybersecurity insurance and can offer an in-depth perspective on both the benefits of cybersecurity insurance and the challenges that still lie ahead. I look forward to hearing our witnesses' views on how small businesses can more effectively manage their cyber risk and possibly with the help of cybersecurity insurance. And I would now like to yield to the Ranking Member, Ms. Velazquez, for her opening statement. Ms. VELAZQUEZ. Thank you, Mr. Chairman. The internet has undoubtedly transformed the way small business operates. E-commerce empowers America's 28 million small businesses, giving them a unique opportunity to sell their products not only across the country, but around the world. Unfortunately, for small business owners, when it comes to the health of their businesses, cyber hygiene often falls to the back burner. The lack of preventive measures can result in hacks and other cyber incidents that have major and costly implications for small business and their ability to operate. The topic of this hearing is particularly timely. If Russia was able to use cyber attacks to penetrate our democratic institutions, by comparison a small business seems an easy target. The fact of the matter is there will continue to be cyber threats from those who seek to damage our national security, our economic security, and our political system. And there will continue to be criminals who seek to profit by stealing sensitive data held by the government or the private sector. Cyber criminals have realized small entities are more exposed than larger businesses that have dedicated, in-house IT personnel overseeing their systems and networks. In 2016 alone, more than 1.1 billion identities were stolen. This is worrisome, perhaps lethal, for companies that have a reputation of safeguarding their customers' information and need to maintain their credibility. Small businesses that lose customer information when their security is breached suffer significant costs financially and in the loss of customer trust. And once businesses get compromised, fully recovering from a cyber attack is extremely difficult. On average, small businesses that get hacked make the discovery more than 200 days after the attack has occurred. For the federal government, cybersecurity should be a priority, but the private sector must also stand up to the challenge and complement existing federal resources. Given the financial consequences that a cyber attack may have on small businesses, there is a new industry of insurance providers focused on providing policies to protect them; yet, there are a number of factors making this an expensive undertaking. A lack of adequate data underscores the complex nature of creating cyber liability policies for small firms. Also, the type of business that risk management procedures and the continually evolving threats make it difficult for the insurers and the small businesses. Today's hearing will help us look at this noble idea and learn what role Congress plays in streamlining such an important insurance product. I look forward to hearing the challenges small businesses face in selecting a cybersecurity insurance policy and the hurdles insurers must overcome to offer valuable and comprehensive cybersecurity insurance solutions. It is clear from recent events that these issues are not diminishing. If anything, they are growing more important. Cybersecurity concerns from Russia's attack on our political intuitions to criminal enterprises preying on small businesses merit our attention more than ever before. I would like to thank you all for being here this morning and I yield back, Mr. Chairman. Chairman CHABOT. Thank you very much. The gentlelady yields back. And if Committee members have opening statements, I would ask that they be submitted for the record. And I would now like to explain our timing rules and lights here. It is pretty simple. We operate under the 5 minute rule. There is a lighting system to assist you there. The green light will be on for 4 minutes. The yellow light will come on and let you know you have got a minute to wrap up, and then the red light will come on and you are supposed to stop. Most people do. But we will give you a little leeway. But if you could stay within those parameters, we would appreciate it very much. And I would now like to introduce our distinguished panel. Our first witness is Robert Luft, the Owner and President of SureFire Innovations, a service-disabled, veteran-owned small business and minority business enterprise located in my home district of Cincinnati, Ohio. And Mr. Luft and I actually talked about this a long time ago and he brought this to my attention. And I think that actually was how this hearing came into being here, so do not screw it up because you are the one who did it. SureFire Innovations specializes in providing network infrastructure services to companies all across the country. Prior to starting his company, Mr. Luft served our country for 16 years in the Army as a combat engineer. He is testifying on behalf of the National Small Business Association. We thank him for his service to our country and we also welcome him here today. I would now like to yield to the Ranking Member to introduce our next witness, who I believe is a constituent and whose first name is Erica, which happens to be our daughter's name. You even spell it the same way. So, and I yield. Ms. VELAZQUEZ. Thank you, Mr. Chairman. It is my pleasure to introduce Ms. Erica Davis, senior vice president and head of Specialty Products Errors and Omissions at Zurich. She is also a constituent from my district in Brooklyn, so I am very proud. Prior to joining Zurich in 2009, she was a senior underwriting officer for technology insurance specialty at the Chubb Group of Insurance Companies. Ms. Davis holds a bachelor of arts degree from the University of Arizona. Welcome. Chairman CHABOT. Thank you. And our third witness will be Mr. Eric Cernak, Vice President and Cyber Risk Practice Leader at Munich Re in Hartford, Connecticut. In his role, Mr. Cernak provides leadership in all cyber efforts overseas, Munich Re's property and casualty operations, and develops strategies to help the company compete in the cyber marketplace. He is testifying today on behalf of the Reinsurance Association of America, RAA, and the Property Casualty Insurers Association of America, PCI. We thank you for testifying here this morning. I would now like to once again yield to the Ranking Member for introduction of our fourth witness. Ms. VELAZQUEZ. Thank you, Mr. Chairman. It is my pleasure to introduce Mr. Daimon Geopfert, national leader and principal of security and privacy consulting at Risk Advisory Services. He has over 20 years of experience in a wide array of positions, including time in the U.S. Air Force. Mr. Geopfert has served as the manager and lead technician for security assessments performed on some of the largest corporations and government entities in the world. He holds a bachelor's degree from the United States Air Force Academy and a master's degree in computer science from the University of Michigan. Welcome. Thank you for being here. Chairman CHABOT. Thank you. And we also thank you for your service, Mr. Geopfert. And Mr. Luft, you are welcome here and recognized for 5 minutes. STATEMENTS OF ROBERT LUFT, PRESIDENT, SUREFIRE INNOVATIONS; ERICA DAVIS, SENIOR VICE PRESIDENT, HEAD OF SPECIALTY PRODUCTS ERRORS & OMISSIONS, ZURICH INSURANCE, NORTH AMERICA; ERIC CERNAK, VICE PRESIDENT, CYBER RISK PRACTICE LEADER, MUNICH RE U.S.; DAIMON GEOPFERT, NATIONAL LEADER AND PRINCIPAL, SECURITY AND PRIVACY CONSULTING, RISK ADVISORY SERVICES STATEMENT OF ROBERT LUFT Mr. LUFT. Good morning. Thank you, Chairman Chabot, Ranking Member Velazquez. Chairman CHABOT. You need to turn the mic on there. Mr. LUFT. I apologize. Chairman CHABOT. Yeah. You have got to turn it on. Mr. LUFT. Good morning. Thank you, Chairman Chabot, Ranking Member Velazquez, and members of the House Small Business Committee, for inviting me to testify today on the current state of cybersecurity for small companies and how cyber insurance can help small businesses transfer risk. My name is Robert Luft, and I am the owner of SureFire Innovations located in Cincinnati, Ohio. I am pleased to be here representing the National Small Business Association where I currently serve on the Leadership Council and the Technology Council. SureFire Innovations is a certified service-disabled, veteran-owned small business and minority business enterprise, specializing in network infrastructure, design installation of hardwire, wireless, security and smart city networks. After my military service in the Army, where I had the honor to serve on multiple combat deployments to Iraq during my 16-year career, I decided that entrepreneurship was my path, and hence, the founding of SureFire Innovations. Cybercrime is growing rapidly with annual cost to the global economy estimated to reach over $2 trillion by 2019. Organizations of all sizes are at risk for cyber attacks. Small business represents more than 97 percent of business in the U.S. Alarmingly, in 2015, 43 percent of all attacks were directed at small business. Despite the growing awareness of cyber-related crimes, 77 percent of small business owners believe their company is not at risk for cyber attacks. The risk of being a target for cybercrime is high. Forty- two percent of small businesses surveyed by the National Small Business Association reported being a victim of a cyber attack, with the average cost being $32,000 when business banking accounts were hacked, and $7,000 on average for small business overall. So what can we do as small businesses to address this issue? We can start with what I learned in the Army. Keep it simple. By utilizing the SBA's top 10 cybersecurity tips, this would provide a framework for all small businesses, even those who are not technologically savvy and currently have zero protections in place; simple measures, like installing antivirus software, the use of complex passwords, and backing up information. Since total elimination of threats is impossible, protecting against them should be a top management priority. Unfortunately, many small businesses do not place cyber threat as a top priority. This is evident by the fact that 60 percent of small companies go out of business within 6 months after a cyber attack. Small business need not only think of ways to mitigate cyber attacks, but also how to transfer that risk away from their company. This can be accomplished with the cyber liability insurance policy, which provides coverage in the event of a cyber attack. A typical cyber liability policy will include the following coverages: theft and fraud, forensic investigation, network business interruption, extortion, and data loss. What led to my purchase of a cyber liability policy is a subcontractor was performing services on one of my projects, suffered a bank account breach that resulted in the loss of $15,000. This was a catastrophic event. Those funds were required for payroll and put enormous strain on its employees. This event made me realize that our company was just as vulnerable, and despite having a cybersecurity plan, we did not have a cyber liability insurance policy. So in the event we were breached, we would not have any financial protections available. Unfortunately, we were not the exception, as 75 percent of small businesses do not have cyber liability coverage in place. Most small businesses do not have the appetite to purchase another insurance policy. My annual premium is $3,200. The level of security this provides my company does not completely remove all of my concerns, but it affords me the knowledge that if we were hacked, protective steps had been taken to address any potential damages to the company and my employees. There are enormous amounts of resources available to help educate small businesses on cybersecurity and the potential ramifications of not having the appropriate plan and policies in place. The issue is awareness. The more we can help inform small businesses on how to mitigate and transfer these risks, the greater the positive impact small business will have on our economy. Thank you for the opportunity to address this very pressing issue. Chairman CHABOT. Thank you very much. Ms. Davis, you are recognized for 5 minutes. STATEMENT OF ERICA DAVIS Ms. DAVIS. Mr. Chairman, Ranking Member Velazquez, and members of the Committee, thank you for the opportunity to speak with you today about the private sector's role in providing risk management solutions to protect businesses from cyber risk. My name is Erica Davis and I lead a team of market-facing underwriters at Zurich North America, one of the five providers currently leading the North American cybersecurity insurance marketplace. Zurich has invested in identifying risks and delivering solutions for our customers. Zurich is a member of the American Insurance Association, the leading property-casualty insurance trade organization representing approximately 325 major insurers. I appreciate AIA's focus on cybersecurity. The cyber landscape continues to evolve, making companies increasingly vulnerable to the potential harm of a security or privacy event. While awareness of the threats is growing across all sizes of organizations, businesses are still struggling how to understand cyber risk. That is, the full scope of their exposures and how best to protect themselves. They must determine whether they should retain the residual risk or transfer it through the purchase of a cyber insurance product. Our approach to cybersecurity includes understanding attitudes to cyber risk, providing tailored coverage to meet our customers' needs, and working with businesses to adopt a mindset of resilience rather than just protection. Last fall, Zurich and Advisen released a survey of risk managers and other risk professionals. It found that 87 percent of respondents believe a technology interruption would have a moderate to significant impact on their organization. As with any line of insurance, risk culture is critical to underwriting cyber insurance. Businesses must build a culture of resilience and operational awareness at all levels, rather than simply viewing cyber risk as a technology issue. Insurance is just one piece of the cyber risk management puzzle, but the role of insurance is increasing as customers seek risk insights and feedback from their insurance advisors. It has really become more of a partnership with businesses now focusing on not just what happens post-event and a loss being paid. They value having qualified, vetted resources available to them, especially in their moment of crisis. And they are focusing