Cybersecurity Insurance is at a Crossroads

As the National Defense Authorization Act moves through the chambers of Congress and is finalized, both federal contractors and the non-partisan Cyberspace Solarium Commission will be watching closely to see what key cybersecurity provisions will become mandates for vendors.

While the two sides agree on most recommendations, a provision that would call for recommendations on having cybersecurity insurance benchmarks match those of basic security standards is more contentious.  The Professional Services Council, which wrote a letter to lawmakers opposing this provision, believes that money spent on cybersecurity insurance would be better spent on internal improvements to companies’ processes and procedures.

The idea from the government commission’s side is that companies with poor cybersecurity posture will be identified as high risk and will have a cost associated with that.  There will be a financial incentive to be more secure, reflected in premiums.

The state of the cybersecurity insurance market has been in flux in recent years though, which makes it a bit more difficult to rely on as the arbiter of who is or isn’t well protected.  Under the Obama administration, a plan was put forward for the government to maintain a repository (proposed by the Cyber Incident Data Analysis Working Group, or CIDAWG) of information that would include best practices and reports of incidents.  Critics were worried about fairness in terms of non-participating companies learning from the data, anonymization diluting the usefulness of the data, and the regulations that might arise from the data.

Since this idea was originally floated, the cybersecurity insurance industry has spent time cutting costs.  While they recognize the importance of collecting data to best assess risk, a 2019 study indicated that companies are saving money by collecting less data from those they’re insuring.

Other studies have shown that cybersecurity insurance generally helps companies with what to do after an attack, and uses lessons learned from an attack for its clients, rather than taking a more proactive, preventative approach.  These surveys were conducted before a precipitous increase in the number of cyber attacks, though, and it’s important to be aware that this is a rapidly changing landscape.

The use of cybersecurity insurance as a proxy for good cybersecurity posture has a big caveat in that companies are self-reporting their posture to insurance companies, so it can be difficult to know just how closely companies are sticking to their own policies and procedures.

Regardless, government entities, particularly the Cyberspace Solarium Commission, are making recommendations for government vendors that include cybersecurity insurance.  The commission recommends bolstering the insurance companies by creating a federally funded research and development center to establish training and certification for the claims adjusters and underwriters.  They also believe that there should be standards for the time it takes to implement patches and how insurance payments are capped if companies haven’t been patching their systems.

One of the benefits that we tend to tout at Extract is that you won’t have to worry about our cybersecurity when using our software.  This is because it was designed to index or redact your documents while they remain behind your firewall.  We see organizations that invest heavily in their own cybersecurity and we don’t see the need to open them up to any new exposures.  In fact, in handling over five billion pages, we haven’t seen a single data breach, and we intend to keep it that way.

If you’d like to learn more about how our platform can securely help automate your document workflows, please reach out.


About the Author: Chris Mack

Chris is a Marketing Manager at Extract with experience in product development, data analysis, and both traditional and digital marketing. Chris received his bachelor’s degree in English from Bucknell University and has an MBA from the University of Notre Dame. A passionate marketer, Chris strives to make complex ideas more accessible to those around him in a compelling way.