Majority Statement

• Chairman Jerry Moran
  Read statement

  Majority Statement

  Chairman Jerry Moran

  "Good morning. This hearing is now called to order.
   
  "First, I would like to thank the witnesses for taking the time to provide their valuable knowledge of the cybersecurity insurance market.  I would like to also thank the Committee Staff for their hard work in making this hearing possible.
   
  "The purpose of this hearing is to examine the state of the cyber insurance market, identify challenges and opportunities, and learn how cyber insurance may drive improvements to the risk management culture at businesses who purchase these insurance policies. This is our second hearing on the broad topic of data security and to my knowledge the first congressional hearing on the cyber insurance market.
   
  "American consumers and businesses face ongoing and serious cyber threats.  As was noted in our last subcommittee hearing, the Privacy Rights Clearinghouse has estimated that over 4,400 data breaches involving more than 932 million records have been made public since 2005.  The Verizon 2014 Data Breach Investigations Report reviewed more than 63,000 security incidents and found 1,367 confirmed data breaches in 2013.  On average, that means just under four data breaches occur every day across the globe.
   
  "One strategy for businesses to mitigate cyber or privacy-related losses is the purchase of cybersecurity insurance.  While some cyber–related losses may be covered under a business’s general insurance policy, the increase of publicly-reported cyber incidents and data breaches have lead insurers to begin offering stand-alone policies to cover cyber-related risks and losses.  Cyber insurance policies vary greatly, but increasingly new policies are being developed to cover costs ranging from crisis management in response to a data breach of personal or health information, to business interruption or damage to critical infrastructure systems from a cyber attack.

  "While an insurer’s primary function is to mitigate financial losses – not defend against cyber threats – cyber insurance may be a market-led approach to help businesses improve their cybersecurity posture by tying policy eligibility or lower premiums to better cybersecurity practices.  An example of this relationship is an auto insurer offering a “good driver discount” to a customer who avoids accidents or driving violations, providing an additional incentive to a driver to be more cautious and attentive.  The insurance company also wins. Even though the premium receipt they receive may be lower, in the end they have fewer claims to pay out.
   
  "The cyber insurance market is one of the fastest growing commercial lines of insurance.  Approximately 50 carriers now offer stand-alone cyber policies, and the total written premiums were $1.5-2 billion in 2014. Some estimates show the market could grow as high as $5 billion by the decade’s end. In 2014, the number of clients at brokerage Marsh & McClennan who purchased stand-alone cyber coverage – for example – increased by 32% over 2013. Amongst Marsh clients, the highest take-up rates for cyber insurance in 2014 were in health care, education, hospitality, and gaming.
   
  "Challenges in the cyber insurance market exist due to the difficulty of quantifying exposure to cyber risks, liabilities, and losses; the aggregation of losses due to the interconnected nature of IT; and the changing cyber threat environment. Several IT security firms are developing products and assisting insurers in either identifying potential threats and/or offering cyber products or services to better protect the networks.  For instance, a startup named BitSight partners with Liberty International Underwriters to externally analyze a company’s cybersecurity. In one case, BitSight helped discover a dormant threat in a company’s IT system and the insurer was able to work with the company to avoid a possible breach.  Another example is Overland Park, Kansas-based Risk Analytics, which partners with AIG to provide a security product to some of the AIG insurance clients.
   
  "As Congress considers cyber threat information sharing legislation as well as a national data breach notification standard, important questions about the developing state of the private insurance market come to mind. Today, we will focus our attention on some of the key questions on this topic, including:
   
  • How can the private sector – the insurers and insured – work together to not only increase their cybersecurity posture and address their risk, but also to mitigate losses in the event a breach or cyber incident?
  • What cyber insurance policies are currently offered and what losses do they cover?
  • How does an insurer assess a policy holder’s risk?
  • What specific factors do insurers consider when developing a policy and premium rate?
  • Has the NIST framework had an impact on how insurers communicate with businesses about their cyber posture?
  • What factors inhibit companies from purchasing a cyber insurance policy?
  • What factors inhibit insurers from offering this insurance?
  • What does the future of this market look like?
   
  "I am confident that today’s expert panel can share valuable insight to these important questions that can help Congress better understand the marketplace.   
   
  "I would like to now turn the Subcommittee’s Ranking Member, Senator Blumenthal."

Testimony

• Mr. Ben Beeson

  Vice President, Cyber Security and Privacy

  Lockton Companies
  Download Testimony (94.35 KB)

• Ms. Catherine Mulligan

  Senior Vice President

  Management Solutions Group, Zurich North America
  Download Testimony (123.78 KB)

• Ms. Ola Sage

  Chief Executive Officer

  e-Management
  Download Testimony (211.33 KB)

• Mr. Michael Menapace

  Counsel

  Wiggin and Dana LLP; Adjunct Professor of Insurance Law, Quinnipiac University School of Law
  Download Testimony (71.12 KB)