more on risk-mitigation tools their insurance providers can provide to them. The business community's interconnectivity and reliance on technology has increased and that creates additional points of entry and new threat vectors. The cyber insurance and exposure has broadened to include potential property damage for something like critical infrastructure, supply chain ripple effects, bodily injury from autonomous vehicles, or cyberespionage. And the issue is only becoming more complicated. In an effort to continuously help customers and protect themselves from risk, Zurich began participating as a key industry consult in a public-private partnership by the University of Maryland and the National Institute of Standards and Technology. We are proud to be part of this initiative. Zurich is also collaborating with Deloitte to help improve a business' cyber resilience. Policyholders can complement Zurich's cyber insurance solution with risk management services through Deloitte to understand their level of cyber exposure and resilience. Underwriting of the cyber product is evolving, as are the risks. The insurance community is continuously working to understand the full scope of the exposures and what the controls may need to be. Each business needs to be underwritten differently, and as insurers, we must continue to refine our own understanding of those exposures. Finding solutions to the most complicated of cyber risks will require collaboration between the insurance industry, governments, academia, and other think tanks to establish standards, encourage information-sharing, build resilience, and create adequate global governance. As the market evolves, Zurich is committed to staying at the forefront of the cybersecurity issue, and we will continue to develop additional insurance solutions going forward. Thank you for the opportunity to testify today, and I look forward to answering your questions. Chairman CHABOT. Thank you very much. Mr. Cernak, you are recognized for 5 minutes. STATEMENT OF ERIC CERNAK Mr. CERNAK. Good morning. I am Eric Cernak, vice president, U.S. cyber and privacy risk practice leader at Munich Re U.S., testifying on behalf of the Reinsurance Association of America and the Property Casualty Insurers Association of America. Munich Re and HSB provide cyber and privacy-related insurance and reinsurance protection for small and large businesses in the United States and throughout the world. HSB Group has an A++ and Best Financial Strength rating. We were one of the first companies to provide reinsurance for cyber risk to small businesses. In addition to reinsurance, we underwrite cyber risk, develop products, and work with small businesses to help mitigate cyber-related exposures. Today's hearing is an important discussion to highlight the success of the private sector in developing cyber insurance. It will help raise awareness among the small business community about the importance of purchasing cyber insurance as a preventative risk management tool and critical safety net should a cyber event occur. A 2017 Risk Management Solutions report concluded that the number of large magnitude data exfiltration events has grown substantially, and companies are increasingly investing in their own cybersecurity systems. However, a June report by broker Aon estimated that only 19 percent of small businesses in the United States had purchased cyber insurance compared to around 75 percent of certain large companies globally. More insurers have offered cyber insurance over time, from less than a dozen in the early 2000s to more than 70 in 2016. As we see more high-profile cyber events, small businesses are increasingly aware of their exposure. This has prompted the insurance industry to add cyber endorsements to existing small business insurance policies. A significant part of the value proposition of these cyber insurance policies is loss prevention services. Participants in a 2016 Hartford Steam Boiler survey listed vulnerability assessments, next-generation firewalls, IT security audits, and intrusion detection as the most helpful loss prevention services. Participants also listed reasons that they did not purchase cyber insurance: they did not need it, cost of coverage, and an application process that is too complicated and confusing. These results suggest that education is key to increasing the take-up rate of cyber insurance by small companies. The public and private sectors have a role to play in increasing the cyber insurance take-up rate, helping businesses overcome the ``it will not happen to me'' mentality, constructively addressing cyber vulnerabilities, and preparing for the aftermath of a cyber event. Cyberattacks may not be a matter of if, but when. It is essential for businesses, which are increasingly interconnected, to be prepared, protected, and resilient. Insurance can help with all three. The insurance marketplace needs to continue to refine the process in coverage to reduce complexity associated with the purchasing of cyber insurance. For example, common coverage form terminology could help applicants better understand what different policies cover. Insurers are also grappling with four factors in offering cyber insurance. As both the chairman and ranking member have stated, there is no significant historical loss data. Second, the cause of loss is generated by an active adversary that changes with new technology. Third, insurers are grappling with the evolving patchwork of State, Federal, international cyber- related requirements. And fourth, cyber is not bound by geography and poses potential aggregation risk for insurers. As these factors evolve, Munich Re and HSB are continuously talking to our small business customers to better understand their needs. We are also monitoring the technological, regulatory, and society trends that could pose cyber risks. So what can Congress do to improve cyber protections for small businesses? We specifically encourage Congress and the administration to coordinate cybersecurity policy among Federal agencies and designate lead agencies to coordinate discussions where appropriate. It is critical that this coordination include State insurance regulators and that we all work together to avoid a conflicting patchwork of State, Federal, and international standards. Munich Re and HSB Group stand ready to work with you to protect small businesses from cybersecurity threats. Thank you. Chairman CHABOT. Thank you very much. Mr. Geopfert, you are recognized for 5 minutes. STATEMENT OF DAIMON GEOPFERT Mr. GEOPFERT. Thank you, Chairman Chabot, Ranking Member Velazquez, and members of the Committee. Thank you for the opportunity to discuss the cybersecurity challenges that have become a constant material threat within the small business community. My name is Daimon Geopfert, and during my career I have performed hundreds of security assessments and cyber breach intrusion investigations within small businesses. I was asked to speak today regarding how legislation, such as H.R. 3170, and private sector solutions, such as cyber insurance products, can help organizations manage their cyber risk. In a study performed last year, RSM performed extensive data mining within a set of cyber insurance claims and found that 50 percent of the reported attacks were against organizations with $50 million in revenue or less. Attacks against small businesses are not an anomaly; they are the norm. This is the key demographic that is being targeted by hackers. What is needed is a venue through which small businesses can find simple, direct guidance on how to protect their environments and mitigate risk, and that also provides access to resources with the necessary expertise to chaperone them through the implementation of that guidance. The current legislation addresses part of this requirement by essentially creating cyber mentors within the Small Business Development Centers. These personnel could quickly become the frontline advisors that are so desperately needed to guide small businesses through the deployment of technical security solutions and administrative risk management techniques, such as acquiring cyber insurance. While this is a critical first step, the SBDCs hold the promise of a myriad of benefits that could be made available in the future. Again, to make material progress on this issue, we need to move to clear, concise, pragmatic solutions. While it might seem like an abnormal suggestion, what is needed is to emulate our peers within the hacking community. The underground markets excel and become exceedingly efficient at turning large masses of unskilled, technically challenged individuals into groups of, while not elite, at least effective cyber attackers. We lack that equivalent process on the defensive side in which we can rapidly take a large number of small businesses and have them become at least efficient and effective at basic cybersecurity. While it sounds relatively simple, reference environments, as they are known, are not common in the small business community, which often leads to organizations cobbling together their security architecture and governance based on their individual interpretations of best practice. Similar to the methods of our adversaries, small and middle markets need a dedicated hub where they can find simple, realistic guidance on how to deploy security solutions that are complete and effective at a basic level. This would then need to be paired with programs dedicated to delivering to security training directly to the IT and management members of those small businesses as most of these organizations simply cannot acquire the necessary security talent on the open market. The SBDCs could play a critical role in the process of working with government entities, private sector consultants, and vendors to create standardized models and security training. It should be mentioned that an additional benefit of deploying such common models is that it would then allow the SBDCs to address the need for actionable cyber threat intelligence that could be easily consumed and put to use by small businesses. If common reference environments are made available to small businesses, many of these entities would be highly interested in deploying these frameworks if they knew they can consume and utilize threat intelligence in a plug-and- play manner. It should be noted that this support was included in the prior H.R. 5064 legislation that passed this Committee last year, but then later expired in the Senate. At this point, the foundations would be laid for a base- level accreditation program for small businesses in which they can demonstrate that they have achieved basic cyber controls and processes. The SBDCs would be a natural fit to oversee this program and could then coordinate between newly accredited small businesses and insurance carriers to facilitate the acquisition of cyber insurance. These suggestions create a process that naturally flow from a set of standardized security templates, through the training and the deployment of those templates, through the accreditation that the controls were deployed properly, through the coordination with the cyber insurance market to offset the residual risk. This process in its entirety represents the most requested types of support by small business executives encapsulated in a clear, concise, and pragmatic approach. It would materially improve the current security status of approximately 50 percent of the U.S. economy. The final point I would suggest would be to use the SBDCs as a coordination point between small businesses and a designated, responsive law enforcement entity. Currently, when a small business is compromised, they can contact their local police departments, which are often willing to help, but technically unable to do so, or they can contact the FBI or Secret Service that are technically able to help, but typically do not have the bandwidth to do so. This situation has created a mindset within the small business community that when it comes to cyber matters, they have essentially been abandoned to the Wild West where the rule of law does not apply. Legislation that addresses the points I have described above would greatly improve the security and longevity of the U.S. small and middle market businesses. Mr. Chairman, this concludes my statement, and I look forward to further questions. Chairman CHABOT. Thank you very much. And I will yield myself 5 minutes. Mr. Luft, I will go to you first. Could you tell us what process you went through in determining what cyber insurance coverage you ultimately ended up with? And are there any recommendations that you would make to other small businesses who might be considering, first of all, whether or not they should get insurance coverage? And then secondly, you know, who they should get it from? I am not saying what company, but just kind of the process. Mr. LUFT. Well, it was my first assumption that cyber insurance should just be as simple as any type of insurance, so I reached out to my existing insurance provider. What I quickly found out is that is not the case. He was not familiar with a lot of policies. So once I saw some hesitancy on his end, I sought some additional resources and found an agent that was exclusive to cyber insurance. That would be my first suggestion to any small business. And one of the first things that a company needs to look for when they are looking at that, there are some standard coverages in there: the extortion coverage, data loss. So the company could assume that those things are going to be included in a policy. But one thing that they need to ask for is retroactivity. When you first initially buy that policy, it is going to become effective that inception date, but anything that may have happened previously, it would behoove that small business to ask for maybe a year of retroactivity, just in case there is something lurking there in their network, to ensure that they are safe. Chairman CHABOT. Thank you very much. Ms. Davis, let me go to you next. You mentioned in your testimony that not all causes of loss are covered by a particular insurance policy. Could you provide the Committee with an example of what would be an uninsured loss and how small businesses can protect themselves from that type of liability? Ms. DAVIS. Sure. So the exposures that arise from cyber threat continues to evolve and there are certain elements of loss that at this point are not transferable to an insurance policy. There is work being done by the insurance community to try and develop insurance solutions for some of those losses, but my advice to small businesses really echoes some of the comments that we have heard already, and that is just