California dreams about cyber insurance, and federal lawmakers should pay attention

Some members of the California State Assembly seem to believe there is no better Valentine’s Day gift than the promise of cyber insurance. Assemblyman Edwin Chau (D-Monterey Park) introduced Assembly Bill 2320 on Feb. 14, which would require any business that contracts with the state and has access to people’s personal information to maintain cyber insurance coverage. Federal lawmakers should pay attention to what happens with the bill.

A seemingly minor requirement like this could prove a gift that keeps on giving for American taxpayers. Through risk assessments and requirements for baseline cyber practices, acquiring cyber insurance encourages robust cyber security and a higher degree of corporate resilience — saving us money and headaches.

The most direct operational need for cyber insurance stems from the fact that cyberattacks are both common and hugely expensive to address. A U.S. government IT contractor recently came under fire for exposing emails and credentials stemming from its access to the systems of three federal agencies. And in the infamous 2015 Office of Personnel Management (OPM) hack, cybercriminals leveraged credentials that had been issued to federal contractor Keypoint Government Solutions to steal the records of 21.5 million Americans.

Cyber incidents cost $200,000 on average, according to insurance carrier Hiscox. They are particularly damaging to small businesses, with an alarming 60 percent of affected firms going out of business within six months. In California’s case, the state requires that at least 25 percent of annual government contracting dollars be paid to certified small businesses. A cyber-insurance requirement would help protect those contracts and the taxpayers who rely on small business services.

In addition to providing financial protection, cyber insurance can have a direct impact on the security practices of firms in three principle ways:

First, it aligns the incentives of both contractors and insurers to mitigate risks. For their part, insurers want to underwrite prudent risks to avoid having to pay out large amounts in the event of a data breach. Clients want to prove to insurers that their security posture makes them worthy of coverage at low premiums. Firms that effectively manage their cyber risk get those lower premiums. 

Second, cyber insurance acts as a vehicle for best practices, which evolve on an ongoing basis. Cyber insurers leverage existing IT frameworks and best practices at both the underwriting stage (when the insurer decides to take on the risk) and the rate-setting stage (when premiums are determined relative to the risk). This process can function as a cybersecurity audit for firms and reinforces a culture of preparedness.

Third, cyber insurance adoption begets further adoption. Exposure to more clients means insurers have access to data about common threats and targets. As a result, they can offer a better and wider variety of products at increasingly lower premiums, expanding access to coverage for smaller or riskier businesses, or for those that do not contract with the government. Around 41 percent of firms in the U.S. and European markets have cyber insurance. The global market for cyber insurance policies measured $4 billion in 2018 and is predicted to grow to $20 billion in 2025. A codified cyber insurance requirement would accelerate adoption.

Chau’s bill endeavors to capture all of these benefits. However, it remains imperfect insofar as it empowers contracting agencies to establish the amount of coverage firms must carry. Contractors of different sizes face different threats and have different risk profiles. One with access to financial information could reasonably be held to a higher standard than one with access only to phone numbers. There is no magic formula to assign the ideal amount of coverage, and the matter may be best left to contractors and insurers to negotiate. Getting it right could mean the difference between a boon for security and a boondoggle.

For better and for worse, California has a history of foreshadowing policy developments that spread to other places. In 2002, its legislature passed the first state data breach law requiring businesses to disclose any breach of the security of personal information. Over the next 16 years, all 50 states followed suit. Should it pass, AB 2320 may prove similarly prone to widespread adoption. With any luck, Congress will take a hard look at the right way to implement cyber insurance requirements.

While the number of federal employees has remained steady in the past two decades, the number of federal contractors continues to rise. Federal contracting grew by 9 percent in 2018 alone. The question of how to manage the security risk of the growing tangle of contractors and subcontractors is a tricky one. Requiring federal contractors to acquire cyber insurance would be a step in the right direction.

Anne Hobson is a program manager at the Mercatus Center at George Mason University. Ian Adams is the vice president of policy at TechFreedom.