15 Days of Cyber Insurance: Who collects data on breaches?

One of the biggest problems facing insurers and underwriters looking at cyber insurance is how to model the risk of a hack or data breach, given that these events come as an unpleasant surprise to the companies and organizations affected. Collecting data on previous breaches can help underwriters build models and look at the frequency of high-profile hacks (as smaller hacks may go unnoticed or unreported, depending on state-by-state data breach reporting requirements). Who is collecting that data, and how publicly available is it?

ISO recently announced that it will begin collecting and analyzing cyber insurance data; insurers have to provide their data themselves, but the incentive for doing so is receiving the aggregate dataset and analysis. Other companies that collect and analyze data on breaches and insurance include Verizon, Ponemon, IBM, Ernst & Young, and Veris, among others. These organizations usually produce yearly reports, where they produce graphs and opine on trends in hacking, usually without interviewing any hackers at all, or attempting to go to the source and analyze behavior. The reports are useful, and the data underlying them available for inspection, but in some cases the granularity (for example, analyzing businesses as “small, medium, and large”) won’t be helpful to an insurer hoping to build a customizable model that will discriminate by industry and type of security infrastructure.

Government organizations and states have their own data breach requirements, usually depending on whose data was breached and what type of data was involved (for example, health record breaches have to be reported separately from other types of data breaches, and states can require breach notification based on the number of state residents whose data was lost). Professional associations like the National Association of College and University Attorneys, or the National Association of Insurance Commissioners, will also collect breach data that is specific to their business, such as breaches of colleges and universities, or breach data reported by insurers themselves.

ISACs (Information Sharing and Analysis Centers) are nonprofit organizations established to facilitate the sharing of cyber threats between the private and public sectors. These organizations have taken off in the finance sector (FS-ISAC) and health (NH-ISAC) sector, but often suffer from a first-mover problem, in that by sharing information, organizations initially lose the knowledge advantage over competitors in their industry and government regulators, and have to hope that others will also share information in order to gain from the ISAC partnership. Some companies, more wary of government intrusion than of competitors’ advantages, are looking to form private ISACs to help one another protect against threats common to an industry while not allowing government organizations a peek at their security vulnerabilities. Private ISACs can be limited to organizations within a supply chain, who clearly share a common goal in maintaining and enhancing security, or they can involve adjacent companies who feel responsible for a common pool of customers. The recently-passed (but heavily debated) Cybersecurity Information Sharing Act, or CISA, allows private companies to share security information, including customer data, with the Department of Homeland Security (and in turn with the FBI and NSA), but many companies have noted customers’ privacy concerns and are considering protective measures like private ISACs before sharing data with DHS.

Missing from these threat information sharing repositories is an aggregation of data from post-breach activities, like litigation. Data breach litigation can drag on for years and involve hidden costs that insurers will be more sensitive to than consumers. Hoping to address this gap, a group at Stanford led by professors George Triantis and Michael Klausner is putting together a database of costs public companies incur as a result of cyber breaches. This data will be valuable to insurers and brokers, and to academic researchers, looking to answer questions about liability allocation and insurance design.