providing additional education to those businesses, so things like this hearing today really bring awareness to the topic. But where assistance is needed is helping them connect the dots. I think small businesses today have an understanding of what the exposures are and what risks they may bring to the business, but they are struggling with the ``how.'' What sort of action items they can implement to make their operation more resilient and secure. So it really does come down to businesses understanding the risk and protecting themselves from it, which is really done through risk mapping. Smaller businesses need to understand what downtime could mean to their organization. Also, the sensitive data that they are holding, what sort of costs they may incur if that data is compromised, and I think that qualitative aspect is an area and it is an opportunity where the insurance community can assist with some of that process. The other point that I will mention is just in terms of connecting the dots and bringing action items to them, it is about understanding if employee training is only being offered by roughly 80 percent of organizations now, that does not translate to the fact that we have seen a growing number of threats really come out of exploitation of that human element, of that big vulnerability. And 50 percent of respondents to that Advisen Zurich survey noted that humans or their employees unintentionally infecting their network was a top concern. So just helping bring together those pieces. Chairman CHABOT. Thank you. I have got less than a minute to go and I have got two witnesses. I am going to throw this question up and it is kind of maybe an impossible question, so if either one of you want to answer this. If a business has X- amount of insurance where they are covering fire and a whole range of things and now they have got to consider cybersecurity insurance, and let us say they are going to go with the insurance company they have now, how much more typically could they expect to pay for this that they are not paying without it right now? Percentage-wise, are we talking an additional 10 percent, 25 percent? And I know that is a tough question. It would depend on how big the company is. What would your estimate be if you have one? Mr. CERNAK. That is an excellent question, and as you point out, it is going to depend on the class of business that they are in, the amount of data that they have, what coverages they are actually looking for. And there are two approaches to cyber insurance in the marketplace today. One is a standalone policy, which is probably going to cost you thousands of dollars. Chairman CHABOT. Yeah. I would guess that would be probably more. So let us say you went with the company that you have now and they did have the expertise, unlike what Mr. Luft had said he experienced, I mean, ballpark, what range are we probably talking about? Either one of you want to venture this? Mr. GEOPFERT. Again, that is hard to formulate because every one of the organizations, when we work with them--and I am not on the insurance side; I am on the breach investigation side, so I see the flip side of it--every one of the organizations, the question is going to come down to what does your network look like? How much data do you have? How does the data pass through? Do you pass through credit card payments to a third party? Depending on how they answer that, you can have two organizations that are the same size in the same industry that have put together their networks differently. They are going to pay vastly different amounts for insurance. Chairman CHABOT. I told you it was an impossible question. Do either one of the first two witnesses want to take a quick stab at it, ballpark? Ms. DAVIS. So there are a number of factors that contribute to that. So coverages, but also limits and retention. So it really depends on what an organization's risk tolerance is. Somebody may say to themselves, ``I feel as though I can retain this risk. I am not at high risk of this sort of event occurring,'' and they may be purchasing a $1 million limit with a $250,000 retention purely to satisfy a contractual requirement; somebody else may opt for hundreds of billions in coverage. So those are some of the influencers. Chairman CHABOT. Mr. Luft, you are from Cincinnati. I expect you to give me an answer. Mr. LUFT. So, Chairman, I can talk specifically about what is happening with my company. And so for my liability policy, covering our installation, for a million-dollar policy that is about $4,000. When I bought that standalone cyber insurance policy, that was $3,200, so roughly about 80 percent. Chairman CHABOT. Good. Thank you very much. I appreciate it. My time is expired. I apologize for going a little bit over. The Ranking Member is recognized for 5 minutes. Ms. VELAZQUEZ. Thank you. Mr. Cernak, I believe that you stated that it is not if small businesses are at risk, the question is when is it going to happen. So we need to operate under the assumption that aggressors are already inside our networks. With that said, what alternatives do small businesses have once they become aware an aggressor already has access to that information and technology? Mr. CERNAK. Sure. Yeah, once you have identified that someone may be within your four walls, I think it is incumbent and imperative that you get somebody, like my colleague here to the right, that could come in and identify exactly what is wrong. And not to stop at the first answer. We have seen instances where ransomware is extremely popular now. A lot of businesses are being impacted by ransomware, and it is a very visible attack. But what the criminals are doing on the other side of that is they are loading additional software in the back end so that once you rectify the very visible issue, and you may think your problem is solved and go back to managing your business, there is this other software that is going to start exfiltrating data down the road. So you really need to get a professional in to do a thorough analysis and your insurance company can help you identify those people. Ms. VELAZQUEZ. Mr. Geopfert? Mr. GEOPFERT. The part I am going to hit is this actually delineates quite a difference between the small business market and even the mid-market in that both of those groups are going to struggle preventing the breach. It is very difficult in today's day and age with the types of exploits and malware to keep them out. The more complex the organization, quite often they will notice that they are breached earlier. And even if the attacker did get in, quite often they have stood up security monitoring of the tools that can let us retrace the steps of the attacker so we can reconstruct what did the attacker do in the environment, how long were they there, what did they take, what did they touch? In the small markets, quite often they are not even that mature. The attackers can get in. By the time the organization finds out that an attacker is in, when we show up there is no evidence or the small business has already destroyed the evidence in their initial response. They have overwritten it. And so when we are talking about the damages for small businesses, a big part of their problem is they always have to assume the worst-case scenario. Because they either did not have the evidence or they destroyed it, we have to assume the attacker essentially reached everything and legal precedence says they have to do mass notification, whereas in the larger environments it might be the same attacker who did the same thing, we can constrain. We can put bounds around what the breach actually was. So it inordinately impacts the smaller environments simply because they are less able to reconstruct what the issue was even if they could not stop the attack. Ms. VELAZQUEZ. Thank you. Ms. Davis, cyber insurance is in its infancy as an insurance product. How has it evolved since its inception to meet the demands of small firms and the needs of neutralizing relentless cyber attackers? Ms. DAVIS. So the roots of the product were really in the technology, you know. And as some of the first-party costs to an organization, the immediate costs after a breach began to evolve with notification standards and credit monitoring, et cetera, the policy was built out to include those first-party coverages. And what we are finding now is that financial institutions, healthcare organizations, those early adopters in heavily regulated segments are really more driven towards that personal information and healthcare information. Next, we have a three-tail organization, and what we are finding now is that the coverages have evolved to really address the interdependencies that we are seeing across the supply chain. And so business interruption, loss of income, extra expense that an organization would have to pay in the event of downtime is becoming a key driver in the coverage discussion. Ms. VELAZQUEZ. And can you explain how the process to create policies is complicated by various state and federal laws and a disjointed federal cybersecurity effort? Ms. DAVIS. Sure. So we talked about some of the first steps when an organization realizes that they have been compromised, and certainly, forensics is a big piece of that to understand what went wrong and why and how many, you know, the extent of the information that was compromised. I would argue that very early on in that process there also needs to be legal representation, attorney breach coaches who are helping to prioritize those notifications and needs to individuals who were impacted. And the challenges that creates is really each and every State, at this point an attorney general is handling those topics differently. What is considered legal compliance and what timeframe individuals need to be notified? How they need to be notified, does it have to be through USPS? Is email sufficient? And so the costs, the legal costs for small businesses really add up in that process, and so standardization of those requirements would help bring down the costs associated with it. Ms. VELAZQUEZ. Thank you. Chairman CHABOT. Thank you. The gentlelady's time is expired. Ms. VELAZQUEZ. I yield back. Chairman CHABOT. Thank you. The gentleman from Missouri, Mr. Luetkemeyer, who is the Vice Chairman of this Committee, is recognized for 5 minutes. Mr. LUETKEMEYER. Thank you, Mr. Chairman. This is a subject that we are talking about today that 10 years ago it would not even be on our radar, and yet today, here we are. And so it is kind of scary from the standpoint of what are we going to be talking about 10 years from now that is not on our radar today? And so that is how fast our society and evolution of all these things is happening. That is just an aside. Mr. Cernak, you represent a reinsurance company, and we are talking about cyber today and your company provides cyber insurance. Why are you a reinsurance company that reinsures insurance companies here today talking about cyber? Mr. CERNAK. Thank you for the question. And it is a great question. I think the role that reinsurers play in this realm is to help make more coverage available to the end consumers, the small businesses, by enabling other property and casualty insurance companies to put products out in the marketplace, and not only provide those carriers with the capacity, but also the technical knowledge to provide a sustainable product that they can feel comfortable bringing to their insured customers. And so beyond the dollars that a reinsurer can provide to these P&C carriers, it is also the claims expertise, the service provider networks, the forms development, and the rate development. You need all of those things to create a compelling product, and by doing that we help other carriers introduce products in the marketplace, thus helping the end insureds. Mr. LUETKEMEYER. Very good. Evaluating the risk here is really difficult, and I know Mr. Luft made a comment in his opening statement that 43 percent of the attacks are on small businesses. My staff has got a number here of businesses under $300 million in value, 50 percent of cyber attacks are on those businesses. This tells me we have got a very vulnerable group of folks here that probably do not have the expertise to deal with it. And so how do we protect them? So that is where insurance comes in. So I guess my concern is not necessarily, I know we have talked a little about the business interruption, basically coverages that you guys are involved in, but to me the biggest risk for a small business is the liability exposure. And liability exposure is such that if I am in the lending business and I am lending to a small business and I see that they are very highly leveraged and I see that they deal with lots of personal information, to me there is an exposure there that could really harm that credit. Therefore, that whole line of credit is in danger. Therefore, it is going to hurt me as a financial institution. And I can see that at some point the regulators are going to get involved in this and start asking and requiring for cyber insurance for certain lines of business that deal with more information. So if Mr. Cernak or Ms. Davis would like to take this, it looks to me like small businesses are the low-hanging fruit for the bad guys to go after and I think in some cases, I was talking to some folks a while ago, that it can even be the back door to bigger business, which means you have an even bigger liability risk. So would you like to talk about that just for a second, how you want to approach that particular part of the coverage? Mr. CERNAK. Sure. And I think you are right on with that assessment that we are starting to see small businesses be that back door into the larger businesses, and we are starting to see the larger businesses require contractually that these smaller businesses carry some level of cyber insurance. The struggle there is oftentimes they may or may not have an arbitrary dollar amount in terms of the limit they want carried, and they also do a fairly poor job of identifying the exact coverages they want those folks to carry. Your comment relative to the lending industry in particular, I don't think I have seen that as of yet, but I think it is a valid concern. Mr. LUETKEMEYER. Go ahead, Ms. Davis. Would you like to comment? Ms. DAVIS. I totally agree. And thank you for the question. Absolutely, we are seeing that back-channeling take place where it does feel as though the larger organizations are locked and loaded when it comes to their information security measures, but that supply chain that we reference has become a huge vulnerability, especially in the manufacturing space and when we think through items like corporate confidential