The Department of Homeland Security has a mandate to help the private sector — and particularly critical infrastructure — secure itself from cyberattacks but has little authority to actively do so. To meet this mission, DHS is looking at alternatives to incentivize better security in various industries and is looking at cyber insurance as one of those means.
Federal Register: NPPD Seeks Comments on Cyber Incident Data Repository White Papers
Beyond giving people and organizations a safety net, the National Protection and Programs Directorate (NPPD) is hoping cyber insurance can act as an incentive for having a better security posture by offering more coverage and lower premiums to organizations that follow best practices and maintain strong cybersecurity.
However, the insurance industry needs more data to establish a baseline. To facilitate, NPPD created the Cyber Incident Data and Analysis Working Group (CIDAWG), a group of insurers, CIOs and CISOs from the private sector to figure out how to collect and use incident data in an anonymous but effective way.
A year after coming together, the group has released three draft whitepapers analyzing the key issues. From the document summaries:
Details how a cyber incident data repository could help advance the cause of cyber risk management and, with the right repository data, the kinds of analysis that would be useful to CISOs, CSOs, insurers and other cybersecurity professionals. NPPD seeks comments on the following:
- What value would an anonymized and trusted cyber incident data repository, as described in the whitepaper, have in terms of informing and improving cyber risk management practices?
- Do you agree with the potential benefits of an anonymized and trusted repository, as outlined in the whitepaper, that enterprise risk owners and insurers could use to share, store, aggregate, and analyze sensitive cyber incident data?
- Are there additional benefits of an anonymized and trusted repository that are not mentioned in the white paper? Please explain them briefly.
- What kinds of analysis from an anonymized and trusted repository would be most useful to your organization?
Cyber Incident Data Points and Repository-Support Analysis
Addresses the kinds of prioritized data categories and associated data points that should be shared among repository users to promote new kinds of needed cyber risk analysis. NPPD seeks comments on the following:
- Could specific data points within the 16 data categories effectively inform analysis to bolster cyber risk management activities?
- Are the 16 data categories accurately defined?
- What additional data categories could inform useful analysis to improve cyber risk management practices?
- What do these additional data categories mean from a CISO or other cybersecurity professional perspective?
- Please rank the level of importance for each data category, including any additional data categories that you have identified.
- What value does each data category and associated data points bring to a better understanding of cyber incidents and their impacts?
- What does each data point actually mean (and to whom); and which ones are the greatest priority, to which stakeholders and why?
- How easy/difficult would it be to access data associated with these categories in your organization and then share it into a repository and why?
Overcoming Perceived Obstacles to Sharing into a Cyber Incident Data Repository
Identifies perceived obstacles to voluntary cyber incident data sharing and offers potential approaches to overcoming those obstacles. NPPD seeks comments on the following:
- Would your organization be interested in contributing to a cyber incident data repository and using repository-supported analysis to improve your organization's risk management practices?
- What obstacles do you anticipate — both internal and external to your organization — that might prevent the sharing of cyber incident data into a repository?
- Who might say `no' to sharing and why?
- What mechanisms, policies, and procedures could help overcome these obstacles to sharing?
NPPD and CIDAWG are taking input on all three papers through May 24. Comments can be sent to cyber.security.insurance@hq.dhs.gov.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.