The National Defense Authorization Act (NDAA) of 2021 gave the Government Accountability Office (GAO) marching orders to complete a study of the United States cyber insurance market, and GAO’s findings reinforced a recommendation by the National Cyberspace Solarium Commission for Congress to create an agency specifically tasked with collecting better data.
While much of the May 20 report focused on the industry side, GAO said that an entity to collect cyberattack data would allow the Federal government to better understand cyber risk and help the cyber insurance industry create more accurate risk models.
“Opportunities exist for improving the nation’s capacity for collecting cyber event and loss data and for coordinating industry-wide efforts to collect and share that information. … Support for better data collection dates back several years,” GAO says.
The report looked at key trends in the cyber insurance market and identified challenges currently faced. One of those challenges is a lack of comprehensive data on the cost to remediate cyberattacks and cyber losses. The Congress-created entity would be charged with collecting this sort of high-quality, comprehensive data.
Industry partners in the Department of Homeland Security’s (DHS) Cyber Incident Data and Analysis working group suggested an anonymized cyber incident data repository. The goal would be to “foster voluntary data sharing” of information like cyberattacks, data breaches, and business interruptions.
While this would be a step in the right direction, it would still fall short of the required cyber incident reporting DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is looking for.
“For CISA to do its job, and for the Federal government to broadly execute the mission that the American people want us to do which is protect critical infrastructure broadly, we need information from victims of cyber incidents, so that we can share that information and raise the baseline of cybersecurity,” Acting CISA Director Brandon Wales said earlier this month.