information. Mr. LUETKEMEYER. I think Mr. Luft made a comment a while ago with regards to a question I think one of our other folks made. And the comment was made with regards to covering things that may have happened prior to the coverage being effective. And so my question is, does your policies, are there policies out there that will take care of things that you put in place that were not accurate or that exposed you not only before, but what happens if you put something in place, you let the policy drop or go to a different carrier, do you have tail coverage or something as well with this? Can you kind of explain the before and after coverages here if there is such a thing? Ms. DAVIS. Yeah. So it is an important development in the cyber insurance space, the idea of prior acts. And the reason why it came about is because of the statistic that Congresswoman Velazquez noted of 200 days potentially where a perpetrator has been in the network and we found the nature of the threats has changed as attackers used to enter a network, grab as much information as they can, and then get out, and now they tend to lurk and try to stay under the radar, grabbing small bits of information at a time. So that coverage is available in the marketplace, and typically, we do find that affordable coverage to that effect is available as customers change carriers as needed. Chairman CHABOT. The gentleman's time has expired. The gentlelady from New York, Ms. Clarke, is recognized for 5 minutes. Ms. CLARKE. I thank you, Mr. Chairman. And I thank our ranking member. I want to also thank our witnesses for your expert testimony today. This is very important information. I think the average small business is really at a disadvantage in this day and age, not really conscious of the intrusion of those who would want to either extort them or use them as a tool for penetrating even larger enterprises. So I want to thank you once again for your insights. Ms. Davis, I did want to find out from you how does your company tailor insurance policies? Is it for each client? Is there a ``one size fits all'' package? Can you give us some insights into that? Ms. DAVIS. Sure. So it is helpful to understand the underwriting process when answering this question, so let me start with that. Organizations would typically complete one to two underwriting applications and those are submitted to various carriers by an insurance broker. It was noted earlier to really partner with a broker who has expertise in this space since it is such an evolving area. And those applications have questions on them. Some are reflective or inclusive of controls kind of noted through the NIST framework; others are outside of that. So there would be various applications and levels of information that are provided at the time of the application process. But what the customers request, what an insured requests is really driven again by more of their risk tolerance, why they are purchasing the policy. Are they looking at it as more of a contractual requirement? Or are they looking for a more robust, cutting-edge solution? So, and a lot of that will influence the price as well. Ms. CLARKE. So it is more of a tailored process based on the questionnaires that the individuals fill out? Ms. DAVIS. That is correct. Ms. CLARKE. And how widespread would you say this sort of practice within insurance, how widespread has that become to your knowledge? Ms. DAVIS. The tailoring of solutions? Ms. CLARKE. No, I am sorry. This sort of insurance practice for small business getting cybersecurity insurance? Ms. DAVIS. So just so I understand, you are asking how widespread is it that the small businesses---- Ms. CLARKE. Within the industry of insurance, your company is one that has been identified. Have other insurers begun moving into this space? Ms. DAVIS. Yes, absolutely. There is a growing recognition that small businesses are looking and actively seeking to raise their risk awareness, and insurance is one piece of that puzzle. It should not be the entire solution, but we are seeing increases in small- to medium-sized organizations actively seeking out insurance policies for cyber. Ms. CLARKE. Yeah, because sort of most brick-and-mortar type of businesses have insurance, right? Ms. DAVIS. Right. Ms. CLARKE. Theft insurance, what have you. But not many of those types of mom-and-pop establishments, which are very prevalent in Brooklyn, New York, where we are from---- Ms. DAVIS. Yes. Ms. CLARKE.--would be looking to essentially look at their sort of connectivity and determining how they would add that to a current policy. Ms. DAVIS. And I think that is a great point and it really gets at the way that the product has evolved from just a couple of years ago, where it was really focused on more privacy exposed organizations, and now we are at that new cusp of buyers and coverages that are more driven towards that business interruption, that network interruption, and the downtime and financial impact that it could mean to those mom-and-pop organizations. Ms. CLARKE. Wonderful. Thank you. Mr. Luft, in your testimony, you point out that small businesses often do not perceive themselves as being targets for cyber attacks. What can we do to educate the general public on the risks of not being protected? And what can we do to ensure that they have a place to go after a cyber attack takes place? As it stands now, where do they go? Mr. LUFT. Well, I would say the first step is the small business needs to understand that there is extreme risk out there and they need to look no further than to television. There are plenty reports about what is happening to major corporations, to small businesses on a daily basis. So my first suggestion is that small businesses need to take that initiative. From an education standpoint from this body, I do know from the Federal resources, from the SBA, especially within Cincinnati, they do a tremendous job of having events informing small businesses about cybersecurity and actions they need to take place. So I would think more what needs to happen is the initiative from the small businesses to take action. Ms. CLARKE. And probably partnering with some Chambers of Commerce? Mr. LUFT. Absolutely. Yes. Ms. CLARKE. And things of that nature? Thank you very much again for your testimony here today. Mr. Chairman, I yield back. Chairman CHABOT. Thank you very much. The gentlelady's time is expired. And the gentlelady from American Samoa, Mrs. Radewagen, who is the Chairman of the Subcommittee on Health and Technology is recognized for 5 minutes. Mrs. RADEWAGEN. Talofa. Good morning. Thank you, Mr. Chairman and Ranking Member, for holding this critical hearing. Thank you all for appearing today. Ms. Davis, my first question is for you. You mentioned that businesses with personal health and personal financial information consider data security as more of an issue. Are there any industries that you believe are prone to cyber attacks, but currently do not see cybersecurity as a pressing issue? Ms. DAVIS. I would say the one class of business where we are definitely seeing an increase in awareness is in the manufacturing space. And again, that gets back to more of the corporate confidential information, the supply chain, and what interruption, network interruption could mean to those organizations. Manufacturers, historically, had felt like the product did not necessarily speak to their coverage needs, to their exposures, and we are definitely seeing that maturity start to change in their thought process. Mrs. RADEWAGEN. Thank you. My second question is actually for all of you. What do you think are the biggest risks for cybersecurity insurance providers that do not exist in other insurance markets? Mr. Luft? Mr. LUFT. Your question was specific to the cyber insurance companies? Mrs. RADEWAGEN. Insurance providers. Yes. Mr. LUFT. In speaking about the small businesses, the reason why they need to think about that as the statistic has been mentioned several times today, that after a cyber attack, 60 percent of small businesses are out of business within 6 months. I think that is the greatest call for action from a small business perspective. Mrs. RADEWAGEN. Ms. Davis? Ms. DAVIS. I think one of the biggest challenges to insurers right now is really not having a solid sense of what their aggregation concerns may be. When we think through property as an example, you are able to model, right, what your windstorm-exposed areas are. When it comes to cyber, there are all of these hidden or sort of silent interdependencies that you may not be able to track or to model in the underwriting process. So that is definitely a concern for us. I would also say the intersection of the various lines of business is unique to the cyberspace. We are talking today about kind of the standalone cyber policies, but what we are finding is that as the threats evolve, some of these coverages are creeping into different policy lines, and so making sure that we have a way of identifying those gaps and redundancies to make sure we are providing good, holistic, meaningful solutions to our customers. And lastly, I would just say that this is a product still in its infancy and so we are learning together across the industry to make sure that we provide more consistent underwriting processes, more consistency in our application process, and in the language and vernacular that is being used. And I think all those things are hurdles for us at this time. Mrs. RADEWAGEN. Mr. Cernak? Mr. CERNAK. Thank you for the question. I see two major challenges right now, in addition to the ones that Ms. Davis pointed out. First is the patchwork of regulations that we are faced with in terms of trying to address and create products. We have to not only worry about the State, but the Federal, and now international regulations and security standards. So that is one item. The other, as Congressman Luetkemeyer mentioned in his remarks, is the smartphone is turning 10 years old this year, right? Never have we tried to insure an exposure that is evolving this quickly. It is moving with the speed of technology, and that in and of itself poses challenges. Mrs. RADEWAGEN. Thank you. Mr. Geopfert? Mr. GEOPFERT. I will speak as the neutral third party in the room. Quite often when things go bad, what we see working as responders with the insurers and the small businesses, it is more of a syntax issue. There is no common language to talk about security and risk within these organizations. So what we see is the insurance companies reaching out to the small businesses trying to put together their policies and packages and understand the risk of the organization they are going to insure. And the small business, not being malicious, they simply do not understand security. When they are filling out the package and trying to communicate how much data do they have? How do they control it, their business partners, their systems? They do not know how to fill out the packages and applications in the right way. So quite often the insurance companies will pick up that policy and not really understand what is underneath the hood until there is a breach, until we come in on the technical side and start touching the environment. Quite often, the insurance companies really do not understand how bad bad can get. And so until we can get to the point where there is sort of a standardized language where the insurance companies know how to rate the risk of a small organization and the small organization knows how to rate themselves, there simply could be missed expectations on both sides. Mrs. RADEWAGEN. Thank you. Thank you, Mr. Chairman. I yield back. Chairman CHABOT. Thank you very much. Thank you very much. The gentlelady's time is expired. The gentleman from Pennsylvania, Mr. Evans, who is the Ranking Member of the Subcommittee on Economic Growth, Tax, and Capital Access, is recognized. And I would like to thank him for his leadership on this issue and introducing legislation to ensure that the SBDCs accredit the people that will help to train small business folk to better protect themselves against cyber attacks. So we appreciate his leadership on this. And he is recognized for 5 minutes. Mr. EVANS. Thank you, Mr. Chairman. I appreciate you and the ranking member's leadership collectively on the fact that this is really a bipartisan approach and we have all got to work together. So what I want to piggyback a little bit and expand a little deeper on what Ms. Davis said and the term that she used, ``risk mapping.'' And used that term, and kind of if you have a crystal ball, if you say ``risk mapping,'' what particular industries, much more subject to the risk aspect in terms of where we are today? You said risk mapping. Give me a sense on categories of small businesses. Ms. DAVIS. So when I speak through risk mapping, I am thinking through, you know, it varies by industry, but it is also about identifying what is at risk from a pure data network security view, but also the broader implications that that may have on your organization. So the lost revenue or the downtime, it could mean the reputational risk. It could mean bodily injury or property damage, and bringing together a multi- stakeholder approach when evaluating cyber risk so that you are thinking of it as an organization, as an enterprise level. And in terms of the cyber or the IT risk mapping component of that, it could mean from a retail organization how many records you are holding. How long are you retaining them? For what reason are you retaining them? So that you are always keeping a proper calibration between your data risk and your data value. Mr. EVANS. Okay. I am starting my business. I mean, where would you go to kind of get that little sense of the mapping and understanding? To your knowledge, does anybody keep track of what takes place in terms of the community? Because listening, you just said the smartphone is 10 years old. Is there anywhere you can go to get a little sense of that? Ms. DAVIS. So there are businesses that you can turn to to help you do that, but I would say the very first step is doing it internally. And again, engaging your stakeholders within an organization to make sure that you have got either a risk manager or somebody who is acting in a risk manager role. You know, talking with HR or if you have somebody handling the IT business in-house. But really just beginning to have that dialogue internally so that you can start to gain and act on the information that you learn through something like an incident response plan to help you engage and limit your damages if and when an event does occur. Mr. EVANS. To the rest of the panel, hearing what Ms. Davis said, we just had this discussion