Rewarding IT Security in the Marketplace

Improving information technology security demands greater efforts from both the public and private sectors, as well as better coordination and cooperation between them. US initiatives include creating a series of industry-specific Information Sharing and Analysis Centers to encourage government/industry collaboration on information security. Private sector firms also need stronger incentives to invest adequately in IT security. Moving from trust management to risk management, with widely available and well-functioning markets for insurance covering IT security risks, could go a long way toward strengthening such incentives. Although the insurance industry has developed new forms of cyber insurance, coverage is limited, and few businesses now purchase these policies. Problems include lack of underwriting standards, little experience on which to base premiums, numerous exclusions and limits on liability, and an underdeveloped reinsurance market. Possible ways for government to spur insurance market expansion are explored, such as participating in standards development, mandating cyber insurance, facilitating reinsurance, or indemnifying catastrophic losses. In the end, rewarding IT security in the marketplace will likely require legislative changes to define liabilities more clearly and relate them to risk management principles and practices.