DHS Security Data to Provide Insights to Cyberinsurance Providers
Cyberinsurance is designed to reduce the impact of losses associated with cybersecurity incidents, including data breaches, denial-of-service attacks and damage to enterprise networks. Numerous short-term studies have explored the global impact of these intrusions, with undoubtedly more to come. But what are the long-term impacts of cyberattacks? One U.S. government research project is determined to find out.
The Cyber Incident Data and Analysis Repository (CIDAR), a project led by the Department of Homeland Security (DHS), is a long-term study of cyberincidents. Launched in 2014, CIDAR may take a decade or more to complete, but it’s already delivering results. According to TechRepublic, CIDAR researchers will spend at least 10 years compiling anonymous data on cybersecurity incidents. Insurers can then use this information to calculate the risk of cyberthreats. In the short term, CIDAR may offer researchers a better way to study cybercrime trends and measure the effectiveness of enterprise security efforts.
Benefits Today and Tomorrow
Over the past few years, insurance companies have come to realize that government-compiled information on major cybersecurity attacks could help them with actuarial data, thus aiding a process that can take up to 15 years to produce statistically valid findings. Many nongovernment sources of cyberincident data lack essential details, such as information on the security controls in place at the time of the incident, how and why these controls failed to stop the attack, and the incident’s short- and long-term impacts, reports TechRepublic.
While CIDAR is designed to provide this information, the process won’t happen overnight. The database currently has some 4,000 fictional cybersecurity incidents but will soon include real-world events, too. The DHS plans to send this data file in the next few weeks to members of the CIDAR working group, which includes representatives from the insurance industry, corporate IT, education and government, according to the source.
Insurance and government officials can use short-term CIDAR data to evaluate cyberattack trends and examine the effectiveness of enterprise security tools, according to the DHS, which may publish its initial findings in the Federal Register before the end of 2017. The National Institute of Standards and Technology, which provides a cybersecurity framework for the private sector, has also shown interest in the CIDAR data.
The impact of the CIDAR effort may resonate beyond the cyberinsurance industry and perhaps even inspire business leaders to pay closer attention to enterprise security. A recent Trend Micro survey of C-suite executives found that organizations are often overconfident when it comes to cyberprotection.
An overwhelming majority of survey respondents, for instance, weren’t up to speed on the stringent new security requirements in the European Union’s General Data Protection Regulation (GDPR), which takes effect next May. In fact, 64 percent of Trend Micro respondents were unaware that a customer’s date of birth is considered personally identifiable information under the GDPR and needs to be protected. An organization that doesn’t properly protect this information may face steep fines.