about risk mapping. And as you look at it, what would you say in your particular case to your clients, understanding the aspect of risk mapping? Mr. GEOPFERT. The first point I am going to make is this is, again, dealing with small businesses. If you tried to explain this concept to them, to your point, they do not know where to start. Mr. EVANS. Right. Mr. GEOPFERT. This would be a perfect role for the Small Business Development Centers. Mr. EVANS. Right. Mr. GEOPFERT. Because they touch so many different entities, in a lot of cases they become the de facto knowledge- sharing centers. And in a lot of cases, they would be able to start you on that process and lay that out. The other point that I want to make out, when we deal with risk mapping, in a lot of cases that operates off the mindset that, like what you see in the news, that there are hacking crews that are out targeting your specific organization and going after you. A lot of small businesses, when they are trying to consider their risk, they do not feel that they are at risk because we are too small, we are too new. No one is shooting at us. It misses the point that the vast majority of breaches are not targeted and you cannot plan for that risk. If you are plugged into the internet, there is sort of the background radiation of the internet that is constantly grinding through looking for anybody that happens to be vulnerable and it might happen to be you. And so a lot of organizations, when we first sit down to do risk mapping with them, they are shocked with that realization that they are not targeted; they simply were a target of opportunity on the network. And so I think the Small Business Development Centers would be great at communicating that message of in your specific industry, this is what a risk map would look like. But do not forget there is a permanent residual risk that you simply cannot excuse yourself because you are too small or you are not in that industry. Mr. CERNAK. I think there is also an opportunity for insurance agents and brokers to begin that process as well. Because as they are sitting down discussing with their clients what their exposures are, they can start to ask the leading questions, if you will, as to what data do they have, where is it stored, and how do you use it, a lot of the points that Ms. Davis suggested. So I think insurance agents and brokers need to raise their level of education to help the clients. Mr. EVANS. I yield back the balance of my time. Thank you, Mr. Chairman. Chairman CHABOT. Thank you. The gentleman's time is expired. The gentleman from Iowa, Mr. Blum, who is the Chairman of the Subcommittee on Agriculture, Energy, and Trade, is recognized for 5 minutes. Mr. BLUM. Thank you, Mr. Chairman. Thank you to the panelists for being here today to talk about a very important issue to small businesses. I am and was a small business person, and a few years back my high-tech company was compromised via a cyber attack. I was absolutely shocked at how untrained law enforcement was on how to handle this situation because we lost value. We lost value. Two questions concerning that for the entire panel: A, has that changed? Is law enforcement, in general, across the country better trained now to handle the theft of a company's information via cyber attack? And B, what can Congress do or what can government do, assuming we are not where law enforcement needs to be? What can we do to--any ideas or suggestions on how we can change that? Mr. LUFT. To your first question, I hope. And the second question, as far as what Congress can do, whatever can be done to help inform small businesses about the number of threats that are there and helping small businesses understand what steps they can do to protect themselves is the greatest thing that could be done right now. Mr. CERNAK. Again, I think, you know, the patchwork of regulations also can hinder a little bit of that because there is this attitude of, you know, well, who is ultimately responsible for that portion of the law enforcement if you have got different regulatory bodies that are involved in cyber events? So I think, again, streamlining that may help as well. Mr. BLUM. In your opinion, is law enforcement better trained than they were 5 or 10 years ago on cyber attacks? And how to prosecute and how to find out what the value is of what was taken, et cetera, et cetera? Mr. CERNAK. Yeah. No, and that is an excellent question. Unfortunately, my focus is more on helping the small businesses recover relative to the issue and that is where my expertise stops. Mr. GEOPFERT. Sir, it pains me to say, as I am a former special agent, so that is where I came from, are they better than they were 5 or 10 years ago? Yes. Has it materially improved the situation? No. Per my comments earlier, in a lot of cases, what happens with a small business especially is they do not register on the Richter scale enough to draw the attention of the law enforcement entities that could actually do something to resolve the situation. And so the FBI and Secret Service have a lot of very skilled people that do exceptional work, but there is only so much availability, so much bandwidth. And they are naturally going to gravitate to the larger events. And so while they would be interested to hear of the issues within the small businesses, the idea that they are going to send an agent down to start working on those cases is just not reasonable. And so what you are left with is local law enforcement, who usually are very excited to help, but they technically cannot do anything. They are very effective, and they have put a lot of people through training where if you have internal theft, if you have an employee that is committing fraud or something, they can assist with those types of issues, but at the end of the day, the goal of law enforcement typically is to affect an arrest against somebody. And with the vast majority of the attackers overseas, it is quite often hard to get them interested. And what they seem to miss is they do play a key role in this. Take a typical small business that might not have great security monitoring themselves, so they do not produce the evidence internally for us to reconstruct what the events were. But let us say we can see an offending IP address that touched them where the attacker came from on the last hub. That IP address is in somewhere else, another business, another citizen of the U.S. We cannot go acquire that system. But if I worked with a law enforcement entity, I could very rapidly get some type of search authority. They can go acquire that system. We might be able to recover the evidence we need to see how bad the event was off of that system. And when we try to do that now, quite often that is weeks or months to go through that process. By that time, all the evidence we could have used to limit the damage is gone. And so there is a role, but because they normally are not going to end up in arrest, it is hard to get them engaged. Mr. BLUM. Thank you very much. Last question, assuming the value of the compromised data is covered by insurance, how do you quantify? How do you put a number on compromised data? How does that work? That has got to be, I mean, that has got to be a tough thing. Give me some insight into that, please. Ms. DAVIS. So it is a tough thing. In talking about the patchwork of laws, it largely depends when you talk about how those records are compromised, you know, where they were compromised, the extent of them, the number of people who are going to require notification. There is a general sentiment that there is desensitization happening across the population, so fewer and fewer people are taking carriers up on offers for things like credit monitoring. It depends largely on the forensics, how long they were in your network, how much information was compromised, and really driving up those forensics costs; any fines and penalties that could be resulting from that and if there were data restoration costs involved. So the sums, they range wildly. To get to your earlier question, I just want to point out that they say the prosecution rate for these kind of nefarious actors only ranges around 10 percent, and so that means that criminals who were sort of lurking in the dark web are currently coming out because there is no reason to be in the dark and that means they are talking to each other. And so the sophistication and nature of the attacks really continues to increase. Chairman CHABOT. The gentleman's time is expired. Mr. BLUM. I yield back the time I do not have, Mr. Chairman. Chairman CHABOT. Thank you very much. The gentleman from Florida, Mr. Lawson, who is the Ranking Member of the Subcommittee on Health and Technology, is recognized for 5 minutes. Mr. LAWSON. Thank you, Mr. Chairman. And welcome to the Committee. Ms. Davis, as you are well aware, many small businesses may be unaware of the lack of capital to purchase cyber insurance. What can small business organizations, SBAs, as well as local entities, do to better educate the small businesses about the risk of cyber attacks and the importance of purchasing cyber insurance? And I say that because I was in small business and I have been trying to wind some things down. And a young person came in. I heard Mr. Cernak talk about the birthday of this here is 10 years old and I had a typewriter in the office, an IBM Selectric typewriter. And one of the young persons said, what is that? You know, and I said this is one of IBM's best. They said, they still make those? So my question is, I just wanted to say that because when you talked about the birth of this, what can we do to educate small businesses about it? Ms. DAVIS. So I think when it comes to small businesses, you know, we really have to think through the culture of an organization. When it comes to controls, the expectations across industry class are really going to vary wildly, so you cannot say this one control will make you a better risk. There is no silver bullet answer, but it is about building a culture of resilience. It is about understanding what your risks may be. It is about ongoing employee training. And these are items that do not have a significant price tag associated with them. That is just an ongoing effort to make sure that you are bringing the right people into the conversation and that you have that multi-stakeholder incident response plan in place if and when an event occurs. Because what we do find is organizations who are lacking that sort of preparation are the ones who have a longer amount of downtime, more financial impact to their organizations because they were not prepared. I would say from an insurance perspective, do keep in mind that although the costs will vary based on some of the subjectivities we have talked about, you know, they cannot afford to be out of business for a prolonged period of time. And so when you think of the safety net that an insurance policy can bring to the equation, it will likely be a fairly small financial cost compared to that longer hardship if the downtime is significant. Mr. LAWSON. Okay. And I have read the staff report on cyber insurance can be customized to the specific needs of the company. Mr. Cernak, what are some of the more innovative ways that you see cyber insurance can be crafted to the specific needs of small businesses? Mr. CERNAK. One of the trends we have seen lately is tailoring it to small businesses by making it even more comprehensive. So a lot of the policies that may be out there currently offer higher limits, but you have to choose which exact coverages you feel you need as a small business owner. And the concern is maybe I select the wrong coverages for what I need. So we are seeing a trend of packaging multiple coverages under a common limit, making it a very streamlined approach so that they do not have to answer 12 pages of underwriting questions where you are going to get the wrong information, not by any malicious intent, but simply by the fact that they do not understand the application. Perhaps provide cyber insurance as an endorsement to a policy they might already be buying. So perhaps they are already buying a business owner policy that is providing them with property and liability insurance. Can we add on a very nice and tidy package of cyber coverages as an endorsement to that? Mr. LAWSON. And a real quick question, anyone can answer. Will small businesses in the small business be able to do group coverages, hopefully, to stabilize their premiums? Mr. CERNAK. So along the lines of almost a captive or some sort of that, there has been, I know, some conversations around that idea. It is a little bit of a challenging idea because as we stated earlier, you know, cyber does provide some level of aggregation exposure. And so by doing a group approach, you may be doubling down on that aggregation exposure as well. But there may be some cost savings, especially as these policies tend to bring services into play. Those services may be had at a more competitive price. Mr. LAWSON. Okay. My time has expired, but I hope you all remember the IBM Selectric typewriter. Mr. Chairman, I yield back. Chairman CHABOT. Thank you very much. The gentleman yields back. And we want to very much thank the panel here for helping the Committee to better understand an issue that more and more small businesses all across the country are facing, and that is the cyber risk that is out there, the attacks that they could be facing. We are committed as a Committee to doing everything we can to assist the small business community to better protect themselves, whether it is best practices, whether it is potentially cybersecurity insurance, and you all have assisted us in doing that, so we thank you very much for that. I would ask unanimous consent that members have 5 legislative days to submit statements and supporting materials for the record. Without objection, so ordered. And if there is no business to come before the Committee, we are adjourned. Thank you very much. [Whereupon, at 12:22 p.m., the Committee was adjourned.] A P P E N D I X [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Testimony of Erica Davis Senior Vice President and Head of Specialty Products Errors and Omissions Zurich North America before the House Committee on Small Business ``Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option'' July 26, 2017 Chairman Chabot, Ranking Member Velazquez, and Members of the Committee, thank you for the opportunity to speak with you today about the important issue of cybersecurity and the role of the private sector in providing risk management solutions to businesses to protect against cyber risk. As a leader of a team of market-facing underwriters at