Cyber insurance regulation looms
Greg Treverton: The former National Security Council chief says the cyber threat is driving collaboration
The growing cyber threat is driving productive collaboration between government and industry in the common effort to build defences against attack.
Former chairman of the US National Security Council Greg Treverton says the imminent nature of cyber threats has started to change the relationship between the public and private sectors.
Mr Treverton, who served during the Obama presidency, said that on one hand, the most important infrastructure being attacked is in the hands of the private sector, and on the other, government is figuring out the right policies to implement to minimise the impact of these attacks.
The cyber policy imperatives have become “an overwhelmingly public interest”.
“We have this paradigm that says how we protect things we care about is we regulate and then we insure. But that can’t work here,” Mr Treverton said on a visit to Australia this month.
“Ordinarily in this case, we would say [there is a] big government role, heavy regulation. But that’s not the way any of us want to go, because we understand that technology is moving so fast here that any regulation runs the risk of being overtaken by events immediately,” he said.
“What we’re searching for is new forms of public-private relationship that can provide insurance and good information about the risk they’re carrying, and at the same time provide incentives for corporations to protect themselves better and maybe seek insurance.
“For me it’s about finding a surrogate for an old paradigm that can’t work as it does in housing, electricity or earthquake insurance.”
Macquarie Telecom managing director Aidan Tudehope believes the government has started to help the private sector protect against cyber threats.
“They are extremely open and receptive to input and engagement,” Mr Tudehope said. “They know they need to set policy and influence not just the public sector and the states, they need to influence the private sector because the critical infrastructure for this resides in private hands.”
“Because there is receptiveness, they are listening and actively engaging, and they need the private sector’s help to get it right. They can’t think about it in a thought bubble and they can’t think about it in the old paradigm where it takes an extended period of time to get policy right.”
Mr Treverton added that if government can offer the private sector better incentives to protect itself with cyber insurance, there is a promising likelihood that the impact of an attack, when one occurs, will be minimal.
The real concern, for Mr Treverton, however, is getting the smaller guys – the same ones who are unlikely to be able to afford cybersecurity insurance – on board with the idea of protecting themselves.
Karl Sullivan, the Insurance Council of Australia’s general manager of policy, risk and disaster, agrees that while SMEs are likely to be the most affected, they are also the most hesitant to take out any insurance cover.
“Whenever disaster strikes, [SMEs] are the segment of the business community we have to deal with most attentively, and it’s often an uncomfortable conversation. They’ll come forward to the government and say they can’t afford insurance,” he said.
“Only 40 per cent of SMEs take out cover, and only a fraction – about half – take out comprehensive continuity cover, and cyber risk insurance is a bolt-on to that, which will gradually become mainstream.
“The supply is there and they can access it at a price but the demand is not quite there. But it will build over time…and it will probably take a large incident to really spark interest around this.”
But it seems that before any of that can happen, policies need to be introduced to help identify exactly what cyber insurance looks like.
Kelly Butler, who specialises in cyber security insurance at Marsh & McLennan Companies, says the definition of cyber security in the insurance sector remains unclear. She believes the government has a role in helping to correct that.
“Generally, most lines of policy are similar from insurer to insurer. What we found from a cyber perspective is that they’re quite vastly different,” she said.
“The reason behind that is because cyber is not tested from a litigation point of view. Definitions are not set, so insurers are doing their best at defining how they see the risk. What that has created is that from product to product they’re not comparable, which is a real struggle for us when we go out to the market to present quotations to clients.”
The discussion follows the passage of the Telecommunications Sector Security Reforms (TSSR) through the Senate last week, with bipartisan support for legislation that formalises the telecommunications industry’s responsibility to protect its networks.
“Our view is that it’s absolutely critical the government is informed and has influence to ensure critical infrastructure in this country is secure and safe, and part of that critical infrastructure is telecommunications infrastructure,” Mr Tudehope said.
“Therefore the government playing a part in making sure it’s secure is critical, because if there were to be widespread compromise to those environments, it would have a massive impact. In our view there was good consultation there, the government listened and where it has got to is a position we are comfortable with,” he said.