Zurich North America, I work with brokers and customers on the placement of cyber insurance. While there is increased awareness of the threats across all sizes of organizations, businesses are still struggling to understand cyber risk: the full scope of their exposures and how best to protect themselves and their customers. Zurich Zurich is a leading multi-line insurance group with more than 140 years' experience serving businesses worldwide. Zurich employs approximately 54,000 people and serves customers in more than 210 countries and territories. Zurich entered the United States in 1912, and for more than 100 years has served businesses of all sizes in America, including Fortune 500 companies, small and medium size businesses, as well as farmers and ranchers. We are proud to help them manage risk and give them the confidence to contribute to the U.S. economy. Zurich's North American headquarters is in Schaumburg, Illinois, and supports the jobs of over 9,000 employees across the United States. We are proud to have a market and employment presence in each of your states. We are also pleased to offer risk management solutions to customers in Puerto Rico and will explore the marketplace of American Samoa. As one of the five insurance providers currently leading the North American cybersecurity insurance market, Zurich is invested in identifying risks and delivering solutions for its customers. Zurich is committed to staying at the forefront of the cybersecurity issues, as both the likelihood of a security breach and costs continue to escalate. Zurich's Approach to Cyber Risk Understanding Attitudes to Cyber Risk. As the cyber threat landscape continues to evolve, companies across all industries find themselves increasingly vulnerable to potential harm from a security or privacy event. Most loss dollars arise from first-party privacy breach costs, such as forensics, breach coaches, consumer notification and credit monitoring. We are also seeing:Business interruption loss Liability lawsuits Regulatory fines Reputational damage Shareholder suits Businesses today face difficult decisions about cybersecurity and how best to manage their risks: deciding whether they should retain the residual risk or transfer it through the purchase of a cyber insurance product. The role of insurance is continuously increasing as customers are now seeking industry feedback and risk insights. It has become more of a partnership, with businesses focusing on not just what happens post-breach and a loss being paid. They value having a stable of pre-vetted vendors available to them if they are impacted by a data or security event. They are also focusing more on pre-breach services to guide them through risk mitigation tools like technology assessments. In October 2016, Zurich and Advisen (a leading provider of data, media and technology solutions for the commercial property and casualty insurance market) released a sixth annual survey of risk managers, insurance buyers, and other risk professionals on the current state of trends in information security and cyber risk management. Key findings included: Eight-seven percent of respondents believe a technology interruption would have a moderate-to- significant impact on their business. Over the last six years, the proportion of companies buying security and privacy cyber insurance has increased by 85%, from 35% in 2011 to 65% in 2016. For the firsts time in the six years of this study, general counsel has surpassed information technology as the department most frequently responsible for assuring compliance with all applicable federal, state, or local privacy laws, including state breach notification laws. Most companies surveyed (97 percent) clearly recognize the importance of collaboration between their risk management and information technology departments on issues related to cyber security. Industries with substantial personally identifiable information, personal health information and/or personal financial information, in general, consider data security and privacy to be a more significant risk. As a result, they also are more likely to purchase security and privacy insurance and engage in risk management activities. Costs related to a breach of customer/ personal information are the leading reason for purchasing cyber insurance. Coverage. Zurich provides coverage for cyber risk to businesses of all sizes, and cyber coverage is tailored based on customer need. While the historical reason for purchasing cyber insurance is liability concerns and costs related to breach of customer or personal information, coverages recently have focused on business interruption and supply chain downtime as the result of a cyber event. Risk culture is also critical to underwriting any line of business. Cyber insurance is no exception. It is critical for businesses to build a culture of awareness at all levels. Events in recent years have raised awareness of cyber risk across all industry segments. Businesses must adopt a mindset of resilience rather than just protection. More businesses are beginning to view information security as an organizational challenge rather than just a technology issue. The business community's interconnectivity and reliance on technology has increased, which creates more points of entry and new threat vectors. The exposure has broadened to include potential property damage for something like critical infrastructure, bodily injury caused by autonomous vehicles or cyber espionage. Therefore, the underwriting of the cyber product is evolving as the risks are morphing. The insurance community is continuously working to understand the full scope of the exposures and what the controls might need to be. Each business needs to be underwritten differently. Resilience. Organizations of all sizes now realize they are at risk of a security or privacy event. Finding solutions to the most complicated of cyber risks will require collaboration between the insurance industry, governments, academia and other think tanks to establish standards, encourage information sharing, build resilience and create adequate global governance. In an effort to continuously help customers understand and protect themselves from risk, Zurich began participating as a key industry consultant in a ``first of its kind'' public- private partnership by the University of Maryland and the National Institute of Standards and Technology (NIST). The partnership embarked on a research project to assist companies ascertain the effectiveness of their information security and cyber supply chain best practices, with an end goal of helping organizations increase their cyber risk assessment and management capability. The project built on an existing Cyber Risk Portal, which collects data by allowing participating businesses to anonymously upload information to compare their cybersecurity capabilities to the existing NIST Framework, as well as to their peers and competitors. To further assist businesses with their security and privacy risk management, Zurich is also collaborating with Deloitte to help improve a company's cyber resilience. Policyholders can complement Zurich's cyber coverage with pre- breach cyber risk assessment and management services through Deloitte to understand their level of cyber exposure and resilience. These services include standards-based risk assessment of an organization's threat detection and incident response capabilities, as well as risk mitigation recommendations. This is just one area where Zurich is focusing on cyber risk mitigation rather than solely risk transfer. Insurance Issues Data Breach Uniformity. Because there is a myriad of state laws governing data breach, we are interested in a national, uniform standard on data security and breach notification. While this is not directly in the jurisdiction of this committee, it is certainly relevant for you as Small Business Committee Members to recognize the complexity of cybersecurity governance from a business perspective. We appreciate the efforts of Congressman Luetkemeyer in this regard. Cyber Accumulation. A challenging issue for all insurers is cyber accumulation. Given the cyber interconnectedness of potential data loss, business functions, and supply chains, the ability to quantify exposures, accurately price risks, and manage accumulations and capital requirements will remain a difficult issue for the insurance community for the foreseeable future. Cyber as a Peril. Zurich is contributing to the public dialogue around interconnectivity and the full range of exposures from cyber as a peril. The extent of exposures presented by a cybersecurity event is beyond the current scope of coverage. For example, physical damage is rarely offered on a cyber insurance policy, but can result from a cyber attack. The full range of the exposure is too broad to be covered by the private sector; not all causes of loss can be transferred to an insurance policy. Cybersecurity breaches can cause losses including property damage, bodily injury and reputation risk, and we are investigating the best way to consider these impacts. Conclusion Zurich continues to refine its understanding of cyber exposures so we can help our customers understand the risk, make thoughtful decisions on our current product, and develop additional insurance solutions going forward. With data breach, ransomware and other attacks on small businesses occurring daily, we appreciate your focus on risk management solutions provided by the private sector. Thank you again for the opportunity to testify today. I look forward to answering your questions. [GRAPHIC] [TIFF OMITTED] T6297.010 Chairman Chabot, Ranking Member Velazquez, and members of the Committee, thank you for inviting me to testify. My name is Eric Cernak, and I am Vice President U.S. Cyber and Privacy Risk Practice Leader at Munich Re, US. Munich Re provides a range of reinsurance and insurance solutions through various companies that are part of the Group. In the U.S., Munich Re provides cyber- and privacy-related insurance for small businesses through Hartford Steam Boiler Group (HSB) headquartered in Hartford Connecticut. HSB has an A++ (Superior) financial strength rating from A.M. Best Company and has underwritten cyber reinsurance and insurance for over 12 years. Small business cyber insurance clients are served by over 1,500 HSB employees in our Hartford office and regional offices throughout the U.S. I am testifying today on behalf of the Reinsurance Association of America (RAA) and the Property Casualty Insurers Association of America (PCI). The RAA is the leading trade association of property and casualty reinsurers doing business in the United States. RAA membership is diverse, including reinsurance underwriters and intermediaries licensed in the U.S. and those that conduct business on a cross border basis. The RAA represents its members before state, federal and international bodies. PCI is composed of nearly 1,000 member companies, representing the broadest cross section of insurers of any national trade association. PCI members write $202 billion in annual premium, 35 percent of the nation's property casualty insurance. Member companies write 42 percent of the U.S. automobile insurance market, 27 percent of the homeowners' market, 33 percent of the commercial property and liability market and 34 percent of the private workers' compensation market. Today's hearing is an important discussion to highlight the success of the private sector in developing cyber insurance and to help raise awareness among the small business community about the option of securing cyber insurance, which can offer both preventative, risk-management tools and act as a critical safety net should a cyber event occur. My perspective today is from that of a reinsurer and insurer. Munich Re's Hartford Steam Boiler Group, as a reinsurer (insurance for insurers) for primary insurers, provides reinsurance to share in the risk of loss, helps primary insurers underwrite cyber risk and develop products, and provides other services to primary insurers that are writing, for example, cyber insurance specifically for small businesses. HSB, as a primary insurer, also offers cyber insurance and services directly to customers (via brokers and agents). ORIGIN AND DEVELOPMENT OF CYBER INSURANCE Cyber is a rapidly evolving risk and reinsurers and insurers continue to develop products to meet the increasing demand and needs of the insureds, including small businesses. The magnitude of known attacks, development of new technologies and security measures to protect against such attacks are growing dynamically. As reported by Risk Management Solutions in its 2017 Cyber Risk Landscape Report, the number of large magnitude data exfiltration events has grown substantially in the years prior to 2016 (with 2016 showing some recent flattening of incident rates). To protect against these threats, companies are increasingly investing in their own cybersecurity systems. And, per the RMS report, global expenditure on cybersecurity is estimated to have grown 14 percent year-on-year, from $75B in 2015 to $86B in 2016. According to a report published last month by Aon titled, ``Global Cyber Market Overview, Uncovering the Hidden Opportunities,'' the global stand-alone cyber insurance market in 2016 was around $2.3 billion in premium, up from $1.7 in 2015, and the U.S. accounted for 90% of the 2015 market. The report noted that ``the market is still believed to be in its infancy and penetration levels are still relatively low.'' It estimated that globally ``over 75%'' of certain large businesses but ``less than 5%'' of small and medium-sized businesses secured some cyber insurance. In the U.S., around 19% of small businesses secured some cyber insurance. Aon's report projected that the U.S. stand-alone cyber insurance market gross written premium will continue to grow at 30% per year and could more than triple from 2015 to 2020, from $1.5 billion to $5.6 billion. More insurers have become interested in offering cyber insurance over time. Less than a dozen insurers offered some cyber insurance in the early 2000s compared to more than 70 in 2016. Reinsurance risk transfer options for insurers with regard to cyber may also become increasingly available. Aon's report mentioned another study by Aon Benfield that ``estimates the 2015 global reinsurance market to be worth c. $525m in annual premium.'' Further, ``more than 15 reinsurers actively write standalone cyber treaties and the number is increasing.'' Most cyber insurance policies have their roots in liability coverage. Initially, these policies were considered ``stand- alone,'' meaning the business needed to purchase the coverage separately from any other insurance, such as general liability, they might be purchasing, as these policies did not provide explicit coverage for cyber-related losses. The first cyber policies were often expensive, difficult to obtain, and required a relatively cumbersome and confusing application process. For these reasons, the initial success related to cyber policies came from the larger end of the market--Fortune 1000 companies--and provided limits generally ranging from $10M to $25M+. Early on, many insurers required the applicant to submit to an external data system penetration test. The results of the test were then submitted as part of the insurance application. As cyber insurance became more prevalent, most insurers dropped the penetration test requirement and focused on the application. As the market has evolved, it is now possible for an insured to obtain up to $5M in coverage by answering as few as 4-20 questions. As more attacks on larger businesses occurred and media coverage increased, smaller business began to take notice of the exposure. The insurance market responded by creating cyber insurance endorsements, which is simply an insurance product that is added to policies the small businesses were already purchasing, such as their business owners' policy or commercial property policy. Business owners' policies typically cover small business property and liability exposures in one simple insurance package, and commercial property policies typically cover the property exposures of larger businesses. A cyber insurance endorsement can cover various exposures not addressed by Businessowners' or Commercial Property policies by providing coverage for costs resulting from a breach of personal information, cyber extortion, transmission of a virus to another entity, breaching another entity's propriety information, etc. These endorsements afforded the insured a streamlined product and application process (generally an application is not needed for base limits), and lower premium for a commensurate limit (e.g. $100,000). Often these cyber endorsements could be automatically quoted without the insured ever completing an application--greatly simplifying the process. With either the stand-alone cyber insurance policy or the endorsement approach, a significant part of the value proposition is the value-added loss prevention services that can be ``bundled'' into the policy to reduce the insureds' exposure. For example, a cyber insurance policy could include risk-management services such as vulnerability assessments, next generation firewalls, IT security audits, and intrusion detection/penetration testing. These were ranked as a the top five most helpful services related to cyber insurance in a 2016 survey of small businesses conducted by Hartford Steam Boiler. In that same survey, 36% of participants gave three reasons why they did not purchase cyber insurance. The number one reason given was that they claimed they did not need it. The second was the expense of coverage, and the third was that the process was too complicated and confusing. These results suggest that education is key to increasing the take-up rate of cyber insurance by small businesses, particularly given that 86% of the respondents stated that they store Personally Identifying or Personal Health Information. HOW TO INCREASE THE TAKE-UP RATE OF CYBER INSURANCE BY SMALL BUSINESS The small business objections to cyber insurance noted above, two of the three speak to the misunderstanding of the value proposition of cyber insurance relative to the exposure. Small businesses would benefit greatly from better understanding the risks presented to their operations by cyber- related exposures and the cyber insurance option to address those risks. Almost every business now relies upon at least one computer to conduct business, whether it is for accepting payments, designing parts, or servicing customers. It is important for small businesses to better understand their reliance upon technology and the impact to their operations should it not perform as expected due to a cyber event. The public and private sectors have a role to play in helping businesses, small and large alike, to overcome the ``it won't happen to me'' mentality and constructively address cyber vulnerabilities while preparing for the aftermath of a cyber event. Cyber attacks may not be a matter of ``if'' but ``when.'' It is essential for businesses, which are increasingly interconnected, to be prepared, protected, and resilient, and insurance can help with all three. Businesses are no longer being attacked solely for the data they have but increasingly for the access to larger businesses with which they conduct business. This exposure is now being recognized by larger companies as they frequently require smaller business partners to carry cyber insurance as part of their contractual relationship. In addition to education efforts, the insurance marketplace needs to continue to refine the process and coverage to reduce the complexity associated with purchasing cyber insurance. One significant challenge is that the terminology in a coverage form can vary greatly from insurer to insurer, thus making it harder for an applicant to understand what is covered in different policies. Last year, Munich Re's Hartford Steam Boiler Group participated in a Treasury-led project to develop a glossary of cyber insurance terms to help simplify and standardize cyber insurance terminology. LIABILITY THAT MAY STILL BE PRESENT EVEN IF AN INSURED PURCHASES CYBER COVERAGE As previously discussed, the terminology used in coverage forms can vary greatly from insurer to insurer, which makes understanding coverage difficult when a business is evaluating its needs. Typical cyber-related coverages can include: Data Breach Response Data Breach Liability Computer attack Network Security Liability Media Liability Cyber Extortion Misdirected Payment Fraud (e.g. Business Email Compromise) Fines and penalties (may not be insurable in all jurisdictions) Some cyber policies also are beginning to examine and/or address the exposure related to: Property and bodily injury resulting from a cyber event Failure of the Internet and the potential impact to business operations However, the insured may still need to examine other policies for potential coverage for cyber-related exposures. These other policies may include: Crime Directors & Officers (which covers legal actions against top company executives) Contractual Liability (which protects a policyholder from liabilities assumed under a contract) Technology Errors & Omissions for exposures resulting from IT products the insured creates MINIMUM SECURITY EXPECTATIONS FOR OBTAINING COVERAGE Where an application is required for a cyber product, insurers may want to understand if the applicant complies with various security requirements (when applicable for the industry in question) such as the Payment Card Industry Data Security Standard (PCI-DSS), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act (GLBA), Red Flag Rule, and Sarbanes-Oxley. Additionally, from a technical perspective, many applications will inquire about encryption being deployed, systems patching cadence, back-up procedures, password management, firewalls installed, anti-malware software, intrusion detection/protection devices deployed, etc. However, there is growing recognition that strengthening companies' security culture, embodied by various policies (privacy/security and document retention/destruction), criminal and credit checks conducted on employees, and robust training programs, deserves strong consideration as part of the underwriting process. This also is supported by the above- referenced Hartford Steam Boiler survey finding that nearly half (47%) of all data breaches were attributed to a vendor/ contractor, followed by employee negligence or malfeasance (21%), and lost or stolen mobile device (20%). Hacking or other cyber-attack only represented 11% of data breaches. By contrast, when no application is needed for an endorsement-based cyber product, often the form may contain language stating that the insured needs to comply with reasonable and industry-accepted protocols. These protocols may include: Providing and maintaining appropriate physical premises, computer, and Internet security Maintaining and updating at appropriate intervals backups of computer data Protecting transactions, such as processing credit card, debit card and check payments Appropriate disposal/destruction of files containing sensitive personal or corporate information/data HOW INSURERS DETERMINE COVERAGE AND PRICE Cyber insurance is unlike most other insurance coverages in four fundamental areas. Insurers are grappling with the following factors in offering cyber coverage and at what premium/limit. There is no significant historical loss data. The exposure is relatively nascent as the Internet has only been commercially viable since the late 1990's. Further, the loss data generated even 10 years ago does not fully represent the exposure today. For example, virtual currencies and smartphones did not exist 10 years ago. Due to the lack of loss data, insurers have adapted pricing, terms, and conditions from other lines of business, such as technology errors and omissions, crime, media liability, etc. Some insurers also have looked to conduct primary research and have interviewed experts in various fields, including IT forensics, attorneys, breach response service providers, public relation firms, and others. Through this process insurers can better understand the frequency of events, how long events may take to address, and the associated costs for the various services. These figures are then converted into insurance premiums. As experience develops, these initial figures can be blended with the actual insurance claims results to refine the premiums being charged. Another tool insurers have deployed to improve cyber insurance products and pricing is the survey of potential customers (e.g., business owners) to understand specific kinds of concerns, the frequency of issues they face, and the costs to address them. This helps insurers prioritize which coverages to develop and include in a cyber insurance product and determine associated terms and pricing. The cause of loss is generated by an active adversary, which is capable of changing tactics and targets to suit their needs based on advances of technology. As new technologies are introduced, exposures that previously did not exist become commonplace. For example, cyber extortion was typically limited in scope to targeted attacks where the attacker threatened to release data that had been stolen or to continue with a Denial of Service attack unless a ransom was paid. These attacks took significant time to conduct and often posed a significant risk to the perpetrator as they needed to interact with the company to receive payment. With the advent of virtual currency, ransomware exploded and is now a leading cause of loss. Legislative and regulatory requirements continuously evolve. Insurance companies need to monitor the evolving state, federal, and international privacy and data protection laws. While these laws are designed to protect consumers, they may create an exposure to small business owners. For example, there are 48 different state breach notification/data protection laws with which a small (or large) business must comply. Many of the first cyber insurance policies focused solely on liability exposures of third parties (as opposed to those faced by the entity purchasing the coverage) and only provided a small sublimit (the maximum amount for which the insurance policy would pay for in the event of this type of loss, which is less than the overall limit of the policy) for costs the insured might incur complying with various breach notification laws. As more states followed California in the mid-200's with their own breach notification laws, insurers responded by expanding their breach response coverages. Cyber poses potential aggregation or accumulation risk for insurers. Cyber risk is not bound by geography, which greatly increases the aggregation risk from an insurer's perspective. Many insurers will identify potential causes of aggregation (e.g. particular industry, service providers, failure of the Internet, etc.) and either decide to exclude that cause of aggregation or to monitor the amount of insurance being provided very closely. For example, an insurer may monitor the number of insureds using a particular cloud service provider. CONCLUSION As the private cyber insurance market continues to rapidly expand, reinsurers and insurers will continue to monitor and analyze cyber risks, survey and work to better understand the needs of existing and potential customers, develop insurance products and services accordingly, and help insureds following a cyber event. It is equally, if not more important, to U.S. businesses for federal and state governments' lawmakers, regulators, and other entities focusing on cybersecurity and evaluating potential regulatory changes, to develop clear, consistent requirements and to avoid a patchwork of different requirements and standards. Such a patchwork would impede companies' ability to effectively implement cyber security protocols and respond quickly and appropriately to a cyber security event. Although the nature of reinsurance means that reinsurers do not directly interact with consumers, and therefore reinsurers' obligations in the event of cyber security events differs somewhat from the primary insurance industry, the entire insurance and reinsurance industry (as well as consumers) benefit from uniform, consistent standards that are both proportional and flexible enough to work in an ever-changing cyber environment. We also encourage the Administration to coordinate cybersecurity policy among federal agencies and designate lead agencies to coordinate discussions where appropriate. This should include discussions with state insurance regulators to encourage healthy cyber standards while eliminating conflicts and duplicative regulation. Thank you for your time and your interest in this very important issues. [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] House Small Business Committee ``Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option'' AIA STATEMENT July 26, 2017 In today's increasingly interconnected world Cybersecurity is a risk that no business is immune from regardless of industry or size. We appreciate the House Small Business Committee (Committee) holding the hearing. ``Protecting Small Business from Cyber Attacks: the Cybersecurity Insurance Option.'' The comments below are intended to provide a brief overview of cybersecurity insurance and some potential challenges for this market. As with many other emerging and complex risks, insurance is, first and foremost, a useful targeted risk transfer mechanism. A cyber event can be costly for any business, including small and medium businesses, so minimizing that financial impact through cyber insurance is beneficial. And, just as cyber risks continue to evolve and develop, so has the cyber insurance market. Therefore, a key point is that the insurance market is developing responsibly to meet changing client demands and offering produts tailored to meet small, medium and large business needs. Approximately 15 years ago, ``cyber insurance'' originated as a technology errors and omissions product that provided coverage for negligent acts, errors, and omissions in the deliverance of technology products and services. Today, stand- alone ``cyber insurance'' products may include coverage for forensic activities, legal fees associsated with determining how best to comply with each state or territory's notification rules, notification and credit monitoring costs, business interruption, and damages and expenses incurred in connection with claims brought against a third party, such as costs associated with responding to or defending against regulatory inquires, payment of fines, and lawsuit liability. More recently, some insurers may also offer dedicated cyber coverage for bodily injury or property damage. Importantly, cyber risk should be considered a peril. Coverage for the cyber peril can be addressed, in whole or part, in a dedicated, stand-alone product or embedded in a multi-risk policy that might include cyber as one of the many causes of loss, for instance a commercial property policy or a directors and officer's policy. Moreover, cyber insurance can serve as a valuable tool in crafting a risk management program. Hence, communication is an important aspect of the cyber insurance purchasing process. The process typically begins with a conversation with the insurance carrier and with the advice of an insurance agent and broker whose expertise guides the insured in evaluating its coverage needs and existing insurance products to determine whether insurance gaps exist and how best to address those gaps. Additionally, cyber insurers continually innovate and offer add-on products and access to strategic partnerships that small business may find invaluable. For instance, many insurers have partnerships with computer forensic firms, public relation coaches, and expert legal counsel. Timing is critical in the event of a breach, therefore, having a list of identified resources could be crucial. As well as post-event resources, pre-event resources may also be important to a small business. For example, risk assessments, employee training, and table-top exercises are useful tools that an insurer may offer. It is important to note that there are clear business benefits to cyber insurance, as identified above, but cyber insurance should not be seen as a driver of behavior, guarantor of cyber security, or a standard-setting vehicle. Regardless of a business's size, cybersecurity requires an ever-evolving adaptable approach that is incorporated into an entity's overall risk culture and each individual company is uniquely and best able to assess its own risk and global approach to managing cyber exposures and deciding what role insurance will play. We recognize that small and medium businesses have limited resources and the decision to purchase cyber insurance is one that should remain within the businesses sole discretion. As such, our industry is committed to responsibly meeting market demand and offering innovative solutions that best suit our client's needs. Therefore, the cyber insurance market should be allowed to grow organically without undue pressure that could stifle innovation and market growth. Rather, through public-private partnerships we should explore solutions for addressing the challenge that confront market growth. Some of these challenges include the following: Education - Businesses are not always convinced that they are at risk of a cyber-event. Size and industry may be factors that convince an entity they are not at risk, but unfortunately, today's connected society and supply chain interdependencies makes everyone a target for unscrupulous actors. Data and Risk Modeling - The risks presented by the cyber age are new and more rapidly evolving compared to more traditional risks that insures have been underwriting for hundreds of years. Thus, sufficient loss data and risk modeling capabilities, which are critical to responsible underwriting, will need time to develop. Moreover, the risk is continually evolving as bad actors look for new ways to expropriate information and process it for their own purposes. Aggregation and Accumulation - As indicated above, coverage for cyber events may be embedded in a number of insurance policy types. Further, cyber is also a global challenge, sometimes without geographic borders or predictable locational centers, thereby increasing the geographic risks broadly. The increasingly interconnected business environment and the ubiquitous presence of cyber in our commercial world also serves to increase the aggregation and accumulation risks insurers must manage. Forensic Review - A lack of actuarial data is not the only data gap that insurers may face. Often times insureds may avoid sharing data such as forensic reports with their insurer in an effort to avoid an assertion that they have waived the attorney client or work product privilege. Though these concerns are understandable, failing to provide forensic information hurts insurance carriers and their clients in two ways: (i) it makes it more difficult to evaluate claims triggered by a cyber-event given that critical information is withheld from the carrier; and (ii) there will be less information available to insurance carriers to aid in risk management and risk transfer solutions for the client and more broadly for the benefit of the cyber insurance market. Insurers are committed to meeting the challenges of market growth so that they can continue to evolve their product offerings in order to provide risk transfer solut8ions that benefit businesses of all sizes. Thank you for your interest in this subject matter. Our membership is an active participant in the cyber insurance market and we would be happy to discuss this issue and answer any questions that you may have. [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] STATEMENT ON BEHALF OF WILLIS TOWERS WATSON BEFORE THE UNITED STATES HOUSE OF REPRESENTATIVES COMMITTEE ON SMALL BUSINESS HEARING ENTITLED, ``PROTECTING SMALL BUSINESSES FROM CYBER ATTACKS: THE CYBERSECURITY INSURANCE OPTION'' JULY 26, 2017 On behalf of Willis Towers Watson, we submit the following statement in response to the above-referenced hearing. Small businesses (SBs) tend to be less concerned about their technology/cyber risks than their publicly traded counterparts. This view may be due primarily to a limited understanding of the scope of risks these organizations face. According to the Verizon Data Brach Repot, approximately 61% of data breach victims are businesses with less than 1,000 employees. With this in mind, here are some of the common misconceptions we found among SBs: a. We're not a target for attackers because we don't have valuable data: Any business that processes data and is connected to the internet has cyber risk. While SBs often do not have large `troves' of data, they still have data. Attackers view access to SB networks as a `path of least resistance.' Compared to large publicly traded companies, SBs may not have significant resources invested and dedicated to protecting their critical assets. As such, it is easier for a hacker to infiltrate a high volume of SBs than one large organizations with stronger controls. b. We outsource the storage/processing of data: Most SBs think outsourcing data storage and processing will completely transfer their risk and potential liability to the outsource provider. However, the organization that owns the data ultimately has reasonability for it. While there may be some shared liability with outsource providers, most have limit of liability provisions in their contracts. Further, determining liability is a lengthy process and something an organization will be challenged to devote time to while responding to a breach. c. We have adequate technology security controls: While technology controls are important and part of the solution, cyber risk at its core is a people risk. Willis Towers Watson claims data reveals that 69% of cyber breaches can be attributed to an organization's employees and can stem from a lost laptop, a disgruntled employee, inadequate cyber awareness training or hiring of non-qualified employees. Therefore, to address these vulnerabilities, it is important organizations to also devote attention and resources to people solutions, such as employee engagement, awareness and hiring the appropriate IT talent. Both Business to Business (B2B) and Business to Consumer (B2C) organizations should understand their cyber risk and consider cyber insurance as a method of risk transfer. For B2B organizations, it's easier to understand why cyber insurance is important. When dealing with other businesses, there may be contractual requirements that require organizations to carry cyber insurance or technology professional services coverage. If an organization is providing technology professional services, it is important for them to put together technology professional services coverage with cyber liability insurance, as there is an overlap in coverage. Even if an organization is not providing a technology professional service, cyber insurance should be considered as it can provide balance sheet protection for both first-party coverage (out of pocket expenses - i.e., business interruption, data restoration, and cyber extortion) and third-party liabilities (lawsuits alleging financial harm as a result of an organization's errors or omissions). For B2C organizations, historical buyers of cyber insurance were industries that held a lot of records (i.e., retail, healthcare and education); however, the more recent cyber claims have affected other industries such as manufacturing, nonprofits and critical infrastructure. One of the best practices for SBs seeking to understand their cyber exposures is to review cyber claims and losses scenarios, such as the following: Retail An online retailer noticed unusual activity on its server, which prompted an investigation. They discovered that hackers had stolen an employee's credentials and used them to access the names, billing addresses and credit card numbers of approximately 50,000 customers during checkout. Outcome: The insurer retained the appropriate vendors and notified the necessary individuals and agencies. The retailer incurred approximately $1M in first-party costs. Healthcare A hospital office employee stole medical profiles, histories and detailed personal information on approximately 125,000 patients. Outcome: The insurer provided the client hospital with crisis support team, made up of outside vendors, to help resolve the breach and reimbursed the hospital approximately $800,000 for the crisis team's expenses. Manufacturing A consumer products company underwent a software system upgrade performed by a vendor. The system upgrade failed, which caused all of the manufacturer's systems to malfunction on the same day. This caused an unintentional and unplanned outage, which resulted in the suspension of the manufacturer's operations. Outcome: $2M was paid by the insurer for extra expenses associated with the business interruption, including expenses to continue normal business operations. Technology Professional Services A technology services provider of software applications, implementation services and support contracted with a social welfare organization to consolidate and update its legacy IT systems. The social welfare organization filed suit against insured, claiming it failed to meet contractual deadlines, delivered a poorly performing system and failed to properly staff the project. Outcome: The social welfare organization sought damages in excess of $15M. Cyber Extortion A client's computer server was maliciously attacked by a virus that encrypted their data and demanded a $5,000 ransom to unencrypt. The insured reported the matter to the FBI and local authorities, and refused to pay the ransom. Outcome: The insurer engaged ex expert to perform a forensic analysis of the client's system. The expert found the impacted server didn't contain any confidential information. They removed the virus and strengthened the client's data security protections. The insurer reimbursed the insured $45,000 for forensic costs incurred. Handling cyber breaches can be complex and expensive, and costs can easily amount to thousands of dollars or millions if an organization is not proactive. SBs need to take advantage of cyber insurance, as it provides a risk transfer, as well as a partnership with the various experts (such as forensics, attorneys and public relations) that need to be involved in the event of a breach. Most cyber insurers offer their policyholders a choice of breach response services, typically from a list of pre-approved vendors. Many allow the policyholders' own choice of vendor. Most insurers also grant policyholders access to a complimentary cyber risk management portal that includes the most updated information on emerging cyber threats and the latest reports on risk mitigation measures and practices. Moreover, premiums and other terms and conditions are extremely competitive as market conditions are relatively soft with slight rate decreases. This is likely due to additional capacity in the market and underwriters being able to better quantify exposure. In sum, SBs need to be as proactive as their larger counterparts by: (1) conducting proper risk assessment and quantification; (2) investing in a cyber-savvy culture; (3) insuring cyber threats they can't mitigate and; (4) allocating enough capital to technological cyber defenses. Willis Towers Watson (NASDAQ: WLTW) is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 39,000 employees in more than 120 countries. We design and deliver solutions that manage risk, optimize benefits, cultivate talent, and expand the power of capital to protect and strengthen institutions and individuals. Our unique perspective allows us to see the critical intersections between talent, assets and ideas - the dynamic formula that drives business performance. Together, we unlock potential. Learn more at willistowerswatson.com. [all]